Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
Account takeover
FIDO2

Top 3 Account Take Over (ATO) attack vectors to watch

Justin Soong
⬤
May 13, 2025
Share
Top 3 Account Take Over (ATO) attack vectors to watch in 2024Top 3 Account Take Over (ATO) attack vectors to watch in 2024

Account takeover (ATO) attacks, where unauthorized users gain access to someone's digital accounts, have become increasingly sophisticated and frequent, and rates of attack have increased in 2023. We explore some of the vectors that will be come more prolific in 2024, and some mitigating controls.

Here are the latest stats from 2023:

  • There was a 354% increase in ATO attacks compared to the previous year, according to Sift’s Q3 2023 Digital Trust & Safety Index.
  • A report by Security.org and Deduce revealed that 22% of adults in the U.S. have experienced account takeover attacks, affecting around 24 million households.
  • According to the same Sift report from Q3 2023, 73% of consumers hold the brand responsible for ATO attacks and the security of account credentials.
  • Sift’s Q3 2023 Digital Trust & Safety Index also found that only 43% of individuals affected by account takeovers were informed by the concerned company about their compromised information.
  • SpyCloud's 2023 Annual Identity Exposure Report highlights that there was a 72% rate of password reuse among users involved in two or more breaches in the last year, marking an 8% increase from 64% the previous year.
  • The Aite-Novarica 2022 U.S. Identity Theft report states that 24% of ATO fraud victims had their contact details altered post-incident, a tactic used by fraudsters to reroute communications to themselves instead of the legitimate account holder

‍

The Top 3 attack vectors for ATO in 2024

Session Hijacking/MFA By-pass

Session hijacking has to be the most prolific attack in the last year, with many high profile platforms falling to session hijacking.

The attack is very simple, a legitimate user authenticates with an application, receiving a session token/cookie, the user may have performed 2FA/MFA in that process, thus giving the perception that the session/cookie can be highly trusted.

This highly privileged and often long life session is now a prized piece of data for a cyber criminal to exfiltrate and steal, giving open access to the applications sensitive data or actions to be able to perform e.g executing a bank withdrawal or exfiltrating Personally Identifiable Information (PII) data like date of birth, addresses, and list of transactions.

How does a session get stolen or hijacked?

  • 3rd party browser extensions, can sniff out sessions on domains
  • Rooted or malware infected mobile devices and OS can intercept network requests within devices
  • Public WiFi or unsecured networks - unsecured networks allow for Man in the middle attacks which can impersonate popular social login providers (like Google or Facebook) as an example
  • Poorly implemented customer support systems - In a recent high profile session hijacking attack, a browser session recorder contained these prized sessions, and these sessions were breached and used for further lateral movement

How to mitigate session hijacking risk?

  • Up-lift step-up authentication to use phishing resistant factors like FIDO2 Passkeys, which not only offer security improvements but great usability and user experience for your customers
  • Constantly evaluate the risk of sessions or user actions, and issue step-up authentication flows on high risk transactions
  • Reduce the time to live/time out of sessions
  • Detect malware on devices and decline transactions that have been initiated from infected devices

‍

Credential Stuffing/Re-used passwords

This is is a tried and true ATO attack vector that is relatively cheap to execute and still yields a great success rate, these attacks have evolved rapidly to evade controls such as bot protection CAPTCHAs, through next generation credential stuffing bots.

These next generation of credential stuffing bots exploit the poor UX of frustrating captcha riddles, in some instances creating attacks that put every customer even good ones through end-less captcha loops, forcing platforms to reduce thresholds to reduce good customer impact. Other techniques involve being able to easily solve CAPTCHAs through generative AI and performing low and slow attacks that sit under thresholds that trigger challenges.

Impossible Captcha - Microsoft Community
Highly frustrating CAPTCHA puzzles

On-top of poor mitigation techniques, the fundamental flaws in passwords as an authentication factor exists via the following:

  1. Re-use of passwords - offering passwords as primary option even with password complexity requirements is null and void because the majority of end-users just re-use passwords, and it only takes 1 data breach or a successful phishing attempt to create a domino effect for a cyber criminal to exploit
  2. Reluctance to implement MFA/2FA factors - The issue is 2 fold, a reluctance of platforms to implement MFA across the board and the reluctance to enforce these MFA controls within applications.
    1. Typical excuses that come which re-enforce the reluctance is the lack of regulatory/compliance requirements, impact to customers and the lack of resources to prioritize the roll out of strong authentication flows to customers

How to mitigate credential stuffing/re-used password risk?

  • MFA/2FA is your primary line of defense, enforce MFA particularly on new and un-trusted devices
  • Go passwordless - Remove the password box completely and couple it to the introduction of passkeys

‍

One time password (OTP) Code Phishing

One-Time Password (OTP) code phishing is a sophisticated form of phishing where attackers aim to steal the temporary authentication codes that are often used as part of a two-factor authentication (2FA) system. Unlike traditional phishing, which typically targets usernames and passwords, OTP phishing focuses on intercepting or deceiving users into revealing their time-sensitive codes.

phishing graph
Phishing diagram courtesy of our partners Yubico

Here's how it typically works:

  1. Initial Compromise: The attacker tricks the victim into providing their username and password. This is often done through a standard phishing attack, such as a fake login page for a service the user trusts.
  2. OTP Request: When the victim attempts to log in with their credentials, the legitimate service sends an OTP to the victim, as part of its standard 2FA process.
  3. Phishing for the OTP: At this point, the attacker, having the victim's login credentials but lacking the OTP, will craft a follow-up phishing message. This message often urges the victim to share the OTP they just received, sometimes under the guise of "verifying their identity" or "preventing unauthorized access" to their account.
  4. Code Interception and Misuse: If the victim falls for this second phase of the attack and shares their OTP, the attacker can use it to complete the login process. Since OTPs are generally time-bound, the attacker acts quickly to gain access to the victim's account.

How to mitigate OTP code phishing risk?

  • Phase out phish-able authentication factors like passwords, pins, and OTPs
    • Uplift customers into Passkeys/FIDO2 security keys, and deprecate use of OTPs
  • Educate customers on the risks of phishing and how to spot common phishing techniques
  • Opt-for end to end encrypted message channels to deliver OTPs like WhatsApp for business
Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
Account takeover
FIDO2

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies