In association with HID
In many modern offices, a curious security gap exists. An employee might use a high-security encrypted badge to enter a building, yet minutes later, log into a critical corporate database using only a password and a six-digit code sent via SMS.
While the physical perimeter is locked down, the digital gateway remains reliant on a foundation that is increasingly easy for hackers to crack.
This disconnect signals a fundamental crisis in the traditional security frameworks that organisations have relied on for decades. The long-standing strategy of building high walls around a network to protect identity is failing.

As the industry moves through 2026, it has become clear that attackers are no longer “breaking in” to systems; they are simply logging in using stolen credentials.
As industry analysts have noted, identity has moved to the heart of the digital era, underpinning everything from employee productivity to zero-trust principles.
Today, two identity security areas – identity threat detection and response (ITDR) and strong authentication – have emerged as the top priorities for organisations over the next 18 months.
This focus is driven by the reality that hybrid and remote work have expanded the attack surface, leaving network-stored credentials vulnerable to replay and social engineering.
To secure the modern enterprise, organisations must reroute their identity strategy, moving identity off the vulnerable network layer and anchoring it firmly to the physical device, said Edwardcher Monreal, principal solutions architect at HID, an identity security company.
This “device-bound” approach represents a critical evolution in authentication, he told Techgoondu at the recent Black Hat APAC 2026 conference in Singapore.
By making an identity non-exportable and bound to a specific piece of hardware – such as a laptop, a smartphone, or a dedicated security key – the attacker’s job becomes exponentially more difficult, he argued.
This is because they could no longer simply steal a string of text but must obtain physical possession of the user’s hardware, he explained.

A primary driver of current vulnerability is the fragmented way organisations handle security. Historically, physical security teams and digital IT teams have operated in silos.
This fragmentation creates blind spots. While an employee might use a secure badge for the lobby, their digital access often relies on outdated multi-factor authentication (MFA) methods that are increasingly targeted by modern phishing kits and session-hijacking tools.
In recent years, the FIDO (Fast Identity Online) standard has become the engine driving the transformation toward more secure methods.
While high-level security was once reserved for organisations that could afford the complexity of a full Public Key Infrastructure (PKI), the industry is now seeing the rise of what Monreal describes as “PKI-lite” through the adoption of passkeys.
Passkeys are now integrated into the major operating systems, including Windows, iOS, and Android. Unlike traditional passwords, passkeys are stored within a device’s secure element – a dedicated, tamper-resistant hardware chip.
When a user authenticates, the device uses a private key to sign a challenge from a specific website or application. Because this signature is unique to both the device and the website address, it provides inherent protection against phishing.
The convergence of physical and digital security is a measurable trend. According to a recent HID study, 75 per cent of organisations have already deployed or are actively evaluating converged identity solutions.
The underlying logic is that the “new perimeter” exists wherever the user and the device are located.
In a converged environment, physical and digital signals work together to increase certainty. For example, if a digital account attempts to log in to a workstation from an office location, but the physical security system shows the employee never badged into the building, the system can automatically trigger an alert or block the attempt. This synergy turns the physical office into an active component of digital defence.
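As an added example of the correlation just described (not HID's product logic), the check below runs over constructed badge and login records: a login from an office site is flagged when the user's latest badge event at that site before the login is not a badge-in. The site code `SIN-HQ`, user names and timestamps are constructed.

```javascript
// Added example of the converged physical/digital check over constructed records; not HID's code.
const badgeEvents = [  // constructed physical access control log
  { user: 'alice', site: 'SIN-HQ', action: 'in',  ts: '2026-03-10T08:02:00Z' },
  { user: 'alice', site: 'SIN-HQ', action: 'out', ts: '2026-03-10T12:30:00Z' },
  { user: 'bob',   site: 'SIN-HQ', action: 'in',  ts: '2026-03-10T09:15:00Z' },
];
const loginEvents = [  // constructed workstation logins, each tagged with the site it came from
  { user: 'alice', site: 'SIN-HQ', ts: '2026-03-10T08:05:00Z' }, // badged in at 08:02: consistent
  { user: 'alice', site: 'SIN-HQ', ts: '2026-03-10T13:00:00Z' }, // badged out at 12:30: alert
  { user: 'carol', site: 'SIN-HQ', ts: '2026-03-10T10:00:00Z' }, // never badged in: alert
  { user: 'bob',   site: 'SIN-HQ', ts: '2026-03-10T09:20:00Z' }, // badged in at 09:15: consistent
];

// True when the user's most recent badge event at the site, at or before the login time, is 'in'.
function isPhysicallyPresent(badges, user, site, atTs) {
  const t = Date.parse(atTs);
  const latest = badges
    .filter(e => e.user === user && e.site === site && Date.parse(e.ts) <= t)
    .sort((a, b) => Date.parse(b.ts) - Date.parse(a.ts))[0];
  return latest !== undefined && latest.action === 'in';
}

// Returns the logins that should raise an alert (or be blocked) because the physical
// signal contradicts the digital one.
function findUnbadgedLogins(badges, logins) {
  return logins
    .filter(l => !isPhysicallyPresent(badges, l.user, l.site, l.ts))
    .map(l => ({ ...l, reason: 'office login with no matching badge-in' }));
}
```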
Managing the device life cycle also increases efficiency for IT departments. In a device-bound environment, if an employee loses a phone or laptop, IT simply revokes trust for that specific device. Once deactivated, the identity held on that device is neutralised, regardless of whether an attacker has the PIN.
Monreal suggests a tactical, phased approach to rerouting identity rather than a total overhaul. The first step involves identifying high-value targets, such as IT administrators, executives with access to sensitive financial data, and personnel involved in payroll or third-party vendor payments.
These individuals represent the highest risk and are the priority for moving to device-bound, phishing-resistant authentication, he suggested.
As the industry moves through 2026, the shift away from network-centric security is becoming essential. The path forward requires a fundamental change in how trust is established, he noted.
By moving identity off the network and binding it to physical devices, organisations can close the gaps that attackers have exploited for years, he added.
“If an identity can be moved or reused, it can be bypassed,” he explained. “By rerouting our focus back to device-bound trust, we ensure that identity cannot be stolen because it never leaves the hardware in the user’s hand.”
He added: “In this new landscape, the most secure move is to stop defending a perimeter that no longer exists and start building a foundation of trust at the hardware level.”
