#CUAS
Defending digital identity from computer-using agents (CUAs) #cybersecurity #infosec
Defending digital identity from computer-using agents (CUAs)
For years, organizations have relied on passwords and multi-factor authentication (MFA) based on shared secrets like SMS codes and one-time passwords (OTPs) as the foundation of identity security. The rise of computer-using agents (CUAs) will accelerate attackers’ ability to automate and scale phishing and credential-stuffing attacks with minimal effort. As a result, adopting phishing-resistant credentials has shifted from best practice to a necessity. Organizations must prioritize device-bound cryptographic solutions such as FIDO2, passkeys and certificate-based authentication to secure access to SaaS applications. Likewise, SaaS providers should ensure integration with identity platforms that support phishing-resistant credentials to strengthen the overall security posture.

Password usage patterns: The root cause

Organizations increasingly rely on SaaS, with the average enterprise using 106 SaaS applications. There is well-established research on why managing unique, complex passwords for so many apps can be overwhelming.

* Principle of least effort: Our brains seek shortcuts to reduce cognitive load, making password reuse seem rational.
* Security fatigue: Frequent password changes and complex rules frustrate users, pushing them toward reuse.

As a result, users often rotate between 4–10 core passwords. According to an article by Enzoic, the average person reuses the same password across as many as 14 accounts. According to a Google-Harris Poll survey, 66% of Americans admit to reusing passwords across multiple accounts.

Even when users attempt uniqueness, changes are typically trivial or formulaic, capitalizing the first letter, appending a number or adding a special character. Example: Winter2025 → Winter2025!

Attackers exploit these predictable tweaks through mask attacks, systematically testing common variations. They further optimize the prediction logic by leveraging password rules exposed during SaaS sign-in processes.

What’s worse? 73% of users reuse passwords across personal and work accounts, creating a direct path for attackers to access corporate resources. If the compromised user holds privileged access, the impact can be catastrophic.

How attackers exploit these password usage patterns

Once attackers obtain credentials through common techniques such as:

* Phishing: Fake login pages capturing usernames and passwords
* Data breaches: Millions of credentials leaked online
* Keyloggers: Malware recording keystrokes
* Man-in-the-middle attacks: Intercepting traffic on public Wi-Fi
* Social engineering: Manipulating users into revealing secrets

They weaponize these stolen credentials using credential stuffing; automatically testing them across multiple SaaS apps to gain unauthorized access.

Evolution of credential stuffing

Manual login attempts

This legacy approach involved attackers manually testing stolen usernames and passwords across multiple SaaS applications. Limitations:

* Time-consuming and labor-intensive.
* High likelihood of triggering anomaly alerts from one or more SaaS applications, giving users time to respond before attackers can complete credential stuffing across their targeted app list.

Bot-based automation

To scale attacks, attackers began using bots to mimic clicks on login pages or call APIs exposed by SaaS apps where available. Over time, these bots have also evolved to bypass anti-automation defenses such as IP denylists, rate limiting, CAPTCHAs and bot-behavior detection set in place by SaaS applications. However, challenges remain:

* Bots and scripts are often app-specific and require constant updates as SaaS apps change UI elements.
* They demand coding expertise, custom configurations and sometimes API access.
* Not all bots can bypass every anti-automation measure, forcing attackers to select specific bots for each SaaS app based on its defenses.

In summary, because web identities are implemented in bespoke ways across thousands of SaaS apps and since SaaS apps also frequently change their UI, scaling a credential stuffing attack is hard. Widespread bot protections further complicated this.

Enter CUAs

Computer-using agents are AI-driven systems that interact with computers and applications through their user interfaces — just like a human would. They are powered by vision-language models (VLMs) and large language models (LLMs), enabling them to combine perception, reasoning, and action planning:

* Perception: Observe screens via pixel data or screenshots to interpret what’s displayed.
* Understanding: Recognize and interpret UI elements—buttons, text fields, menus—just like a human.
* Action: Perform clicks, typing, scrolling and navigation autonomously across apps and websites.

CUAs can outperform bots and scale credential stuffing attacks

When leveraged by attackers, the capabilities of CUAs make them far more effective than traditional bots or automation tools in credential abuse campaigns:

Human-like interaction

Unlike traditional bots or scripts that depend on SaaS app APIs or require custom automation for each app, CUAs interact directly with the same user interface humans use — removing the need for APIs or custom code. This human-like approach enabled by CUA allows attackers to significantly expand the range of SaaS applications they can target for credential stuffing.

Natural language tasking

CUAs can be instructed using plain language commands, eliminating the need for coding skills or technical expertise. This dramatically lowers the barrier to entry for attackers.

Dynamic adaptability

Unlike bots that fail or require constant modification whenever identity-related UI elements change, CUAs perceive pixels, infer elements and adjust workflows on the fly. This dynamic adaptability allows them to seamlessly handle evolving layouts and operate across diverse platforms, significantly reducing complexity.

Adaptive learning

Unlike bots, CUAs learn from failed attempts, optimizing attack sequences and bypassing new defenses.

Resilience against anti-bot defenses

CUAs use full browser stacks and human-like interaction patterns, including realistic click and typing cadence. These behaviors allow them to bypass common defenses such as CAPTCHA and behavioral analytics.

Parallel execution at scale

CUAs perform tasks at machine speed and in parallel, allowing attackers to launch thousands of credential stuffing attempts simultaneously — orders of magnitude faster than manual attacks.

How CUAs can transform social engineering and phishing attacks

These same capabilities of CUA also allow attackers to take social engineering and phishing to an entirely new level. CUAs redefine how and where phishing occurs, shifting from email to social platforms and collaboration tools, where enterprise anti-phishing controls are usually not in place and are also less effective.

Using natural language, an attacker can instruct a CUA to create accounts on social platforms, post messages, build credibility and then exploit that trust to deliver phishing links aimed at stealing credentials.

Beyond broad engagement, when targeting a particular user, CUAs can leverage AI to scrape user information from various social platforms and then use it for crafting highly personalized messages that establish rapport and serve as phishing lures, ultimately redirecting the victim to malicious sites.

The recommended shift to phishing-resistant credentials

To defend against these sophisticated attacks, organizations are encouraged by cybersecurity agencies like CISA to implement phishing-resistant credentials, such as passkeys (FIDO2) and public key infrastructure-based credentials.

FIDO2/Passkeys

FIDO2 security keys: These are physical devices, often portable, that a user connects via USB, near-field communication (NFC) or Bluetooth to perform authentication. They contain a user’s private key and use a cryptographic signature to securely authenticate to a service.

Platform-based passkeys: These are a type of FIDO credentials that can be stored on a user’s consumer devices, such as smartphones and laptops. Authentication using these passkeys requires the user to present the biometrics or a PIN to unlock the device before using it.

PKI-based credentials

Certificate-based authentication/smart cards: Relies on a physical smart card that contains a digital certificate and private key. Authentication requires the card’s presence and the user presenting a PIN to unlock the private key in the card.

How these credentials resist phishing

* No shared secrets: There are no passwords or one-time codes that can be intercepted, stolen by a phisher or reused in a replay attack.
* Cryptographically verified: Instead of a password or one-time code, a cryptographic key pair is involved in authenticating the user; the private key is the secret, which never leaves the user’s device, and the server can verify the user’s identity without ever transmitting this secret.
* Device-bound: The private key of the cryptographic key pair is bound to a specific physical device. Unless the attacker can sign in to the user’s device, the attacker cannot use the private key to generate the cryptographic signature.
* Origin-bound: In the case of Passkeys, the keys are cryptographically tied to a specific website or app’s domain, ensuring it can only be used for that exact service and not on a malicious or replica site.

Call for action

* Organizations: Enforce phishing-resistant credentials across all SaaS apps.
* SaaS providers: Integrate with identity platforms supporting phishing-resistant credentials.
* Security leaders: Treat this as a necessity, not aspirational.

The cost of delay is compromise at scale. This article is published as part of the Foundry Expert Contributor Network.
www.csoonline.com
November 12, 2025 at 3:45 AM
When even Mother Nature fights against your now over 44-month-long "10 days" failed invasion... 🙄🇺🇦🦉 #counteruas #cuas #slavaukraini
November 10, 2025 at 6:30 PM
#AIAgent solutions provide so much capability for automation & streamlining productivity.
But it's a double-sided coin.
They also provide great opportunity to hackers via #CUAs

It's becoming critical to use #phishing-proof credentials such as #passkeys.

www.csoonline.com/article/4086...
Defending digital identity from computer-using agents (CUAs)
Hackers are using AI agents to outsmart old logins. It’s time to ditch passwords and move to phishing-proof credentials like passkeys.
www.csoonline.com
November 9, 2025 at 4:27 PM
Just like in Ukraine, Russian volunteers and tech start ups began supporting the military with acquisition and R&D of UAV, drone, EW, UGV, CUAS and other tech. Check out my quick summary of these developments in this SCEEUS compilation. sceeus.se/en/publicati...
The Future Russian Way of War – Part 3: Military Reform - Sceeus
SCEEUS Guest Report | The Future Russian Way of War, Part 3: Military Reform | By Konrad Muzyka, Samuel Bendett and Aleksandr Golts
sceeus.se
November 7, 2025 at 8:17 PM
New Second Breakfast is live:

SASC hearings and OSD, CUAS, national training centers and more. @uticaeric.bsky.social

open.spotify.com/episode/7B70...
Second Breakfast: Colby's Pigpen, Counter-UAS, Training, Eat like a Trumper (or Iranian Spy?)
Spotify video
open.spotify.com
November 7, 2025 at 7:21 PM
On this week’s Second Breakfast we talk about OSD-Congress relations, CUAS, training and national training centers, and why McClellan would’ve been a tyrant.
November 7, 2025 at 3:06 PM
Jose Cuas (2023-2024)

Cuas pitched in 25 games during the 2025 season between Philadelphia’s AAA team and Atlanta’s AA team. He was released in August and is now a free agent currently pitching in the Dominican Winter League.
November 3, 2025 at 1:46 PM
A post I agree with:

"Do not sacrifice the boys [in Pokrovsk] senselessly for politics and public opinion."

Serhii "Flash" Beskrestnov, the country's most active EW and CUAS specialist and a universally respected voice in the army and civil society

t.me/serhii_flash...
November 3, 2025 at 6:46 AM
🛡️ The counter-drone dossier is ready: IKW on Tuesday, Council of Ministers on Friday. We urgently need additional Counter-Unmanned Aerial Systems (CUAS) tools to strengthen our defences.
November 1, 2025 at 8:46 PM
Portugal introduced voltage control with renewables in 2020, which Spain has still not been able to apply
The CNMC approved a new voltage control service, operational next January; Red Eléctrica has just authorized the first renewables for it
www.eldiario.es/economia/por...
Portugal introduced voltage control with renewables in 2020, which Spain has still not been able to apply
Meanwhile, after several pilots, the CNMC approved after the blackout a new voltage control service that will not be operational until January; Red Eléctrica has just authorized the first renewables for...
www.eldiario.es
October 30, 2025 at 9:48 AM
Cheap, as in, the bill is paid by someone else. Let's also burn the planet while we're at it.

bsky.app/profile/cuas...
Amazon strategised about keeping its datacentres’ full water use secret, leaked document shows
Executives at world’s biggest datacenter owner grappled with disclosing information about water used to help power facilities

www.theguardian.com/technology/2...
Amazon strategised about keeping its datacentres’ full water use secret, leaked document shows
Executives at world’s biggest datacenter owner grappled with disclosing information about water used to help power facilities
www.theguardian.com
October 29, 2025 at 1:59 PM
MIMCS
(Minimally Intrusive Multi-Role Combat Sensor)

A low-risk, minimally invasive, scalable C-UAS/anti-air self-defense concept

The system includes:
1. Height-adjustable early warning sensors (Optical and/or Radar)

2. RCWS MG/autocannon as hard-kill CUAS self-defense weapon
October 27, 2025 at 5:18 PM
We're in Costa de la Calma, which is nice. It's right next to Santa Ponça which is, well... we were in Cala d'Or a couple of years ago, which is on the other side of the island and is absolutely beautiful. A place full of coves and crystal-clear water.
October 27, 2025 at 12:50 PM
It was Dinneen who had the word “móg”, a turnip in which a hollow was made for a candle. Did “móg” ever find a place in any other dictionary? @lexiconista.bsky.social @dirkvanbryn.bsky.social @derekholly7.bsky.social
October 26, 2025 at 8:10 PM
there was lots of Heritage in the box and i nabbed this white border variation for funsies
it really highlights just how much 1975 Topps needs that color, this is not attractive
apparently Jose was one of the Braves' 8 billion minor league pickups this year
October 24, 2025 at 9:59 PM
my power has grown. it's not finished yet mind you. it's a magic staff with a hidden sword, i still need to finish the sword part two different ways cuas i have a neat idea for it, but once that's done, the ring acts like a crossguard the white stone is the grip...so
October 23, 2025 at 3:58 PM
Detecting activity in the outdoors is usually done in two dimensions – but we don’t live in a two-dimensional world.

MatrixSpace senses surroundings in three dimensions, for an added layer of safety and security, by combining advanced radar and AI at the edge.

#AIsensing #CUAS
October 22, 2025 at 6:05 PM
Norway's first CUAS system from Operation Solutions Ltd. is now being installed at Ørland Air Base. www.fma.no/aktuelt-og-m...
Strengthening air defence at Ørland with a new anti-drone system
Forsvarsmateriell equips the Armed Forces with relevant and up-to-date materiel to contribute to the Armed Forces' operational capability. The agency makes investments and manages the materiel throughout its service life. This...
www.fma.no
October 20, 2025 at 6:18 AM