
Cybercriminals are increasingly shifting away from network-based attacks to target a more reliable vulnerability: identity.
According to the 2025 Verizon Data Breach Investigations Report, 88% of basic web application breaches involved the use of stolen credentials, sometimes serving as both the first and only action.
Security teams know credential compromise works because it preys on the same human behavior they work to manage every day. In fact, 63% of employees admit to bypassing privileged access controls to work more efficiently, underscoring the risk of high-friction authentication processes that encourage workarounds.
Yet, while security leaders recognize the need to upgrade legacy access control systems, many organizations stick with weak, outdated credentials because they’re worried about the potential cost and operational disruption of replacing them.
The gap between security aspirations and investment is reaching a breaking point. To reduce long-term risk while keeping the business moving, security leaders must embrace a phased, incremental approach to modernizing access control.
Legacy access control systems amplify credential-based attacks
For bad actors, a credential-based attack is typically the fastest and quietest path to lateral movement. By abusing an employee’s legitimate credentials, they can gain initial access to sensitive data and systems without generating visible indicators of compromise.
While attackers often use infostealer malware or phishing and social engineering techniques to obtain employee credentials, insecure legacy credentials make their job far easier. A glaring example is the continued use of low-frequency proximity cards that are susceptible to theft and cloning. Once an attacker has a badge in hand, they can enter physical spaces while appearing to be a legitimate user.
In settings with shared workstations or printers, unauthorized physical access can quickly escalate into broader exposure. An attacker may be able to use the same credential to access unattended workstations and shared printers, and potentially breach internal systems and applications.
The access control industry has addressed these threats with new technologies that minimize friction and risk. For example, mobile credentials are encrypted and bound to a user’s smartphone, making them nearly impossible to clone or duplicate and offering convenient access for employees.
Likewise, FIDO authentication addresses the root cause of many credential-based attacks by eliminating phishable passwords. Instead, FIDO authentication generates unique cryptographic keys that are securely stored on a user’s device. An employee can quickly authenticate using an authenticator app and a biometric factor or PIN, eliminating the burden of managing passwords and helping organizations enforce Zero Trust principles.
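To make that mechanism concrete, here is an added Go sketch (not from the article or from any FIDO library) of the challenge/response FIDO is built on: a key pair bound to one origin that never leaves the device, a relying party that checks every assertion against a fresh challenge, and a look-alike phishing domain that relays the challenge and gets nothing usable. The domain names, the user "alice" and the authenticator model are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a hypothetical model of a device-bound FIDO authenticator:
// one key pair per relying-party ID (rpID); private keys never leave the device.
type Authenticator map[string]ed25519.PrivateKey
// Register creates a key pair bound to rpID and hands back only the public half.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// signedData binds an assertion to the origin the browser actually saw.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
// Assert signs for the origin the browser reports; a look-alike domain has no key.
func (a Authenticator) Assert(browserRPID string, challenge []byte) ([]byte, bool) {
	if priv, ok := a[browserRPID]; ok {
		return ed25519.Sign(priv, signedData(browserRPID, challenge)), true
	}
	return nil, false
}

// Server is the relying party: public keys plus a fresh random challenge per login.
type Server struct{ rpID string; creds map[string]ed25519.PublicKey }
func (s *Server) Challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.creds[user]
	return ok && ed25519.Verify(pub, signedData(s.rpID, challenge), sig)
}

// scenario: real login, phishing relay of the same challenge, replay of the assertion.
func scenario() (login, phished, replay bool) {
	srv, dev := &Server{"corp.example", map[string]ed25519.PublicKey{}}, Authenticator{} // constructed
	srv.creds["alice"] = dev.Register(srv.rpID)
	c := srv.Challenge()
	sig, _ := dev.Assert(srv.rpID, c)
	_, phished = dev.Assert("corp-example.login-help.test", c)
	return srv.Verify("alice", c, sig), phished, srv.Verify("alice", srv.Challenge(), sig)
}
func main() { fmt.Println(scenario()) } // prints: true false false
```

The same properties are what make a stolen or infostealer-captured assertion worthless: it is tied to one origin and one challenge, unlike a password that works anywhere it is typed.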
Despite these advancements, many organizations stall their transition to modern access control technologies, leaving their environments exposed. For security leaders, the first step in closing this gap is dispelling common misconceptions about modernization and clearly positioning it as a critical risk-mitigation investment — not a “nice to have.”
3 ways security leaders can drive access control modernization
With the average cost of a data breach reaching $4.4 million, organizations can’t afford to delay critical access control upgrades. As credential-based attacks increasingly slip past legacy systems, security leaders need practical, low-disruption strategies to modernize defenses without derailing operations or employee productivity.
Start with these three strategies to move your organization forward:
1. Assess your current environment:
Before planning upgrades, conduct a comprehensive audit of your existing physical and logical access controls. For example, you may use proximity cards across multiple endpoints in your environment, such as front door access, single sign-on and secure printing.
Through this evaluation, you can identify the highest-risk vulnerabilities in your environment. The use of proximity cards for single sign-on, for instance, presents a greater security concern than endpoint access, given the potential for data theft and subsequent compliance violations.
In environments burdened by credential sprawl, defining these priorities brings much-needed clarity, surfacing targeted upgrade opportunities that streamline and unify access across the organization. In turn, you lay the groundwork for teams to collaborate effectively on a modernization approach.
2. Align internally on a phased modernization strategy:
Once priority use cases are clearly defined, the next step is to align stakeholders across physical security, IT and cybersecurity teams. By setting clear objectives and establishing shared ownership, you can support timely decision-making and avoid stalled initiatives.
With cross-functional buy-in, you can prioritize targeted initiatives, such as deploying dual-technology readers that support both legacy and modern credentials. This approach helps organizations gradually transition away from existing infrastructure while minimizing disruption.
As you move into early deployments, create shared success metrics that enable teams to evaluate progress and address issues collaboratively.
3. Prioritize the employee experience:
When piloting technology with a small user group, prioritize solutions that are designed to streamline the employee experience.
For example, testing mobile credentials across doors, workstations and single sign-on allows you to evaluate the use of a single credential for multiple endpoints. Be intentional about collecting employee feedback on how this access method compares to legacy credentials in terms of speed and convenience.
During your pilot process, also note the level of support your vendor offers, since their guidance and responsiveness will impact the success of your modernization efforts going forward.
Modernizing access control without disruption
Across industries, identity has become the new security perimeter, and legacy credentials no longer offer sufficient protection. As credential-based attacks grow more advanced, organizations that continue to rely on outdated access controls are accepting unnecessary risk.
The good news is that modernization doesn’t have to mean disruption. By aligning internal stakeholders and rolling out new technology in phases, security leaders can reduce exposure, improve the employee experience and future-proof their environment against evolving threats.