The Age of Paradoxical Security

Why, after decades of security innovation, does the volume and cost of digital fraud appear to accelerate?

July 2, 2025

Why, after decades of security innovation, does the volume and cost of digital fraud appear to accelerate? This question haunts boardrooms, security teams, and individuals navigating the digital world. The frustration is palpable; every additional security prompt and each new authentication method was intended to make us safer. Yet, the data tells a different story. The global cost of online fraud and related financial crime is a staggering figure, with some estimates placing the total economic impact, including productivity losses and remedial costs, in the trillions of dollars annually.¹ The sheer volume of identity-related crime remains a significant challenge; in the United States alone, the Federal Trade Commission (FTC) received 1.1 million reports of identity theft in 2023.²

This phenomenon is not merely a matter of user error or the latest malware strain. A deeper paradox is at play: the more security layers that are added to existing systems, the more friction is introduced into the user experience. This friction, in turn, drives behaviours that increase risk, a condition known as “authentication fatigue.” The problem appears to be architectural, not merely procedural. It is, therefore, imperative to re-examine the foundational assumptions upon which digital identity and its protection are built.

The Authentication Paradox: Why More Security Can Mean More Fraud

The Illusion of Control: Layering Security on a Flawed Foundation

The prevailing digital security model — passwords, PINs, and multi-factor authentication (MFA) layered atop one another — draws its inspiration from the physical world: vaults with single-entry points and heavily guarded doors. This metaphor, however, is fundamentally misaligned with the nature of the internet. We are applying security concepts designed to protect a singular, observable vault to a digital ecosystem that is more akin to a colander, riddled with millions of interconnected holes by design.

This layering of disparate solutions has led to significant complexity. Today, enterprises deploy a multitude of security tools, with some studies indicating that larger organisations use an average of 50 to 60 different security vendors.³ This proliferation results in overwhelmed IT teams, diminished threat detection capabilities, and a user experience often described as “security whack-a-mole.” What began as incremental progress has evolved into a complex, brittle system that frequently fails to deliver genuine protection. This accumulation of tools not only increases the operational burden but also introduces conflicting policies and interfaces, hindering a swift and coordinated response to emerging threats.

The Rise of Authentication Fatigue and Identity Sprawl

From the user’s perspective, the system is becoming untenable. The demand for endless logins and verifications incentivises shortcuts, such as password reuse or mindlessly approving a push notification to gain access to a needed service. This is authentication fatigue, a systemic vulnerability with measurable consequences.

The problem is compounded by “identity sprawl,” where a single individual must manage a vast portfolio of digital credentials. Research indicates a significant challenge for organisations, with one survey revealing that 60% of companies manage over 21 digital identities per user.⁴ This landscape fosters risky behaviours. Ironically, younger, digitally native generations exhibit a high degree of confidence in their ability to navigate the online world, yet they experience higher rates of scam victimisation. One 2023 report found that 34% of Gen Z and 24% of Millennials reported losing money to online scams, a higher share than older generations reported.⁵ Their confidence has not insulated them from harm; rather, it has engendered a degree of complacency within a system that encourages insecure workarounds. The issue is not simply user carelessness, but evidence that the security architecture itself is unsustainable.

The Arms Race: New Fraud Techniques Meet New Security Measures

AI-Powered Attacks: Deepfakes, Phishing, and Social Engineering

The fraud landscape has been dramatically reshaped by artificial intelligence. Attackers now leverage AI to create highly convincing deepfakes for business-critical video calls and to generate sophisticated, personalised phishing emails at an unprecedented scale. One report noted a 3,000% year-over-year increase in deepfake-related fraud from 2022 to 2023.⁶ These technologies target not just technical vulnerabilities but human psychology — our habits, impatience, and desire for convenience.

More chilling is the data suggesting that as attackers become more sophisticated, our collective vigilance may be waning. The sophistication of these AI-driven attacks now routinely outpaces traditional detection methods, compelling organisations to recognise that legacy defences are no longer sufficient.

The Limits of Multi-Factor Authentication

Multi-factor authentication was widely adopted as a critical defence. For a time, it was highly effective. However, the security arms race continues. Attackers now deploy “MFA fatigue” or “MFA bombing” attacks, overwhelming users with a flood of approval requests until one is accepted, either by accident or out of sheer exhaustion.⁷ Techniques such as SIM swapping and the hijacking of authenticated sessions have also evolved to bypass MFA protections.
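The “MFA bombing” pattern described above is visible in authentication logs as a burst of push prompts to one user that ends in an approval. The following is an added illustration, not code from the original article: it runs a simple burst detector over a constructed set of log lines (the timestamps, user names and event names are made up for the example) and flags users who approved a prompt after receiving more than a threshold number of prompts inside a short window.

```python
"""Flag MFA push-bombing bursts in constructed authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp, user, event.
SAMPLE_LOG = """\
2025-07-01T08:00:05Z alice push_sent
2025-07-01T08:00:20Z alice push_denied
2025-07-01T08:00:41Z alice push_sent
2025-07-01T08:01:02Z alice push_timeout
2025-07-01T08:01:10Z alice push_sent
2025-07-01T08:01:30Z alice push_timeout
2025-07-01T08:01:45Z alice push_sent
2025-07-01T08:02:00Z alice push_approved
2025-07-01T09:15:00Z bob push_sent
2025-07-01T09:15:12Z bob push_approved
"""

WINDOW = timedelta(minutes=5)   # look-back window before an approval
MAX_PROMPTS = 3                 # more prompts than this in WINDOW is suspicious

def parse(log_text):
    """Turn each 'timestamp user event' line into a (datetime, user, event) tuple."""
    events = []
    for line in log_text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def find_push_bombing(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: prompts_in_burst} for every user who approved a push
    prompt after receiving more than max_prompts prompts within `window`.
    A legitimate login normally produces one prompt, so a long run of
    prompts ending in an approval is the signature worth alerting on."""
    by_user = defaultdict(list)
    for ts, user, event in parse(log_text):
        by_user[user].append((ts, event))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        approved = [ts for ts, ev in evs if ev == "push_approved"]
        for ap in approved:
            burst = [ts for ts in sent if ap - window <= ts <= ap]
            if len(burst) > max_prompts:
                alerts[user] = max(alerts.get(user, 0), len(burst))
    return alerts

if __name__ == "__main__":
    print(find_push_bombing(SAMPLE_LOG))  # alice approved after 4 prompts in 2 minutes
```

In a real deployment the same logic would run over the identity provider’s push-notification events, and the threshold would be tuned against the normal prompt rate for the user population.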

This has left security professionals feeling ill-equipped for the next wave of threats. A 2023 survey revealed that 65% of IT and security professionals feel unprepared to defend against AI-driven cyberattacks.⁸ In practice, excessive authentication hurdles can degrade security by encouraging users to find ways around them. MFA remains a necessary component of a robust security posture, but it is increasingly insufficient without a concurrent rethinking of the underlying identity architecture.

The Flawed Architecture: Centralization and the Data Honeypot Problem

Centralization Breeds Systemic Vulnerability

The practice of concentrating vast amounts of sensitive personal and financial data in centralised, internet-connected repositories creates highly attractive targets for malicious actors. These “data honeypots” are a predictable outcome of an architectural model that prioritised convenience and scale over security. Every new breach exposes the systemic weakness of this approach; a single successful attack can have cascading consequences, leading to widespread identity theft, financial fraud, and a significant erosion of public trust.⁹ The aggregation of personal data in a handful of locations has fundamentally altered the risk landscape, turning isolated incidents into events with far-reaching implications.

The Architecture Analogy: From Vaults to Colanders

Our industry’s metaphors have power. For years, we have clung to the concept of the digital vault — sealed, singular, and impenetrable. The reality of our interconnected world is closer to that of a colander: porous, distributed, and inherently leaky. The challenges we face today, including rampant data breaches and the erosion of privacy, are not unforeseen consequences. They are the predictable result of building our digital world on a flawed identity architecture.¹⁰ Challenging these foundational assumptions is the first, necessary step toward building a more resilient and trustworthy digital ecosystem.

Toward a New Identity Architecture: Principles for Digital Trust

Decentralization and User-Centric Design

A new paradigm is emerging, one that places the individual, not the institution, at the centre of digital identity. In decentralized or self-sovereign identity models, the individual possesses and controls their own identity credentials, sharing them on a case-by-case basis without reliance on a central authority.¹¹ This approach distributes risk, dramatically reduces the attack surface of data honeypots, and empowers users with genuine control over their personal information.

This is not a utopian ideal but a pragmatic response to systemic failure. For an organisation, this model offers a path to operating without the significant liability of storing, securing, and perpetually auditing massive troves of personal data. Privacy and compliance can become natural outcomes of the architecture, rather than sources of perpetual anxiety and cost. While real-world adoption requires cooperation, open standards, and technological maturity, the benefits — reduced liability, strengthened trust, and a foundation for genuine innovation — are too substantial to overlook.

Pragmatic Steps for Business Leaders

The transition away from the current paradigm can begin with the following pragmatic steps:

  1. Recognise the Limitations of Incremental Fixes: Understand that while tools like MFA are necessary, they are ultimately patches on a broken model. As some critics argue, “a genuine solution requires a fundamental architectural shift.”¹²
  2. Evaluate Emerging Decentralized Solutions: Invest time in understanding decentralized identity technologies and support the development of open standards that foster interoperability.
  3. Prioritise Architectures that Minimise Friction and Centralized Risk: Adopt design principles that reduce the amount of personally identifiable information (PII) your organisation stores. Employ non-correlatable identifiers to prevent tracking across different services and leverage privacy-preserving verification methods where feasible.
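Step 3 recommends non-correlatable identifiers. The following added example (not code from the original article) shows one way to construct them: each service receives a pairwise identifier derived by HMAC-SHA256 from a secret held by the user and the service’s origin, so the identifier is stable for that service but meaningless to any other. The simulation then compares what two breached user tables have in common under a shared global identifier versus under pairwise identifiers. The user secrets, service origins and user names are constructed placeholders.

```python
"""Pairwise (non-correlatable) identifiers versus a shared global identifier."""
import hashlib
import hmac
import secrets

# Constructed user-held root secrets. A real wallet would generate each one
# with secrets.token_bytes(32) and never reveal it to any service.
USER_SECRETS = {
    "alice": bytes.fromhex("11" * 32),
    "bob":   bytes.fromhex("22" * 32),
}
SERVICES = ["https://shop.example", "https://bank.example"]  # placeholder origins

def pairwise_id(root_secret: bytes, relying_party: str) -> str:
    """HMAC-SHA256 of the relying party's origin under the user's root secret.
    Same (user, service) pair -> same id; different services -> unrelated ids
    that cannot be linked without the secret."""
    return hmac.new(root_secret, relying_party.encode("utf-8"), hashlib.sha256).hexdigest()

def global_scheme(user: str, service: str) -> str:
    """Today's common practice: one identifier (e.g. an email) reused everywhere."""
    return user

def pairwise_scheme(user: str, service: str) -> str:
    return pairwise_id(USER_SECRETS[user], service)

def build_tables(scheme):
    """Simulate each service's stored user table under a given identifier scheme."""
    return {svc: {scheme(u, svc) for u in USER_SECRETS} for svc in SERVICES}

def joinable_ids(tables):
    """Identifiers present in more than one table: the join key a data broker
    or an attacker holding both breached tables could use to link records."""
    seen = {}
    for svc, ids in tables.items():
        for i in ids:
            seen.setdefault(i, set()).add(svc)
    return {i for i, svcs in seen.items() if len(svcs) > 1}

def new_root_secret() -> bytes:
    """How a wallet would mint a fresh root secret (shown for completeness)."""
    return secrets.token_bytes(32)

if __name__ == "__main__":
    print("global scheme, linkable ids:", joinable_ids(build_tables(global_scheme)))
    print("pairwise scheme, linkable ids:", joinable_ids(build_tables(pairwise_scheme)))
```

The pairwise tables still let each service recognise a returning user, which is the property it needs; what they lose is the ability to be joined with one another, which is the property a honeypot breach exploits.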

By taking these steps, organisations can begin to measure success through new metrics, including reductions in user-reported authentication fatigue, lower rates of security-related support tickets, and, ultimately, a decline in successful breach incidents. Over time, these benchmarks become the indicators of a successful architectural transformation, leading to enhanced customer loyalty and a more resilient security posture.

Conclusion: The Moment for Change

The authentication paradox is a structural flaw in our digital infrastructure. It cannot be resolved by doubling down on the same tools and metaphors that created the problem. The future of digital security and innovation belongs to those willing to question foundational assumptions and invest in architectures that place individual empowerment and digital trust at their core. The exploration of user-centric, decentralized authentication models is no longer a theoretical exercise but a strategic imperative for any organisation seeking to thrive in the coming decade.

Footnotes:

¹ Estimates on the global cost of cybercrime vary widely depending on the methodology. For instance, a 2023 report by Cybersecurity Ventures projected that global cybercrime costs would reach $9.5 trillion in 2024. Source: Morgan, S. (2023). “Cybercrime To Cost The World $9.5 Trillion Annually In 2024.” Cybercrime Magazine. Available at: https://cybersecurityventures.com/cybercrime-to-cost-the-world-9-5-trillion-annually-in-2024/

² Federal Trade Commission. (2024). Consumer Sentinel Network Data Book 2023. Available at: https://www.ftc.gov/system/files/ftc_gov/pdf/CSN-Data-Book-2023-Final-508.pdf

³ Research from firms like Statista and various cybersecurity vendors consistently shows large enterprises using dozens of security tools. A 2022 study by Panaseer noted that 75% of large enterprises use more than 50 different security tools. Source: Panaseer. (2022). “2022 Security Leaders Peer Report.” Archived results available through industry publications.

⁴ SailPoint. (2022). The Horizons of Identity Security. The report highlights the growing complexity of managing digital identities within enterprises. Available at: https://www.sailpoint.com/identity-library/the-horizons-of-identity/

⁵ Deloitte. (2023). 2023 Global Survey on Scams and Financial Crime. The report details generational trends in scam victimization. Source: Deloitte. (2023). “A new lens on the landscape of digital fraud.” Available at: https://www2.deloitte.com/us/en/insights/industry/financial-services/global-fraud-and-scams-survey.html

⁶ This statistic is widely cited, originating from a report by Onfido. Source: Onfido. (2024). “Identity Fraud Report 2024.” Available at: https://onfido.com/resources/reports-surveys/identity-fraud-report-2024/

⁷ MFA fatigue attacks have been notably used in high-profile breaches. Cybersecurity agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts regarding these tactics. Source: CISA. (2022). “Alert (AA22-279A): Lapsus$ and Related Threat Groups Targeting Multiple Sectors.” Available at: https://www.cisa.gov/news-events/alerts/2022/10/06/cisa-and-fbi-release-advisory-lapsus-and-related-threat-groups-targeting-multiple-sectors

⁸ Splunk. (2023). The State of Security 2023. This annual report surveys security leaders on their top concerns and readiness for emerging threats. Available at: https://www.splunk.com/en_us/form/the-state-of-security.html

⁹ The concept of centralized data repositories as “honeypots” is a long-standing principle in information security literature, often discussed in the context of risk management and system architecture design.

¹⁰ This analogy is used by proponents of decentralized identity to illustrate the inherent flaws of centralized network security. For an example of this line of reasoning, see the works of Christopher Allen, a pioneer in self-sovereign identity. Source: Allen, C. (2016). “The Path to Self-Sovereign Identity.” Available at: http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

¹¹ The World Wide Web Consortium (W3C) is a key body standardizing the technologies for decentralized identifiers (DIDs) and verifiable credentials (VCs). Their specifications provide a technical foundation for these models. Source: W3C. “Decentralized Identifiers (DIDs) v1.0.” Available at: https://www.w3.org/TR/did-core/

¹² This quote or sentiment is common among advocates for fundamental architectural change in digital identity, such as those in the self-sovereign identity community. It reflects the view that incremental improvements to the existing centralized model are insufficient to solve its core problems.
