Cisco Talos has written a blog post discussing how criminal activity might shift in response to the embrace of stronger user authentication methods, such as universal MFA and passwordless logins.

Assuming that a few dozen key web applications shift to passwordless logins in the future, the authors predict that threat actors will shift phishing targets to cloud providers, password managers, and email providers in an effort to better control victims’ ability for account recovery. They also believe authorized session IDs will become more popular targets compared to login credentials, which will see attacks shift to target the clipboard and malware adding more capabilities to target browsers. Finally, regarding criminal market activity, new business models may emerge after passwordless logins devalue the selling of compromised accounts, creating incentives for the selling of web application vulnerabilities and focusing on malware-based attacks over phishing-based ones. Read more at Cisco Talos.