Offer Israeli, GVP & GM, Identity Threat Defense at Proofpoint, recently wrote:

“Attackers are increasingly focused on privileged identity account takeover (ATO) attacks because they can compromise organizations much more easily and quickly this way, as compared to the time, effort, and cost to exploit a software vulnerability (a common vulnerability and exposure or CVE). And we should not expect this trend to stop anytime soon, given that these ATOs have reduced attacker dwell times from months to merely days, with very little risk to attackers that they’ll be detected before completing their crime.”

He further wrote that the complex nature of the "management of enterprise identities, and the systems used to secure them" escalates the problem.

An example of the issue Offer Israeli describes is the recent RIPE NCC account hacking case: Spanish internet provider Orange went down for several hours after its RIPE account was hacked, likely after malware stole the credentials, in this case the admin credentials. See Eduard Kovacs' Mobile and Wireless article of Jan 4, 2024. The setup for RIPE NCC access is this:

To get registered with TraitWare:

There is no password creation or storage: it is time to eliminate passwords. For privileged identity accounts, TraitWare offers, and is further developing, solutions to prevent account takeover (ATO).

First is TraitWare's multi-factor passwordless authentication. Admins are allowed only one registered device, preferably a mobile phone, since users continually need this device and keep close control of it. Further, a biometric can be required to open the TraitWare authentication mobile application. A knowledge factor that can only be generated on the registered device can be added to the biometric requirement using TraitWare PhotoAuth®, a visual PIN. Authentication of the registered device itself relies on stored behavioral traits derived from how the device is used, which provide a rotating key (dynamic token), a cryptographic key pair, and a one-time code. The combination of these makes account takeover very difficult.

Second, TraitWare provides a secured authentication server that uses the OAuth, SAML, and OIDC standards for access to relying parties and to physical devices such as routers and PCs set up to use these protocols.

Third, the registered mobile device can be geofenced by GPS so that it can only be used in selected locations. Even if the user account is taken over and a new registered device is created, that device is useless unless it is located in one of the approved locations. The privileged account user will quickly notice the takeover, since their own registered device will no longer work and they will have to contact another admin to re-register them and disable the takeover device. (Note: usernames and passwords can be shared and used by multiple users, and if the registration code for a one-time password generator is obtained, it can be used on multiple devices.)

Fourth, the use of a registered TraitWare Authentication browser extension can be required, to prevent a phishing attack from directing a privileged account holder to a fake login page.
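To make the third and fourth measures concrete, here is an added illustration of how a server-side policy can layer them: a single bound device per account (registering a new one revokes the old, which is exactly what the legitimate admin notices), a GPS geofence checked with a great-circle distance, and an exact-origin comparison for the login page reported by a browser extension. This is example code written for this article, not TraitWare's own implementation; every function name, data structure, coordinate and URL in it is constructed for illustration, and a real deployment would hold this state in a database and take the device identity from a cryptographic attestation rather than a plain string.

```python
"""Constructed example of layered privileged-account checks (not vendor code)."""
import math
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Geofence:
    lat: float
    lon: float
    radius_m: float


@dataclass
class PrivilegedAccount:
    username: str
    device_id: Optional[str] = None            # the single registered device
    fences: List[Geofence] = field(default_factory=list)
    allowed_origin: str = ""                   # e.g. "https://admin.example.test"
    audit: List[str] = field(default_factory=list)


def register_device(acct, device_id):
    """Bind exactly one device; any previously bound device is revoked (hypothetical helper)."""
    if acct.device_id and acct.device_id != device_id:
        acct.audit.append(f"device {acct.device_id} revoked by registration of {device_id}")
    acct.device_id = device_id


def default_port(scheme):
    return {"https": 443, "http": 80}.get(scheme)


def same_origin(reported_url, allowed_origin):
    """Exact scheme + host + port match. A substring or suffix check would accept a
    look-alike host such as 'admin.example.test.evil.test'; an exact origin tuple does not."""
    r, a = urlsplit(reported_url), urlsplit(allowed_origin)
    return (r.scheme, r.hostname, r.port or default_port(r.scheme)) == (
        a.scheme, a.hostname, a.port or default_port(a.scheme))


def evaluate(acct, device_id, lat, lon, page_url):
    """Return (allowed, reason). Every denial is written to the audit trail so the
    legitimate admin or a SOC can see an attempted takeover."""
    if device_id != acct.device_id:
        reason = f"unregistered device {device_id}"
    elif not any(haversine_m(lat, lon, f.lat, f.lon) <= f.radius_m for f in acct.fences):
        reason = f"device outside all approved locations ({lat:.4f},{lon:.4f})"
    elif not same_origin(page_url, acct.allowed_origin):
        reason = f"login page origin mismatch: {page_url}"
    else:
        acct.audit.append(f"login OK from {device_id}")
        return True, "ok"
    acct.audit.append("DENY " + reason)
    return False, reason


def demo():
    """Constructed scenario: an admin whose only approved location is a 500 m circle
    around an office in Madrid, and an attacker who registers a new device after an ATO."""
    acct = PrivilegedAccount("net-admin", allowed_origin="https://admin.example.test")
    acct.fences.append(Geofence(40.4168, -3.7038, radius_m=500))
    register_device(acct, "phone-A")
    good = "https://admin.example.test/login"
    results = [evaluate(acct, "phone-A", 40.4170, -3.7040, good)]   # legitimate login
    register_device(acct, "phone-B")                                 # attacker re-registers
    results.append(evaluate(acct, "phone-A", 40.4170, -3.7040, good))  # admin's phone now fails
    results.append(evaluate(acct, "phone-B", 52.5200, 13.4050, good))  # attacker outside fence
    results.append(evaluate(acct, "phone-B", 40.4170, -3.7040,
                            "https://admin.example.test.evil.test/login"))  # phishing page
    return acct, results


if __name__ == "__main__":
    account, outcomes = demo()
    for line in account.audit:
        print(line)
```

The order of the checks matters less than the fact that each one fails closed and leaves a record: the revoked device is what alerts the real admin, the geofence blocks a remote attacker even with a freshly registered device, and the origin comparison is the server-side counterpart of a browser extension refusing to submit credentials to a page whose origin it does not recognise.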

While this may seem like a complex solution, most processes are transparent to the privileged account holder and thus simple to use.