Stop Impersonating Your Users: Why Identity-Level Impersonation Is Dangerous and What to Do Instead
Blog post from Ory
For years, platforms have used identity-level impersonation for handling support requests, allowing admins to "log in as the user," but this practice poses significant security and compliance risks, as evidenced by incidents like the 2020 Twitter breach. Impersonation breaks the link between identity and accountability, complicating audit trails and violating frameworks such as SOC2, GDPR, HIPAA, and PCI DSS. Although operational convenience and legacy systems perpetuate this practice, a safer alternative is permission-level impersonation, where support agents retain their identity while receiving temporary, user-equivalent permissions. This approach, facilitated by tools like Ory Kratos, Ory Hydra, and Ory Keto, aligns with Zero Trust principles and ensures compliance by maintaining detailed, verifiable audit logs, thereby enhancing security without sacrificing efficiency in support workflows.
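To make the contrast concrete, here is an added Go sketch of permission-level impersonation as the summary describes it: the support agent keeps their own identity, receives a time-boxed grant limited to a subset of the target user's permissions, and every authorization decision is written to an audit log that names the agent as the actor. This is illustrative code written for this page, not Ory's implementation and not how Ory Kratos, Hydra or Keto model it internally; the policy map, the `support` role, the `agent:bob`/`user:alice` subjects and the 15-minute `MaxTTL` are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Principal is the authenticated caller. The subject never changes during
// permission-level impersonation; only the effective permissions do.
type Principal struct {
	Subject string
	Roles   []string
}

// ActAsGrant is a temporary, user-equivalent permission set handed to a support
// agent. The agent's own identity (Actor) stays attached for accountability.
type ActAsGrant struct {
	Actor, OnBehalf, Ticket string   // agent, mirrored user, justifying ticket
	Scopes                  []string // subset of the user's permissions the agent may use
	Expires                 time.Time
}

// AuditEvent is one verifiable audit record; it always names the real actor.
type AuditEvent struct {
	At                                      time.Time
	Actor, OnBehalf, Ticket, Action, Reason string
	Allowed                                 bool
}

// Authorizer holds a constructed sample policy (user -> permissions) and the
// audit log. Now is injectable so expiry is testable deterministically.
type Authorizer struct {
	UserScopes map[string][]string
	MaxTTL     time.Duration
	Now        func() time.Time
	Audit      []AuditEvent
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// IssueGrant mints a grant only for agents with the (assumed) "support" role,
// only for permissions the target user actually holds, and only within MaxTTL.
func (a *Authorizer) IssueGrant(agent Principal, user, ticket string, scopes []string, ttl time.Duration) (ActAsGrant, error) {
	if !contains(agent.Roles, "support") {
		return ActAsGrant{}, errors.New("caller is not a support agent")
	}
	if ticket == "" {
		return ActAsGrant{}, errors.New("a support ticket is required")
	}
	if ttl <= 0 || ttl > a.MaxTTL {
		return ActAsGrant{}, fmt.Errorf("ttl must be within (0, %s]", a.MaxTTL)
	}
	userPerms, ok := a.UserScopes[user]
	if !ok {
		return ActAsGrant{}, fmt.Errorf("unknown user %q", user)
	}
	for _, s := range scopes {
		if !contains(userPerms, s) {
			return ActAsGrant{}, fmt.Errorf("user %q does not hold permission %q", user, s)
		}
	}
	return ActAsGrant{Actor: agent.Subject, OnBehalf: user, Ticket: ticket, Scopes: scopes, Expires: a.Now().Add(ttl)}, nil
}

// Authorize decides one action under the grant and appends an audit record
// that names the agent as actor, never the impersonated user.
func (a *Authorizer) Authorize(g ActAsGrant, action string) bool {
	allowed, reason := true, "ok"
	switch {
	case !a.Now().Before(g.Expires):
		allowed, reason = false, "grant expired"
	case !contains(g.Scopes, action):
		allowed, reason = false, "action outside granted scopes"
	}
	a.Audit = append(a.Audit, AuditEvent{At: a.Now(), Actor: g.Actor, OnBehalf: g.OnBehalf,
		Ticket: g.Ticket, Action: action, Allowed: allowed, Reason: reason})
	return allowed
}

// NewSampleAuthorizer wires a constructed policy for demonstration: one user
// with three permissions and a 15-minute ceiling on any grant.
func NewSampleAuthorizer(now func() time.Time) *Authorizer {
	return &Authorizer{
		UserScopes: map[string][]string{"user:alice": {"orders:read", "orders:cancel", "profile:update"}},
		MaxTTL:     15 * time.Minute,
		Now:        now,
	}
}
```

To drive it, build an `Authorizer` with an injectable clock, call `IssueGrant` for a `Principal` holding the `support` role, then call `Authorize` per action: a scope outside the grant or a call after `Expires` is denied, and each decision lands in `Audit` with `Actor` set to the agent, which is exactly the accountability link that identity-level "log in as the user" loses.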