Saved February 14, 2026
Do you care about this?
Clerk has introduced Client Trust, a new feature to combat credential stuffing attacks. It requires additional verification for users signing in from new devices without two-factor authentication, providing automatic protection against leaked passwords. This feature is included in all Clerk plans and is automatically enabled for new applications.
If you do, here's more
Troy Hunt recently revealed that 625 million previously unreleased passwords were added to Have I Been Pwned, highlighting how serious the threat of credential stuffing attacks has become. Clerk faced a wave of these attacks, in which attackers tested millions of stolen passwords while rotating IPs and TLS fingerprints to evade security measures. Although it mitigated most of the attempts, Clerk recognized that even blocking 99.9% of them isn't enough when leaks of this size are involved.
In response, Clerk introduced Client Trust, a new defense mechanism designed to combat credential stuffing. The system treats any new device as untrusted until the user has completed a sign-in from it. If a user without two-factor authentication (2FA) enabled enters a valid password from a new device, Clerk automatically requires a second authentication method, either a one-time passcode or a magic link. This is a straightforward solution that requires few extra steps or configuration from developers.
Client Trust aims to strike a balance between user experience and security. It's intended to be unobtrusive when not needed but becomes a protective measure when it is. This approach removes the anxiety around leaked passwords and reliance on users enabling 2FA. The feature is free for all Clerk plans and is automatically active for new applications, with existing applications needing a manual update from the dashboard. For many customers, this update is just a one-click process.
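To make the policy described above concrete, here is an added, constructed model of a new-device step-up flow (not Clerk's code): a device is untrusted until a second factor has been verified from it, users who already have 2FA enabled go through their own second factor, and trusted devices sign in with the password alone. Device identifiers and the `User` record are assumptions for illustration.

```python
from dataclasses import dataclass, field

CHALLENGE_METHODS = ("otp", "magic_link")  # one-time passcode or magic link


@dataclass
class User:
    """Constructed per-user state: 2FA setting plus the devices already trusted."""
    twofa_enabled: bool
    trusted_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device_id -> challenge method


def evaluate_sign_in(user: User, device_id: str, password_valid: bool,
                     method: str = "otp") -> str:
    """Decide the next step for a password sign-in from device_id."""
    if method not in CHALLENGE_METHODS:
        raise ValueError(f"unsupported challenge method: {method}")
    if not password_valid:
        return "deny"                       # wrong password: nothing else matters
    if user.twofa_enabled:
        return "require_2fa"                # the user's own second factor applies
    if device_id in user.trusted_devices:
        return "allow"                      # known device, no step-up
    user.pending[device_id] = method        # new device: a valid password is not enough
    return f"challenge:{method}"


def complete_challenge(user: User, device_id: str, verified: bool) -> str:
    """Finish a pending challenge; only a verified challenge marks the device trusted."""
    if device_id not in user.pending:
        return "deny"                       # no challenge was issued for this device
    user.pending.pop(device_id)
    if not verified:
        return "deny"                       # failed code or link: device stays untrusted
    user.trusted_devices.add(device_id)
    return "allow"
```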