Last Friday, Troy Hunt shared that 625 million never-before-leaked passwords had been added to Have I Been Pwned, the password leak detection service. The update brought relief to our team at Clerk, which had been fighting credential stuffing attacks for the two weeks prior.

Attackers were attempting to test millions of stolen passwords in quick bursts, with seemingly endless rotating IPs and TLS fingerprints to slip past rate limiters.

While we were able to mitigate the vast majority of the attack, leaks of this scale mean that even 99.9% effectiveness isn’t enough.

So we decided to kill credential stuffing for good, with a mechanism we’re calling Client Trust.

Introducing Client Trust

Client Trust is Clerk’s new defense against credential stuffing. It works by treating every new device as untrusted until the user has signed in on it.

Here’s what that means in practice:

1. If a user enters a valid password
2. and hasn’t enabled two-factor authentication
3. and is signing in from a new client (device)

Then Clerk will automatically require a second factor, with either a one-time passcode or a magic link, depending on the application’s settings.

That’s it. No extra configuration and no guesswork. Just automatic protection from day one.

Security that adapts to reality

We know that developers don’t want to choose between user experience and security. Client Trust is designed to make that trade-off obsolete.

It’s invisible when it should be, and decisive when it must be. No more leaked-password panics. No more hoping users turned on 2FA.

With Client Trust, your users are protected even when their password is included in a 0-day credential leak.

Free for everyone

Client Trust is included in all Clerk plans, and automatically enabled for new applications.

Existing applications must enable the update manually from the Updates page of the dashboard. For most customers, it’s available as one-click update.