The technology industry celebrated World Password Day, an event proposed by cybersecurity professionals to raise awareness among users and companies of the need to promote best practices in creating and maintaining passwords. The event is celebrated on the first Thursday of May, and the data indicates that it remains necessary.
Compromised credentials were the main cause of cyberattacks for the second consecutive year (41% of cases), according to the 2025 edition of the Sophos Active Adversary report. In addition, according to this study, the sophisticated tactics, techniques and procedures (TTPs) used by attackers in 2025 will allow them to bypass traditional authentication methods with ease. For this reason, it is essential that users and companies adopt stronger methods to protect their data against credential theft.
On the occasion of World Password Day, the security firm highlights the limits of passwords and other knowledge-based authentication methods, drawing attention to three key aspects to keep in mind:
The limits of knowledge-based protection
Two-factor or multifactor authentication (2FA/MFA) solutions are widespread. However, like the password, these additional layers of protection are often based on knowledge-based secret codes shared by SMS or through authentication apps. Unfortunately, many of these methods remain vulnerable. Cybercriminals now have tools, such as Evilginx2, that make it easier to bypass these protections by automating identity impersonation (phishing) or stealing session cookies.
This means that the path of constantly postponing the moment when passwords become obsolete, propping them up with fragile add-ons, appears fraught with danger. The reality of the cyber threat landscape should push companies towards a paradigm shift that abandons the model of passwords and knowledge-based shared secrets.
WebAuthn and passkeys: towards stronger multifactor authentication?
To protect against phishing, the WebAuthn protocol (which underpins, in particular, passkeys) has the backing of cybersecurity experts. With this method, when an account is created, a unique public/private cryptographic key pair is generated. These keys are then stored locally: the public key on the website's server and the private key on the user's device, together with the name of the site and the user identifier.
To log in, the user no longer needs to enter a password or a secret code shared by SMS or an authentication app. Instead, the server sends a digital authentication challenge that can only be solved if the user is in physical possession of the device and can prove ownership of the private key (by biometric verification, for example). Authentication therefore continues to rely on two factors, but these no longer depend on what the user knows; they depend on physical possession of the device and the user's own biometric characteristics. In principle, therefore, they cannot be stolen through conventional impersonation (phishing) methods.
In addition, the authentication process includes a bidirectional check that allows the user's device to verify the identity of the service by means of the website's domain, which is sent when the server requests authentication. Unlike methods that use passwords and knowledge-based secret codes, the user is no longer the only party who must prove their legitimacy.
Precautions to take to guarantee robust and simplified authentication
This new industry standard, based on FIDO2, appears to offer proven protection against phishing (the main vector for credential theft), while simplifying authentication for users. However, although WebAuthn represents a great step forward, several weaknesses persist, so vigilance is required:
- It is essential to ensure that the device or cloud service where the keys are stored is secure.
- A successful transition to WebAuthn requires acceptance and adoption by companies and their departments.
- Session cookie theft remains a form of attack that would allow cybercriminals to bypass this protection.
It is important to bear in mind that criminals constantly improve their attack methods. Adopting these technologies should therefore be a strategic cybersecurity priority for companies today.
According to Chester Wisniewski, Director, Global Field CISO at Sophos: «We have to stop depending on passwords and shared secrets. Passkeys today represent the strongest solution for building a future without passwords, phishing and, with luck, large-scale compromise».