Leaving Passwords and Developing Phishing-Resistant Users
Passwords were once considered a sufficient form of online authentication, but are now widely recognized as an insecure form of authentication that puts users at high risk of modern cyberattacks like phishing. Even the strongest passwords can be guessed, stolen, or intercepted, and once compromised, malicious actors can easily bypass old forms of multi-factor authentication (MFA) and gain access to personal information.
Organizations largely understand the risks of relying solely on passwords for online account security and are looking for ways to become more cyber resilient. Progress is certainly being made: the UK government recently introduced regulations to protect consumers from hacking and other cyberattacks, including banning smart device manufacturers from setting weak, easy-to-guess default passwords such as “12345.”
However, more needs to be done to achieve true cyber resilience and resistance to phishing attacks. Phishing is the number one cause of successful cyberattacks today, with more than 80 percent of attacks resulting from stolen credentials.
As awareness of password-related cybersecurity risks grows among individuals and organizations, further regulations are expected worldwide. Ultimately, the safest option is to eliminate passwords altogether in favor of phishing-resistant authentication methods and focus on developing phishing-resistant users.
Regional Director (UK & Ireland) at Yubico.
Towards a passwordless future with passkeys
Passwords, which rely on remembered shared secrets, urgently require a more secure alternative. The proliferation of passkeys represents a significant advancement for authentication technology to achieve this goal worldwide. Passkeys are often stored on devices such as phones, computers, or phishing-resistant hardware security keys. Using asymmetric cryptography, each passkey consists of a public and private key linked by complex mathematical formulas. The hosting site or application stores the public key, while the private key remains secure on the user’s device.
Adopting phishing-resistant MFA, such as device-bound passkeys held on hardware security keys, is critical for robust protection against advanced cyberthreats. These keys provide a reliable defense against remote attacks, making physical access non-negotiable for authentication. With 91 percent of cyberattacks starting with phishing, secure and convenient authentication methods like these reinforce the need to ditch passwords for good.
When logging in to online accounts and services, authentication occurs via a validation process and a “handshake” between two keys. This approach addresses many of the vulnerabilities associated with traditional passwords. The good news is that passkeys are inherently phishing-resistant; they cannot be intercepted or stolen by external attackers. Additionally, each passkey is specific to a website or app, which prevents credentials from being sent to phishing sites even if the user is tricked.
Some applications or services that support passkeys allow users to choose between synchronized and hardware-bound options. Because they do not require a battery or internet connection, hardware security keys provide reliable authentication in environments where mobile devices are limited or unavailable to users.
Ultimately, the most secure method of defending credentials is to use device-bound passkeys stored on hardware security keys. This provides a robust security solution for both consumers and businesses, especially those focused on strict compliance standards.
What is the future of passwords?
The overall popularity, growth, and adoption of passkeys will increase over the next few years as individuals and businesses alike realize the importance of going passwordless and adopting MFA solutions that truly prevent phishing attacks. They will become a foundational part of security best practices within many organizations. With Apple, Google, and Microsoft already using passkeys internally for their own staff and adding passkey support for customers accessing their sites, others are expected to follow suit soon.
It is more urgent than ever that more platforms and services enable passkeys and create a safer internet for everyone. As passkeys gain popularity around the world, hopefully this will result in a decrease in the use of passwords and a significant decrease in the success of phishing attacks worldwide.
Ensuring users are phishing-proof is key to true cyber resilience
However, organizations increasingly need to do more than just deploy the right security tools to maintain the highest level of security and eliminate phishing attacks altogether. While the primary security control for enterprises has traditionally been to prevent phishing at the point of authentication, the rollout of new phishing-resistant authentication has pushed user accounts into a hybrid state with both phishable and phishing-resistant credential types.
As a result, the risk of falling victim to phishing attacks increases exponentially as users move between platforms and devices, and between personal and corporate apps and services. Many conventional authentication techniques are inherently phishable, meaning that platforms and enterprises must improve and secure their processes for issuing credentials, registering devices, and signing in to passkey providers.
However, organizations often fall back on phishable user registration and account recovery methods when a user is onboarded or their device is lost or stolen. This piecemeal approach creates convenient windows for a phishing attack to unfold and makes it harder for enterprises to consistently protect their systems and data, and even to remain compliant.
So the secret to ensuring a user or employee is well protected is to focus on developing phishing-resistant users. Rather than just a reactive measure, this is a proactive strategy to eliminate the risk of phishing by eliminating all phishable events throughout the user lifecycle.
To achieve this, organizations must equip their employees with phishing-resistant MFA and implement phishing-resistant account provisioning and user recovery procedures for everyone. This is supported by the use of purpose-built and portable hardware security keys as the foundation for the highest possible security. Finally, organizations must leverage technology-driven solutions that reduce the reliance on user education, while also providing essential education on the principles and benefits of phishing-resistant MFA for business and personal use.
Secure authentication that moves with users across devices, platforms, and services, regardless of how they work, is not a utopia, but a necessity in today’s rapidly changing digital landscape. Phishing resistance in enrollment, authentication, and recovery processes is paramount to cultivating phishing-resistant users. This improves cybersecurity resilience, reduces reliance on reactive measures, and effectively protects sensitive data and operations. It all starts and ends with implementing state-of-the-art, highest-assurance hardware security keys and saying goodbye to passwords and other weak authentication methods for good.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.