Sophos Advocates the End of the Password on World Password Day


As the world marks World Password Day, cybersecurity firm Sophos has stressed the limits of passwords and knowledge-based authentication methods.

The techniques, tactics, and procedures (TTPs) used by cyber attackers in 2025 are sophisticated enough to circumvent traditional authentication methods with little effort. The 2025 edition of Sophos’ Active Adversary report finds that compromised credentials were the leading cause of attacks for the second year running (41% of cases). Users and companies therefore need more robust methods to protect their data against credential theft.

The Limits of Knowledge-Based Protection

Two-factor and multi-factor authentication (2FA/MFA) solutions are widely adopted. However, like the password itself, these additional layers of protection often rely on knowledge-based secret codes shared via SMS or an authentication application, and many of them remain vulnerable. Attackers now have tools at their disposal, such as evilginx2, that make it easy to bypass these protections by automating phishing or stealing session cookies.

Constantly postponing the moment when passwords become obsolete by bolting on fragile additional layers therefore looks like a dangerous path. The reality of the cyberthreat landscape should push companies towards a paradigm shift: moving away from the password model and from knowledge-based shared secrets altogether.

WebAuthn and Access Keys: Towards Stronger Multi-Factor Authentication?

To protect against phishing, the WebAuthn protocol, which in particular uses access keys (passkeys), is now the subject of consensus among cybersecurity experts. With this method, a unique public/private cryptographic key pair is generated when an account is created. The two halves are then stored separately: the public key on the site’s server, and the private key on the user’s device, along with the site name and user ID.

To log in, the user no longer enters a password or a secret code received via SMS or an authentication application. Instead, the server sends a digital authentication challenge that can only be answered if the user physically possesses the device and can prove ownership of the private key, for example through biometric verification. Authentication therefore still rests on two factors, but they no longer depend on what the user knows: they depend on possession of the device and on the user’s own biometric characteristics. In principle, therefore, they cannot be stolen using conventional phishing methods.

What’s more, the authentication process includes a two-way check: the site domain is sent along with the server’s authentication request, and the credential only responds for the domain it was registered with, so the user’s device effectively verifies the identity of the service. Unlike methods based on passwords and knowledge-based secret codes, the user is no longer the only party required to prove his or her legitimacy.
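As an added illustration of the registration and login ceremonies described above (example code written for this article, not Sophos’ code nor that of any WebAuthn library), the following Go program simulates the three parties involved: the authenticator holding the private key, the browser that only lets a page use credentials scoped to its own domain, and the relying party (the site’s server) that verifies the signed challenge against the stored public key. It is deliberately simplified: the signed data is reduced to sha256(rpID) || sha256(clientDataJSON) with ECDSA P-256, there is no attestation, signature counter or user-presence flag, and a plain host/suffix comparison stands in for the browser’s real registrable-domain rule. All domain and user names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ClientData is built by the browser and signed over by the authenticator; its
// origin field is what ties an assertion to the page that actually made the request.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's random challenge
	Origin    string `json:"origin"`
}
type Assertion struct{ ClientDataJSON, Signature []byte } // the login response the server verifies

// signedDigest is what both sides hash: sha256(rpID) || sha256(clientDataJSON).
func signedDigest(rpID string, clientDataJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(rp[:], cd[:]...))
	return d[:]
}

// Authenticator is the user's device: keys are created here, stored per (site, user) and
// never leave it. A real device also gates GetAssertion on a biometric or PIN check.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func (a *Authenticator) MakeCredential(rpID, userID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: rand failure not handled
	a.keys[rpID+"\x00"+userID] = priv
	return &priv.PublicKey // only the public half is sent to the server
}
func (a *Authenticator) GetAssertion(rpID, userID string, clientDataJSON []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID+"\x00"+userID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential for %s/%s", rpID, userID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, clientDataJSON))
	return &Assertion{ClientDataJSON: clientDataJSON, Signature: sig}, err
}

// browserGet models the browser: a page may only use an rpID that matches its own domain
// (simplified here to an https host/suffix check), and the true origin is recorded.
func browserGet(auth *Authenticator, pageOrigin, rpID, userID string, challenge []byte) (*Assertion, error) {
	if pageOrigin != "https://"+rpID && !strings.HasSuffix(pageOrigin, "."+rpID) {
		return nil, fmt.Errorf("browser: %s may not use credentials scoped to %s", pageOrigin, rpID)
	}
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Origin: pageOrigin,
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	return auth.GetAssertion(rpID, userID, cd)
}

// RelyingParty is the site's server: it stores public keys plus one live challenge per user.
type RelyingParty struct {
	ID, Origin string
	pubs       map[string]*ecdsa.PublicKey
	pending    map[string]string
}
func (rp *RelyingParty) BeginLogin(userID string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[userID] = base64.RawURLEncoding.EncodeToString(c)
	return c
}

// FinishLogin checks: fresh challenge, expected origin, signature under the stored key
// (the digest covers sha256(rp.ID), so a key registered for another site cannot verify).
func (rp *RelyingParty) FinishLogin(userID string, as *Assertion) error {
	pub, expected := rp.pubs[userID], rp.pending[userID]
	delete(rp.pending, userID) // challenges are single-use, so a replayed assertion fails
	var cd ClientData
	switch {
	case as == nil || pub == nil || expected == "":
		return fmt.Errorf("unknown user, missing assertion, or no login in progress")
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil:
		return fmt.Errorf("malformed client data")
	case cd.Type != "webauthn.get" || cd.Challenge != expected:
		return fmt.Errorf("challenge mismatch or wrong ceremony type")
	case cd.Origin != rp.Origin: // this check is what defeats a relaying phishing proxy
		return fmt.Errorf("assertion came from %s, not %s", cd.Origin, rp.Origin)
	case !ecdsa.VerifyASN1(pub, signedDigest(rp.ID, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("signature does not verify under the stored public key")
	}
	return nil
}

// Scenario registers a passkey, then tries a genuine login, a replay of that assertion
// and a login requested from a look-alike domain (all names here are constructed).
func Scenario() (genuineOK, replayBlocked, phishBlocked bool) {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com",
		pubs: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	const user = "alice"
	rp.pubs[user] = auth.MakeCredential(rp.ID, user) // registration ceremony
	as, err := browserGet(auth, "https://example.com", rp.ID, user, rp.BeginLogin(user))
	genuineOK = err == nil && rp.FinishLogin(user, as) == nil
	replayBlocked = rp.FinishLogin(user, as) != nil
	_, err = browserGet(auth, "https://example-com.login.test", rp.ID, user, rp.BeginLogin(user))
	phishBlocked = err != nil
	return
}
func main() { fmt.Println(Scenario()) }
```

Scenario() returns true, true, true: the genuine login verifies, the replayed assertion is rejected because its challenge has already been consumed, and the look-alike page cannot obtain an assertion for example.com in the first place. Even if a relaying proxy did manage to obtain one, the origin recorded in the client data would not match the relying party’s own origin and FinishLogin would refuse it; that is the two-way check the text describes. Note what the ceremony does not cover: the session cookie issued after FinishLogin succeeds lies outside it entirely, which is why cookie theft remains a concern even with passkeys.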

Precautions To Be Taken to Ensure Robust, Simplified Authentication

This new industry standard, based on FIDO2, offers robust protection against phishing — the main vector for credential theft — while also simplifying authentication for users. However, although WebAuthn represents a significant advancement, some weaknesses remain and continued vigilance is necessary. In particular, the devices or cloud environments where authentication keys are stored must themselves be properly secured.

In addition, a successful transition to WebAuthn depends on strong buy-in and widespread adoption by businesses and their departments. Despite these improvements, the theft of session cookies remains a potential attack vector: once a user is logged in, a stolen session cookie lets an attacker bypass these new protections without ever touching the passkey.

It is important to bear in mind that cybercriminals are constantly perfecting their attack methods. That’s why adopting these technologies should be a strategic cybersecurity priority for businesses today.

According to Chester Wisniewski, Director, Global Field CISO at Sophos: “We need to move away from reliance on passwords and shared secrets. Access keys or passkeys today represent the most robust solution for building a future without passwords, phishing and, hopefully, large-scale compromise.”


By Staff Writer

Tracking and reporting on tech and business trends in Kenya and across Africa. Send tips to editorial@techtrendsmedia.co.ke
