On the occasion of World Password Day, Sophos stresses the limits of passwords and knowledge-based authentication methods. Indeed, the sophisticated techniques, tactics, and procedures (TTPs) of cyber attackers in 2025 will enable them to easily circumvent traditional authentication methods. As such, the 2025 edition of Sophos’ Active Adversary report indicates that compromised credentials represent the leading cause of attack for the second year running (41% of cases). It is therefore essential that users and companies adopt more robust methods to protect their data against credential theft.
The limits of knowledge-based protection
Dual or multi-factor authentication (2FA/MFA) solutions are widely adopted. However, like the password, these additional layers of protection often rely on knowledge-based secret codes shared via SMS or authentication applications. Unfortunately, many of these methods remain vulnerable. Hackers now have tools at their disposal which, like evilginx2, make it easy to bypass these protections by automating phishing or stealing session cookies.
This means that the path of constantly postponing the moment when passwords become obsolete, through fragile additions, seems fraught with danger. The reality of the cyberthreat landscape should push companies towards a paradigm shift away from the password model and knowledge-based shared secrets.
WebAuthn and access keys: towards stronger multifactor authentication?
To protect against phishing, the WebAuthn protocol – which uses access keys or passkeys in particular – is now the subject of consensus among cybersecurity experts. With this method, when an account is created, a unique public/private cryptographic key pair is generated. These are then stored locally: on the site’s server for the public key, and on the user’s terminal for the private key, along with the site name and user ID.
To log in, the user no longer needs to enter a password or secret code shared via SMS or an authentication application. Instead, the server sends a digital authentication request that can only be resolved if the user is in physical possession of a device and can prove that he or she is the owner of the private key – through biometric verification, for example. Authentication is therefore still based on two factors, but these do not depend on the user’s knowledge, but on the physical possession of the device and the user’s own biometric characteristics. In principle, therefore, they cannot be stolen using conventional phishing methods.
What’s more, the authentication process includes a two-way check that enables the user to verify the identity of the service by means of the site domain, sent when the server requests authentication. Unlike methods that use knowledge-based passwords and secret codes, the user is no longer the only one required to prove his or her legitimacy.
Precautions to be taken to ensure robust, simplified authentication
This new industry standard, based on the FIDO2 standard, appears to offer proven protection against phishing – the main threat vector for credential theft – while simplifying authentication for users.
Nevertheless, while WebAuthn represents a major step forward, several vulnerabilities remain, and vigilance is still called for:
- It is imperative to ensure that the device or cloud where keys are stored is secure;
- The successful transition to WebAuthn requires buy-in and adoption by businesses and departments;
- The theft of session cookies remains an attack vector that would enable cyber-attackers to bypass this protection.
It is important to bear in mind that cybercriminals are constantly perfecting their attack methods. That’s why adopting these technologies should be a strategic cybersecurity priority for businesses today.
According to Chester Wisniewski, Director, Global Field CISO at Sophos: “We need to move away from reliance on passwords and shared secrets. Access keys or passkeys today represent the most robust solution for building a future without passwords, phishing and, hopefully, large-scale compromise.”
Discussion about this post