Dubai, United Arab Emirates – April 28, 2025 – On the occasion of World Password Day, Sophos, a global leader of innovative security solutions for defeating cyberattacks, stresses the limits of the password and knowledge-based authentication methods. Indeed, the sophisticated techniques, tactics, and procedures (TTPs) of cyber attackers in 2025 will enable them to easily circumvent traditional authentication methods. As such, the 2025 edition of Sophos’ Active Adversary report indicates that compromised credentials represent the leading cause of attack for the second year running (41% of cases). It is therefore essential that users and companies adopt more robust methods to protect their data against credential theft. 

The limits of knowledge-based protection

Dual or multi-factor authentication (2FA/MFA) solutions are widely adopted. However, like the password, these additional layers of protection often rely on knowledge-based secret codes shared via SMS or authentication applications. Unfortunately, many of these methods remain vulnerable. Hackers now have tools at their disposal which, like evilginx2, make it easy to bypass these protections by automating phishing or stealing session cookies.

This means that the path of constantly postponing the moment when passwords become obsolete, through fragile additions, seems fraught with danger. The reality of the cyberthreat landscape should push companies towards a paradigm shift away from the password model and knowledge-based shared secrets.

WebAuthn and access keys: towards stronger multifactor authentication?

To protect against phishing, the WebAuthn protocol – which uses access keys or passkeys in particular – is now the subject of consensus among cybersecurity experts. With this method, when an account is created, a unique public/private cryptographic key pair is generated. These are then stored locally: on the site’s server for the public key, and on the user’s terminal for the private key, along with the site name and user ID. 

To log in, the user no longer needs to enter a password or secret code shared via SMS or an authentication application. Instead, the server sends a digital authentication request that can only be resolved if the user is in physical possession of a device and can prove that he or she is the owner of the private key – through biometric verification, for example. Authentication is therefore still based on two factors, but these do not depend on the user’s knowledge, but on the physical possession of the device and the user’s own biometric characteristics. In principle, therefore, they cannot be stolen using conventional phishing methods.

What’s more, the authentication process includes a two-way check that enables the user to verify the identity of the service by means of the site domain, sent when the server requests authentication. Unlike methods that use knowledge-based passwords and secret codes, the user is no longer the only one required to prove his or her legitimacy.

Precautions to be taken to ensure robust, simplified authentication

This new industry standard, based on the FIDO2 standard, appears to offer proven protection against phishing – the main threat vector for credential theft – while simplifying authentication for users.

Nevertheless, while WebAuthn represents a major step forward, several vulnerabilities remain, and vigilance is still called for:

• It is imperative to ensure that the device or cloud where keys are stored is secure;
• The successful transition to WebAuthn requires buy-in and adoption by businesses and departments;
• The theft of session cookies remains an attack vector that would enable cyber-attackers to bypass this protection.

It is important to bear in mind that cybercriminals are constantly perfecting their attack methods. That’s why adopting these technologies should be a strategic cybersecurity priority for businesses today.

According to Chester Wisniewski, Director, Global Field CISO at Sophos: “We need to move away from reliance on passwords and shared secrets. Access keys or passkeys today represent the most robust solution for building a future without passwords, phishing and, hopefully, large-scale compromise.”

About Sophos

Sophos is a global leader and innovator of advanced security solutions for defeating cyberattacks. The company acquired Secureworks in February 2025, bringing together two pioneers that have redefined the cybersecurity industry with their innovative, native AI-optimized services, technologies and products. Sophos is now the largest pure-play Managed Detection and Response (MDR) provider, supporting more than 28,000 organizations. In addition to MDR and other services, Sophos’ complete portfolio includes industry-leading endpoint, network, email, and cloud security that interoperate and adapt to defend through the Sophos Central platform. Secureworks provides the innovative, market-leading Taegis XDR/MDR, identity threat detection and response (ITDR), next-gen SIEM capabilities, managed risk, and a comprehensive set of advisory services. Sophos sells all these solutions through reseller partners, Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) worldwide, defending more than 600,000 organizations worldwide from phishing, ransomware, data theft, other everyday and state-sponsored cybercrimes. The solutions are powered by historical and real-time threat intelligence from Sophos X-Ops and the newly added Counter Threat Unit (CTU). Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.