The Latest Developments in Password Security

Tags: passkeys, password security, phishing-resistant MFA, FIDO2, AiTM attacks
Alan V Gutnov

Director of Strategy

June 23, 2026
6 min read

TL;DR

    • ✓ Passwords and SMS/TOTP codes can be relayed through a real-time phishing proxy, so they do not stop modern phishing.
    • ✓ Adversary-in-the-middle (AiTM) kits bypass code-based MFA by proxying the whole login and capturing the session cookie the service issues afterwards.
    • ✓ Passkeys use asymmetric cryptography: the private key stays on the authenticator, and every signature is bound to the site's origin, so a proxy on another domain gets nothing it can replay.
    • ✓ FIDO2 leaves the server holding only public keys, so a breach of the credential store yields nothing an attacker can log in with (it does not make the breach itself impossible).

The password isn't just dying; it's being dragged to the curb, kicking and screaming. By 2026, the idea that a "secret", a string of characters tucked away in a user's memory or a vulnerable database, can actually protect your company has become a dangerous fantasy. Complexity requirements? Password rotation policies? They're band-aids on a gaping wound, and NIST SP 800-63B stopped recommending forced periodic rotation back in 2017 because it pushes users toward predictable patterns.

We've moved into an era where identity is no longer about what you know. It's about who you are and, more essentially, what hardware is in your pocket. If your organization is still clinging to legacy credentials as its primary line of defense, you're basically leaving the front door unlocked. Attackers don't bother brute-forcing your passwords any more; they phish them, replay them from breach dumps, or spray the handful that everyone picks. They've evolved. It's time you did, too.

Why Traditional MFA Is Failing Your Business

For a decade, the industry has been preaching the gospel of Multi-Factor Authentication (MFA). But we’ve been playing a dangerous game of semantics. There is a massive, gaping "MFA Gap"—the distance between what IT teams think is secure and what attackers find trivial to bypass.

The biggest offenders? SMS codes and time-based one-time passwords (TOTP). Both end in the same place: a short code that the user types into whatever page is in front of them. Nothing in that code says which site it was meant for, so it can be entered on a fake page and forwarded to the real one just as easily. That is the fatal flaw.

Enter Adversary-in-the-Middle (AiTM) attacks. Using toolkits like Evilginx, attackers run a transparent reverse proxy between the user and the real service, on a look-alike domain with a perfectly valid TLS certificate. The user sees the genuine login page, enters the password and the one-time code, and the proxy forwards both to the real service in real time. The service accepts them and issues a session cookie, which passes back through the proxy. The attacker keeps that cookie and uses it directly; MFA has already been satisfied, so the session works without ever asking again. Your "protection" vanishes instantly.

CISA's fact sheet on implementing phishing-resistant MFA is blunt about the hierarchy: SMS and voice codes are the weakest option, app-based OTP and push prompts are better but still phishable, and only FIDO/WebAuthn and PKI-based (smart card) authentication count as phishing-resistant. SMS and TOTP are speed bumps. The code is generated correctly (TOTP is an HMAC over the time), but nothing in it is bound to the site the user is on, so a motivated attacker simply relays it.

How Do Passkeys Actually Work?

To stop the bleeding, we have to ditch the concept of "secrets" entirely. This is where the FIDO2/WebAuthn standard comes in.

Think of a passkey as a digital credential built on asymmetric cryptography. When you register a passkey, your device does the heavy lifting: it creates a public and private key pair, scoped to the site's domain (the relying party ID). The public key goes to the service provider. The private key stays inside the authenticator: a hardware security key, the TPM, or the phone's secure element. For a device-bound passkey it never leaves that hardware. Ever. One caveat worth knowing: synced passkeys (iCloud Keychain, Google Password Manager, most password managers) are copied between your own devices under end-to-end encryption. The service you log into still never sees the private key, but the key is then only as safe as that sync account, which is why admins should get device-bound keys.

This blows up the server-side database theft model. If an attacker breaches a company's identity provider, the credential store holds a pile of public keys, useless for impersonating anyone (the breach still matters for everything else in that database, but it yields nothing to log in with). To log in, the server sends a random challenge; the browser wraps it together with the page's origin into a clientDataJSON structure, and the authenticator signs that alongside a hash of the relying party ID. The server checks the challenge, the origin and the RP ID hash before it even checks the signature, so an assertion produced on a phishing domain fails no matter how perfectly the attacker relays it, and the browser refuses to use the credential on the wrong domain in the first place. No codes to phish. No passwords to leak. No secrets to rotate. For a deeper look at the mechanics, the FIDO Alliance - Passkeys Explained page provides the definitive technical breakdown of this transition.

The Quantum Threat: "Harvest-Now, Decrypt-Later"

While we’re busy fighting phishing, there’s a shadow looming: the quantum threat. Many CISOs brush this off as a "future problem." That’s a mistake. If your organization handles sensitive, long-lived data, the danger is right now.

It's called "harvest-now, decrypt-later." Well-resourced adversaries are already vacuuming up and storing encrypted traffic. They can't read it today, but they're betting on a quantum computer that will break the RSA and elliptic-curve key exchange protecting it. Note what this does and does not threaten: recorded traffic can be decrypted later, but a recorded signature cannot be retroactively forged, so key exchange (TLS, VPNs, messaging) is the urgent part and authentication signatures come second.

If your data needs to stay private for five, ten, or twenty years, you are already exposed. The NIST Post-Quantum Cryptography Standards, published in August 2024 as FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), are your best defense, offering a roadmap to algorithms that won't crumble under the weight of future quantum computing power.

Preparing for the PQC Transition

Moving to Post-Quantum Cryptography (PQC) isn't a simple software patch. It's an architectural overhaul. The NIST-standardized algorithms ML-KEM and ML-DSA are fast on modern CPUs, but their public keys, ciphertexts and signatures are many times larger than the RSA and ECC equivalents we've used for decades, which breaks assumptions baked into certificate sizes, handshake packets and constrained hardware tokens.

In 2026, IT departments need to stop treating this as a "maybe later" task. Start with an inventory of where you use key exchange and digital signatures: TLS terminators, VPNs, SSH, code signing, internal PKI. Migrate key exchange first, since that is what harvest-now-decrypt-later actually attacks; hybrid X25519 plus ML-KEM key exchange already ships in mainstream browsers and TLS stacks, so for web traffic it may be a configuration change rather than a rewrite. If your infrastructure relies on legacy standards, you're not just dealing with technical debt; you're facing an existential risk. We are heading toward a reality where quantum-resistant key exchange isn't a luxury; it's a baseline compliance requirement.

Identity Over Credentials: The New Paradigm

The end goal is to stop "managing passwords" and start managing verified identity. In a zero-trust model, authentication is tied to hardware and, ideally, to local biometric verification: the fingerprint or face unlocks the key on the device and is never sent to the server. We are moving the "trust anchor" from a sticky note on a monitor to the silicon inside your employee's laptop or phone.

When you invest in Enterprise Identity Management, you’re making a massive quality-of-life upgrade for your users. You’re removing the "MFA fatigue" and the endless password resets, all while tightening your security posture. It’s one of the few times in tech where you can actually improve user experience and security simultaneously.

Actionable Migration Path: How Do You Get There?

Don’t try to boil the ocean. A "big bang" migration will only lead to catastrophic downtime. Break it down into phases.

  1. Audit: If you can't see it, you can't protect it. Map every single authentication point, from your dusty on-premises apps to your shiny new SaaS tools.
  2. Prioritize: Start with the "keys to the kingdom": your admins and privileged users. If you do nothing else, mandate FIDO2 hardware keys for them this year, issue two per person so a lost key doesn't force you back to SMS, and remove every phishable fallback from those accounts, because an attacker will simply pick the weakest method your IdP still offers.
  3. Plan: Initiate a PQC readiness audit. Identify which data assets have a long shelf life and need shielding from future decryption.

If your team is buried in day-to-day tickets and lacks the bandwidth for a deep audit, bringing in Security Audit Services can bridge that gap. You need to ensure no legacy backdoors are left open while you’re busy upgrading the front entrance.

Conclusion: Future-Proofing for 2027 and Beyond

The shift toward phishing-resistant identity is a cultural shift as much as a technical one. We’ve treated passwords like a necessary evil for far too long. In 2026, we have the tools to make them a relic.

The organizations that survive the next few years will be the ones that accept the "shared secret" era is dead. Start your audit today. Secure your privileged accounts. Build an architecture that is as resilient as the threats you face. The future of security is cryptographic, it’s hardware-backed, and it’s waiting for you to flip the switch.

Frequently Asked Questions

Are passwords officially obsolete in 2026?

Passwords aren't "obsolete" in the sense that they’ve vanished from the planet—they often remain as a fallback. However, they are obsolete as a primary security control. If you’re still relying on them, you’re behind the curve.

Do I need to worry about quantum computers today?

Yes, if you handle long-lived sensitive data. Adversaries are already hoarding encrypted traffic, waiting for the day they can decrypt it. PQC readiness isn't a future concern; it’s an immediate data privacy requirement.

Is a passkey the same as a password manager?

No. A password manager stores secrets (passwords) and fills them in for you; it does nothing about the fact that a password can be phished. A passkey is a credential built on the FIDO2/WebAuthn protocol that removes the secret entirely. The two overlap in practice: most password managers can now store synced passkeys, so the manager becomes the place you keep passkeys rather than an attic for old passwords.

Why is my SMS-based 2FA no longer considered safe?

Because it's phishable. Modern phishing kits proxy the real login page and relay the SMS or TOTP code the victim types to the genuine service in real time. The code carries no information about which site it was entered on, so once a user is tricked into typing it on a fake page, the second factor provides exactly zero protection. SIM swapping and SS7 interception are further reasons SMS specifically is the weakest option.

How do I begin the transition to phishing-resistant MFA?

Start with your highest-risk users: your admins. Deploy FIDO2-compliant hardware keys to them first and, once they're enrolled, turn off SMS and TOTP for those accounts so the keys are the only way in. Once that's locked down, expand to the rest of the organization in waves.

Alan V Gutnov

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
