Passwords, Passkeys, and Pitfalls

A weak password can be all it takes to bring down a business. After more than two decades in cybersecurity, I’ve seen how a single stolen login can lead to reputational damage, financial loss, and compliance nightmares.

Over the years, we’ve tried to make passwords more secure by making them longer, more complex, and harder to guess. But in my opinion, we were just delaying the inevitable. Passwords alone cannot be the long-term solution to secure authentication. One of the biggest challenges is that we leave password management up to people.

Just recently, security researchers found that a job screening application used by McDonald’s had a test account protected by the default credentials “123456”. That tiny flaw opened the door to deeper vulnerabilities and potentially exposed millions of job applicants’ personal information. It’s a perfect example of how one small oversight in authentication can have massive consequences.

A Brief History

From the late 1980s on, and especially through the 1990s and 2000s, RSA’s SecurID tokens popularized hardware-based two-factor authentication. These small key fobs displayed a six- or eight-digit code that changed every 60 seconds. The code wasn’t random: it was computed from a secret seed stored in the token and the current time, and the authentication server, holding a copy of the same seed, computed the same code. To log in, users had to enter both a password (or PIN) and the current token code.

Unfortunately, in 2011, RSA itself was compromised. The intrusion started with a phishing email carrying a malicious attachment, and the attackers made off with data related to SecurID, widely understood to include the seed records from which token codes are generated. Whoever holds a seed can compute every code that token will ever display, and the stolen material was later tied to an attempted intrusion at the defense contractor Lockheed Martin. Even a strong second factor fails if the secrets behind it can be stolen.

Around the same time, multi-factor authentication (MFA) and biometrics began gaining traction for consumers. Google rolled out 2-Step Verification in 2011 and Facebook added Login Approvals the same year; Apple introduced Touch ID in 2013. But passwords were still the default method, and high-profile breaches continued to highlight the need for something better.

By 2016, SMS-based two-factor authentication had become popular. It was familiar and easy to deploy, and mobile devices were already in everyone’s pockets. Unfortunately, attackers soon found ways around it: SIM swapping to take over the victim’s number, interception through weaknesses in the SS7 telephone signaling network, and real-time phishing pages that simply ask the victim for the code and relay it. That same year NIST’s draft of SP 800-63B flagged SMS as a deprecated authenticator, and it is now considered one of the least secure MFA options available. Still better than passwords alone, but not good enough.

Biometrics offered the next big leap. In 2017, Apple followed Touch ID with Face ID, which made facial recognition mainstream. But biometrics alone didn’t solve the larger problem, which is the fragmented, inconsistent way we authenticate across apps and devices. Users still had to juggle multiple logins, remember passwords, and deal with apps that didn’t support biometrics at all. Worse, on most systems a biometric doesn’t replace the password: it unlocks a credential stored on the device, and the password still exists behind it as a fallback an attacker can target.

Before biometrics, PINs (Personal Identification Numbers) had already become a standard way to verify identity, starting with ATMs in the 1960s and later expanding to mobile phones and smart devices. They aren’t flashy, but PINs remain an essential part of modern authentication, and most biometric systems fall back to one when the sensor fails or the device restarts. A short PIN is acceptable where a short password is not because the PIN is checked locally by the device, which limits guessing attempts, rather than against a server an attacker can hammer or a database that can leak.

Confusion and Progress

As the number of apps and online services exploded, so did the complexity of managing login credentials. People now juggle dozens, sometimes hundreds, of logins, each with different rules, MFA methods, and password requirements. One site might use Face ID, another might text you a code, and another still might require an authenticator app. Almost all of them still require a password as well. Password manager apps have become a popular way to help people keep track of everything.

Authentication has become a confusing maze. With so many login methods and inconsistent support across platforms, it’s no wonder people are overwhelmed. And when people get overwhelmed, they take shortcuts such as reusing passwords, skipping MFA, or ignoring security altogether.

Now we’re seeing the rise of passkeys, a way to log into apps and websites without a password. A passkey is a public/private key pair created for one specific site, following the FIDO2/WebAuthn standard. The private key stays on a device you own and is unlocked by your fingerprint, face, or device PIN; the site stores only the public key and, at login, checks a signature over a fresh random challenge. Because the key is bound to the site’s domain, a look-alike phishing page can’t use it, and because the server holds nothing secret, a breached database yields nothing to crack. Passkeys are another attempt to reduce complexity and improve security, but they aren’t a final answer. Lose the device without a synced or backed-up passkey and you lose access, and account recovery flows often fall back to, yes, a password.

What’s Next?

We haven’t solved the authentication problem yet. The lack of a single, consistent standard has led to fragmentation and growing user fatigue. Still, we can make progress by focusing on solutions that are simple, secure, and human-friendly. Passkeys may be a step in that journey. And although it’s not a destination, it is a sign we’re heading in the right direction.

So, what can you do right now while we wait for the next breakthrough in authentication?

· Avoid SMS-based MFA unless it is your only option. Use an authenticator app instead.

· Use a password manager to store strong, unique passwords.

· Start exploring passkeys on accounts that support them (like Google or Apple ID).
