A 5-minute reality check for executive leadership on modern authentication threats.
In support of Cybersecurity Awareness Month, we are spotlighting the critical areas where organizations must elevate their cybersecurity strategies for 2025 and beyond. The focus of this article is on combating modern authentication threats.
What you have been taught about authentication is wrong. It’s time to be clear about our limitations as humans: we are bad at making passwords and we haven’t learned our lesson after years of compromises on our most sensitive programs and infrastructure.
You have probably heard the following guidance from your IT and Cybersecurity allies working in your organization throughout the years:
- Don’t share your password with anybody
- Don’t store your password in a file on your desktop
- Don’t write down your password
- Make sure it can’t be easily guessed (avoid using team names, birthdays, derogatory words)
- Use a long password
- Use a passphrase and not a password
That guidance is now obsolete, because passwords themselves are being replaced by passwordless solutions that are more secure and save users valuable time during the authentication process.
Why Your Current MFA Method Is Fighting Yesterday’s War
To complicate the problem even further, the legacy Multi-Factor Authentication (MFA) methods that were designed to ensure you are who you say you are have fallen victim to modern attacker methods that exploit weaknesses in the process.
- SMS Codes: SMS codes can be intercepted through SIM swapping, but more commonly they’re simply captured and replayed by attacker-in-the-middle tools faster than you can blink.
- Authentication Apps: Authenticator app codes suffer the same fate. Once that six-digit number is entered on the attacker-in-the-middle fake site, it’s immediately used on the real site before it expires.
- Push Notifications: Push notifications are perhaps the most insidious because they’ve trained users to approve requests without thinking. When you get the same Microsoft Authenticator prompt you’ve seen hundreds of times before, your brain doesn’t register that you didn’t trigger the request.
The common thread isn’t just that these methods can be intercepted, it’s that they’re designed around the assumption that the user is talking directly to the legitimate service.
Simply put, when an attacker inserts themselves into that conversation, the entire security model collapses.
The Answer to Your Problems: Phishing-Resistant Passwordless Authentication
Here’s where the story gets better. The technology to solve this problem already exists, and you’re probably already paying for it without realizing its full potential. The beauty of phishing-resistant authentication solutions is that they don’t require users to make better security decisions. They make man-in-the-middle attacks technically impossible with current technology, regardless of how convincing the phishing attempt might be.
- Windows Hello for Business: This uses your employees’ faces, fingerprints, or PINs to unlock device-bound cryptographic keys, so the authentication response cannot practically be intercepted or replayed. When an attacker tries their man-in-the-middle attack against someone using Windows Hello, the authentication simply fails because the cryptographic response is tied to the legitimate domain and can’t be redirected.
- Microsoft Authenticator Passwordless: This works similarly. Instead of generating a code that can be captured, it creates a unique cryptographic signature for each login attempt that only works for the specific service being accessed. An attacker can create the most convincing fake Microsoft login page in the world, but the passwordless authentication will recognize it as fake and refuse to work.
- Hardware Security Keys: Hardware keys, like YubiKeys, provide the same improved protection mechanisms, though they require additional hardware investment and can be more complex to manage at scale.
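To make the “tied to the legitimate domain” point concrete, here is an added example (not code from this article or from any of the products named) that models the relying-party checks in a FIDO2/WebAuthn login: the browser records the real page origin in clientDataJSON, the authenticator’s response covers SHA-256 of the RP ID, and the server rejects anything not produced on its own origin, which is why a relayed challenge gets the attacker nothing. Assumed: the RP ID `login.example.com` and its origin are constructed, and an HMAC with a per-credential secret stands in for the authenticator’s private-key signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"            # assumed relying party (constructed for this example)
RP_ORIGIN = "https://login.example.com"

def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Browser rule: the RP ID must be the origin's host or a parent domain of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

def browser_get_assertion(cred_secret: bytes, rp_id: str, challenge: str, origin: str):
    """What browser and authenticator produce for a login on `origin`; None if the browser refuses."""
    if not rp_id_matches_origin(rp_id, origin):
        return None
    # clientDataJSON always records the origin the page is really served from.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    # authenticatorData starts with SHA-256(rpId); flags and counter are fixed here.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    # Stand-in for the private-key signature: HMAC over authData || SHA-256(clientDataJSON).
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(cred_secret: bytes, expected_challenge: str, assertion) -> tuple:
    """Relying-party checks; the origin and rpIdHash checks are what defeat a relay."""
    if assertion is None:
        return False, "browser refused"
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"       # response was produced on another site
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"     # signed for a different RP ID
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"

def login_outcome(origin: str, rp_id: str = RP_ID) -> str:
    """One login: the RP issues a challenge, the browser on `origin` answers, the RP verifies."""
    cred_secret = secrets.token_bytes(32)   # registered at enrollment; never leaves the device
    challenge = secrets.token_urlsafe(32)   # fresh per login; a relaying proxy forwards it verbatim
    return rp_verify(cred_secret, challenge, browser_get_assertion(cred_secret, rp_id, challenge, origin))[1]
```

Contrast this with a six-digit code, which carries no origin at all: the server cannot tell whether it was typed on the real site or relayed from a look-alike.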
The Authorities Are No Longer Subtle About This
This isn’t just vendor marketing talk. Microsoft, Google, and CISA have all moved beyond recommending phishing-resistant authentication. They’re now explicitly stating that traditional MFA is insufficient for modern threats.
Microsoft’s own security team published data showing that their employees using security keys had zero successful phishing attacks over an 18-month period. Zero. Not “fewer attacks” or “reduced impact,” but complete elimination of successful credential-based attacks.
Google reported similar results across their workforce, noting that phishing-resistant authentication didn’t just reduce attacks, it made entire categories of attacks impossible.
CISA has been the most direct. Their recent memoranda don’t dance around the issue: they explicitly state that SMS, voice calls, and push notifications “do not provide adequate security against sophisticated attacks” and mandate phishing-resistant methods for federal agencies. When the agency responsible for protecting critical infrastructure says your security method isn’t good enough, it’s time to listen.
Getting Started Without Disrupting Operations
The path forward doesn’t require ripping out your existing infrastructure. Modern identity platforms support multiple authentication methods simultaneously, allowing you to migrate gradually while maintaining business continuity.
So where can you start? Start with your highest-risk users, including executives, IT administrators, and any users with access to financial systems or sensitive data. These users are most likely to be targeted by threat actors and can often cause the most damage if compromised.
- Leverage What You Already Own: If you’re using Microsoft 365 and Windows devices, Windows Hello for Business can be deployed without additional licensing costs. For organizations with mixed environments, Microsoft Authenticator Passwordless provides similar protection across platforms.
- Plan for User Adoption: While these methods are often easier to use than traditional MFA, change management remains crucial. Users need to understand not just how to use the new system, but why it matters.
Three Questions Your Technology Leaders Should Be Able to Answer
The next time you meet with IT leadership, ask them:
- What percentage of our security incidents started with compromised credentials?
- Are we using the most secure form of authentication for the applications we use every day?
- Which users in our organization are most likely to be targeted by sophisticated phishing campaigns?
These questions will lead your IT leadership to the most secure path: a path without passwords.
The Window Is Closing
Here’s the reality that keeps cybersecurity professionals awake at night: attacker-in-the-middle toolkits are becoming more sophisticated and more accessible every month. What required advanced technical skills two years ago can now be purchased as a service for a few hundred dollars.
The organizations that recognize this shift and act proactively will maintain their competitive advantage and avoid becoming cautionary tales. Those that wait for a successful attack to drive change will find themselves implementing these solutions under pressure, often while simultaneously dealing with breach response, regulatory scrutiny, and customer trust issues.
Your current MFA was a significant step forward when you implemented it. Phishing-resistant authentication represents the same magnitude of improvement over traditional MFA that MFA represented over passwords alone. The difference is that this time, we know what we’re defending against, and we have solutions that work.
Technology exists today in products you likely already own. The business case is clear. The regulatory pressure is building. The only question left is whether you’ll make this transition on your timeline or someone else’s.
This article is part of a series highlighting the critical areas where organizations must elevate their cybersecurity strategies for 2025 and beyond. Additional articles include:
- AI Governance in 2025: 3 Key Strategies to Protect Your Business and Stay Compliant
- 5 Things Companies Wish They Did Before a Breach
How Can Schneider Downs Help?
If you have any questions about assessing and strengthening your organization’s cybersecurity program, contact our team at [email protected].
About Cybersecurity Awareness Month
Since 2004, the United States and Congress have recognized October as Cybersecurity Awareness Month to raise awareness about the importance of cybersecurity in the public and private sectors and tribal communities. With a focus on securing our world, Cybersecurity Awareness Month recognizes the importance of taking daily action to reduce risks when online and connected to devices.
Related Resources
- CISA Cybersecurity Awareness Month Resource Center
- CISA Cybersecurity Awareness Month 2025 Toolkit
- Schneider Downs Cybersecurity Resource Library
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
To learn more, visit our dedicated Cybersecurity page.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.