
World Password Day lands on 7th May this year. It’s a useful reminder to review how we protect our online accounts, but the key point is that modern account security is no longer just about choosing a strong password. 

These days attackers don’t only guess passwords: they steal them through phishing, reuse them from breaches, or trick people into approving sign-in prompts. That’s why the best advice is to layer your defences by using multi-factor authentication (MFA) and, where possible, switching to phishing-resistant sign-in methods such as passkeys. 

 

The Baseline: Multi-factor authentication 

Multi-factor authentication (MFA) means you need more than one form of proof to sign in, typically a password plus something else (e.g. a code or device-based approval). This matters because even a strong password can be stolen, reused, or guessed, and MFA makes it harder for criminals to log in using a password alone. 

Organisations have consistently been urged to implement MFA broadly because it reduces the chances of account takeover when passwords or PINs are compromised. However, it’s important to remember that MFA isn’t one single thing, and some types are significantly stronger than others. 

Where to start:

Whether you’re an organisation or an individual, start by protecting the accounts that can unlock everything else: 

  • Email accounts first: password resets often flow through email 
  • Admin/high privilege accounts: they can change settings and access many systems 
  • Financial accounts and cloud services: the impact of compromise is immediate and widespread 

A practical way to choose between MFA methods:  

To keep things accessible, you can frame MFA choices like this: 

  • Best: phishing resistant sign-in methods (e.g. passkeys/security keys) 
  • Good: app-based authenticator with strong anti-phishing features 
  • Last resort: SMS codes (they can be intercepted and SIM-swapped) 

 

Phishing-Resistant MFA: Why some MFA is still vulnerable 

Why not all MFA is equal:  

A common misunderstanding is that if you have MFA then you’re safe. Attackers actively target the sign-in process, and some MFA methods can be phished, relayed, or pressured out of users. 

Common techniques that can defeat weaker MFA: 

  • Phishing: tricking someone into entering their password and their one-time code into a fake login page 
  • Push bombing/fatigue: repeatedly sending approval prompts until someone taps “approve” to make them stop 
  • SIM swap/phone takeover: intercepting SMS codes by hijacking a phone number 
  • Man-in-the-Middle (MiTM): criminals relay logins in real time to capture session tokens/codes 

What is phishing-resistant MFA? 

Phishing-resistant authentication is designed so that even if you’re tricked into trying to log in on a fake site, the authentication won’t work for the attacker. 

In practice, the most common options are: 

  • Passkeys: a modern, device-based sign-in method 
  • Security keys: hardware or device-based cryptographic sign-in 

 

Passkeys: What are they, why they help, how to adopt safely 

What is a passkey? 

A passkey is a modern sign-in credential based on FIDO standards that lets you log in using the same method you use to unlock your device, for example, a fingerprint, facial recognition, or a PIN. You don’t type a password, and there’s no one-time code to copy over.  

Why passkeys are considered phishing-resistant:

Passkeys significantly reduce the risk of classic phishing attempts because there’s no password to type into a fake page and no reusable secret for a criminal to steal and replay. Organisations state that passkeys are phishing-resistant and secure by design, providing protection against risks like phishing and credential stuffing and removing the burden of remembering/typing secrets.  
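The difference between a relayed one-time code and a passkey comes down to what the server can check. The following is an added example, not code from the original post: a small simulation of the relying-party checks a WebAuthn/FIDO2 server performs (origin, rpId hash, single-use challenge, signature over the authenticator data and client data) beside an RFC 6238 TOTP check, run through the phishing, relay and replay scenarios listed above. The hostnames, keys and challenge values are constructed for the demo, and the authenticator’s signature is modelled with an HMAC over a per-site key as a stand-in for the real public/private key pair; the origin and challenge checks are the part that matters here and are the same either way.

```python
"""Added example (not from the original post): why an origin-bound passkey
assertion survives the phishing relay that defeats a relayed one-time code.

Simplification, stated up front: the authenticator's signature is modelled
with an HMAC over a per-site key. Real passkeys use a public/private key pair
so the server stores only the public key. All hostnames, secrets and
challenges below are constructed for this demo."""
import hashlib
import hmac
import json
import os
import struct
import time

REAL_RP_ID = "bank.example"                        # hypothetical relying party
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.login.test"   # hypothetical look-alike site


def totp(secret, t=None, step=30):
    """RFC 6238 TOTP (6 digits, SHA-1): a code that is valid wherever it is typed."""
    counter = int((t if t is not None else time.time()) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (code % 1_000_000)


def relayed_otp_accepted(secret, t):
    """The fake page collects the code and forwards it; the real site cannot
    tell where the code was typed, so the relayed code verifies."""
    code_typed_on_fake_page = totp(secret, t)
    return hmac.compare_digest(code_typed_on_fake_page, totp(secret, t))


class Authenticator:
    """Stand-in for the user's device, holding one credential per rpId."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]   # real WebAuthn hands the RP a *public* key

    def get_assertion(self, origin, challenge, rp_id=None):
        host = origin.split("://", 1)[1].split("/")[0]
        rp_id = rp_id or host
        # Browser rule: the requested rpId must be the page's host or a parent
        # domain of it, so a fake site cannot ask for the real site's passkey.
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("rpId not valid for origin")
        key = self._keys.get(rp_id)
        if key is None:
            return None              # no passkey scoped to this site
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, separators=(",", ":")).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(key, signed, hashlib.sha256).digest()   # stand-in signature
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    """The real site's verification logic, in the order a server would run it."""
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.keys, self.pending = rp_id, origin, {}, set()

    def new_challenge(self):
        c = os.urandom(16).hex()
        self.pending.add(c)
        return c

    def verify(self, user, assertion):
        if assertion is None:
            return False, "no credential"
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or reused challenge"
        self.pending.discard(cd["challenge"])           # single use
        if assertion["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        return True, "ok"


def demo(now=1_700_000_000):
    """Run the four scenarios and return their outcomes."""
    results = {"totp_relay_accepted": relayed_otp_accepted(b"constructed-shared-secret", now)}
    auth, rp = Authenticator(), RelyingParty(REAL_RP_ID, REAL_ORIGIN)
    rp.keys["alice"] = auth.register(REAL_RP_ID)
    results["genuine_login"] = rp.verify("alice", auth.get_assertion(REAL_ORIGIN, rp.new_challenge()))
    relayed = rp.new_challenge()   # attacker fetched a real challenge to show on the fake page
    results["phishing_relay"] = rp.verify("alice", auth.get_assertion(PHISH_ORIGIN, relayed))
    try:
        auth.get_assertion(PHISH_ORIGIN, relayed, rp_id=REAL_RP_ID)
        results["forced_rpid"] = "browser allowed it"
    except ValueError as e:
        results["forced_rpid"] = "browser refused: %s" % e
    captured = auth.get_assertion(REAL_ORIGIN, rp.new_challenge())
    rp.verify("alice", captured)                      # genuine use consumes the challenge
    results["replay"] = rp.verify("alice", captured)  # a captured copy is useless afterwards
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The TOTP check succeeds for the relayed code because a one-time code carries no information about where it was entered. The passkey never reaches the real site from the fake page: the device has no credential scoped to the look-alike host, the browser refuses a request that names the real rpId from another origin, and a captured assertion fails on the consumed challenge. Those server-side checks are what the phrase “phishing-resistant by design” refers to.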

Passkeys + MFA:

  • MFA: adds a second step 
  • Passkeys: a better sign-in method that can replace passwords on supported services 

Passkeys can allow sign-in without typing a username, a password or an additional code, because the authentication is handled securely by the device itself. That is why many organisations treat passkeys as the next step beyond traditional MFA. 

 

Practical Guidance 

If you only do three things this World Password Day:

  1. Turn on MFA for your most important accounts. 
  2. Use passkeys where available. Look for prompts like “use a passkey” or “sign in with your device”. 
  3. Use a password manager to create unique passwords where passkeys aren’t yet available. 

For organisations:

  1. Prioritise stronger sign-in for admin accounts, remote access, and email, then expand. 
  2. Move toward phishing-resistant MFA. 
  3. Plan for account recovery. Strong sign-in is only useful if recovery processes aren’t the weak link. 

 

Downloadable documents

World Password Day Infographic (PDF)

 

Read our guidance for more information about MFA and Passkeys

Topics

  • Security
  • World Password Day
  • Passwords
  • Passkeys