Why Passwords Are a Broken System
The fundamental problem with passwords is that they're a single secret shared between you and a server — and that server can be compromised. When LinkedIn, Dropbox, Adobe, or any of the dozens of major platforms that have suffered breaches leaked their user databases, every reused password across every other service became instantly vulnerable.
Credential stuffing — the automated testing of stolen username/password pairs across other sites — is now industrial scale. Attackers buy databases of billions of credentials for a few hundred euros and run them against your login page automatically. A "strong" password is completely irrelevant if it appeared in a previous breach from a different service.
Check whether your business email addresses have appeared in known breaches at haveibeenpwned.com. If they have, assume those passwords are compromised and change them immediately — across every service where they were reused.
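The same kind of breach check can be automated for passwords without sending the password anywhere. The Go program below is an added example, not code from the article or from CyberCloak: it implements the Have I Been Pwned "Pwned Passwords" k-anonymity lookup, in which only the first five hex characters of the password's SHA-1 hash are sent to api.pwnedpasswords.com and the match against the returned suffix list is made locally. The endpoint and the Add-Padding header are the documented HIBP interface; the offline response body, its counts and the padding entry are constructed for this example.

```go
package main

// Added example (not from the original article): look a password up in the
// Have I Been Pwned "Pwned Passwords" corpus via the k-anonymity range API.
// Only the first five hex characters of the SHA-1 hash leave the machine; the
// full hash is compared locally. The offline sample response is constructed.

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

const rangeURL = "https://api.pwnedpasswords.com/range/" // documented HIBP endpoint

// RangeFetcher returns the response body for a five-character hash prefix.
type RangeFetcher func(prefix string) (string, error)

// HashPrefixSuffix splits the upper-case SHA-1 hex digest of pw into the
// 5-character prefix that is sent and the 35-character suffix kept locally.
func HashPrefixSuffix(pw string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// ParseRange reads "SUFFIX:COUNT" lines into a suffix -> count map. Padding
// entries always carry count 0 and are dropped so they can never look like a hit.
func ParseRange(body string) map[string]int {
	out := make(map[string]int)
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil || n <= 0 {
			continue
		}
		out[strings.ToUpper(parts[0])] = n
	}
	return out
}

// BreachCount returns how many times pw appears in the corpus (0 = not seen).
func BreachCount(pw string, fetch RangeFetcher) (int, error) {
	prefix, suffix := HashPrefixSuffix(pw)
	body, err := fetch(prefix)
	if err != nil {
		return 0, err
	}
	return ParseRange(body)[suffix], nil
}

// HTTPFetcher queries the live service. Add-Padding asks HIBP to pad the
// response so its size does not reveal how many real hashes share the prefix.
func HTTPFetcher(prefix string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rangeURL+prefix, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Add-Padding", "true")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("range API returned %s", resp.Status)
	}
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// ConstructedRanges stands in for the API offline. 5BAA6 is the real SHA-1
// prefix of "password"; the counts and the padding entry are invented.
var ConstructedRanges = map[string]string{
	"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
		"0000000000000000000000000000000PAD1:0\r\n" +
		"1E4C9B93F3F0682250B6CF8331B7EE68FFF:12\r\n",
}

// OfflineFetcher returns the constructed body, or an empty body for any
// other prefix (the real API returns a non-empty list for every prefix).
func OfflineFetcher(prefix string) (string, error) {
	return ConstructedRanges[prefix], nil
}

func main() {
	for _, pw := range []string{"password", "Tr0ub4dor&3-not-in-corpus"} {
		n, _ := BreachCount(pw, OfflineFetcher)
		fmt.Printf("%-28q seen %d times\n", pw, n)
	}
}
```

Pass HTTPFetcher instead of OfflineFetcher to query the live service. Because only a five-character prefix is transmitted, the service cannot tell which of the roughly half a million hashes sharing that prefix was being checked, which is what makes this safe to run inside a self-service password-change page.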
The Authentication Spectrum: From Weak to Unbreakable
Not all second factors are equal. Here's a practical comparison of the most common authentication methods, from the weakest to the most phishing-resistant:
| Method | Phishing Resistant? | Ease of Use | Recommendation |
|---|---|---|---|
| Password only | No | Easy | Never use alone |
| SMS / Text code (OTP) | No — SIM-swappable | Easy | Better than nothing; avoid for high-risk accounts |
| Email OTP | No | Easy | Acceptable for low-risk accounts only |
| Authenticator app (TOTP) | Partial — can be phished in real-time | Easy | Good baseline; use for most accounts |
| Push notification (Duo, Okta) | Partial — MFA fatigue attacks exist | Very easy | Good; enable number matching to prevent fatigue attacks |
| Hardware token (YubiKey, FIDO2) | Yes — cryptographically bound | Easy once set up | Best for admin, finance, executive accounts |
| Passkeys (FIDO2/WebAuthn) | Yes — phishing-resistant by design | Very easy (biometric) | Best overall — adopt wherever supported |
What Are Passkeys and Why Do They Matter?
Passkeys are the future of authentication — and they're already here. A passkey is a cryptographic key pair stored on your device (phone, laptop, or security key). When you log in, your device signs a one-time challenge from the site with the private key, which never leaves the device; the site stores only the public key. There's nothing to phish, nothing to steal from a database, and nothing to reuse.
Major platforms now support passkeys: Google, Apple, Microsoft, GitHub, PayPal, and many more. When a site offers "Sign in with a passkey," your device authenticates you using biometrics (Face ID, fingerprint) or a PIN — with no password involved. This is the standard your high-risk accounts should be moving towards.
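To make the difference between the "Partial" and "Yes" rows of the table above concrete, here is an added example in Go, not code from the article or from any vendor named on this page. It runs the same real-time relay against a TOTP code and against a simplified WebAuthn assertion: the TOTP function follows RFC 6238; on the passkey side the authenticator signs the RP ID hash together with a hash of the client data (type, challenge, origin) using a P-256 key, and the genuine server checks challenge, origin, RP ID hash and signature. The shared secret, the challenge and the origins example.com and example-login.net are constructed, and the RP ID is taken to be the origin hostname (WebAuthn also permits a registrable parent domain, which is omitted here).

```go
package main

// Added example (not from the original article): a real-time phishing relay
// defeats a TOTP code but not a FIDO2/WebAuthn passkey. TOTP follows RFC 6238
// (HMAC-SHA1, 30 s step, 6 digits). Secret, challenge and origins are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net/url"
)

// TOTP returns the 6-digit code for unix time t.
func TOTP(secret []byte, t int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// TOTPRelaySucceeds: a live code typed into the fake site is forwarded to the
// genuine site ten seconds later, still inside the same 30 s step.
func TOTPRelaySucceeds() bool {
	secret, typedAt := []byte("constructed-shared-secret"), int64(1700000010)
	return hmac.Equal([]byte(TOTP(secret, typedAt+10)), []byte(TOTP(secret, typedAt)))
}

// Assertion: AuthData = sha256(rpID) || flags; Signature covers AuthData || sha256(ClientDataJSON).
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// userKey is the passkey registered with the genuine site; the private half never leaves the device.
var userKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// Assert models browser plus authenticator: the RP ID is derived from the origin the
// page was really loaded from (WebAuthn also allows a parent domain; omitted here).
func Assert(origin, challenge string) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(u.Hostname()))
	auth := append(rpIDHash[:], 0x05) // flags: user present + user verified
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, userKey, signedDigest(auth, cd))
	return Assertion{cd, auth, sig}, err
}

// RelyingParty is the genuine server holding the user's registered public key.
type RelyingParty struct {
	Origin, RPID string
	Pub          *ecdsa.PublicKey
}

// Verify runs the server-side checks that make passkeys phishing-resistant.
func (rp RelyingParty) Verify(as Assertion, issued string) (bool, string) {
	var cd map[string]string
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != issued {
		return false, "challenge mismatch"
	}
	if cd["origin"] != rp.Origin {
		return false, "origin mismatch: " + cd["origin"]
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 33 || !hmac.Equal(as.AuthData[:32], want[:]) {
		return false, "rpIdHash mismatch"
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return false, "bad signature"
	}
	return true, "ok"
}

// PasskeyLogin: the user authenticates on originUsed and the result is relayed to the genuine site.
func PasskeyLogin(originUsed string) (bool, string) {
	rp := RelyingParty{Origin: "https://example.com", RPID: "example.com", Pub: &userKey.PublicKey}
	const challenge = "constructed-challenge-1" // issued by the genuine site
	as, err := Assert(originUsed, challenge)
	if err != nil {
		return false, err.Error()
	}
	return rp.Verify(as, challenge)
}

func main() {
	fmt.Println("TOTP relayed via fake site accepted:", TOTPRelaySucceeds())
	fmt.Println(PasskeyLogin("https://example.com"))       // true ok
	fmt.Println(PasskeyLogin("https://example-login.net")) // false origin mismatch: ...
}
```

The relayed TOTP code is accepted because the genuine site has no way to tell where it was typed; the code is valid for anyone who submits it within the step. The relayed passkey assertion fails at the origin check: the browser, not the page, records which origin the assertion was made for and that value is covered by the signature, so a look-alike site can only obtain an assertion for itself, which the genuine site rejects.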
"Enabling MFA across all your accounts is the single highest-return security action any business can take. It blocks 99.9% of automated attacks at almost zero cost."
— James O'Brien, CTO, CyberCloak
What Your Business Should Do Right Now
Enable MFA on every account, immediately — starting with email and cloud admin. Your email account is the master key to everything else (password resets go there). Microsoft 365 and Google Workspace both let you require MFA for every user from the admin console. This is the most impactful action you can take today. Require it for every employee — don't make it optional.
Deploy a company password manager. 1Password, Bitwarden, and Dashlane for Teams all allow you to manage company credentials centrally. Every employee gets unique, complex, automatically-generated passwords for every service — and you maintain visibility and control. If someone leaves, you revoke their access without changing every shared password manually.
Upgrade your admin and finance accounts to hardware security keys. These are the accounts attackers most want — and the accounts where a breach is most catastrophic. FIDO2 hardware keys (YubiKey 5 series, roughly €50 each) provide phishing-resistant authentication: the key signs a challenge bound to the genuine site's origin, so a look-alike login page cannot capture or relay a usable response, even in a real-time attack.
Enable dark web monitoring for your company email domain. Services like HaveIBeenPwned's domain monitoring, or enterprise tools like SpyCloud and Enzoic, alert you when company credentials appear in breach databases. This gives you time to force password resets before attackers use them.
Implement Conditional Access or equivalent policies. Modern identity platforms (Microsoft Entra ID, Google Workspace, Okta) let you enforce context-aware authentication: block logins from unusual locations, require step-up authentication for sensitive actions, and automatically revoke sessions when anomalies are detected.
If you use push-notification MFA (Duo, Microsoft Authenticator), enable "number matching" or "additional context" features. Without these, attackers who have your password simply spam you with approval requests hoping you'll accidentally tap "Approve" to make them stop. This attack technique is responsible for several high-profile breaches including the Uber breach in 2022.
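A minimal version of the last two recommendations, context-aware access rules and number matching for push prompts, as an added example in Go that is not code from the article or from any of the identity platforms named above. Country codes, action names, MFA method names, user names, the sample sign-in events and the three outcome labels (allow, step-up, deny) are constructed for the example; real platforms express equivalent rules as condition/grant policies.

```go
package main

// Added example (not from the original article): a small Conditional Access-style
// evaluator for sign-in events, plus a model of push MFA with and without number
// matching. Countries, actions, method names, users and events are constructed.

import "fmt"

// SignIn is one authentication attempt as the identity platform sees it.
type SignIn struct {
	User, Country, Action string
	Method                string // MFA method already satisfied, "" if none
	ManagedDevice         bool
}

// Policy holds the tenant's rules (real platforms express these as condition/grant pairs).
type Policy struct {
	AllowedCountries  map[string]bool
	SensitiveActions  map[string]bool
	PhishingResistant map[string]bool
}

// Decision.Outcome is "allow", "step-up" or "deny".
type Decision struct{ Outcome, Reason string }

// Evaluate applies the rules in order of severity: hard blocks, then step-up, then allow.
func (p Policy) Evaluate(s SignIn) Decision {
	switch {
	case !p.AllowedCountries[s.Country]:
		return Decision{"deny", "sign-in from unexpected country " + s.Country}
	case s.Method == "":
		return Decision{"step-up", "MFA is required for every sign-in"}
	case p.SensitiveActions[s.Action] && !p.PhishingResistant[s.Method]:
		return Decision{"step-up", "sensitive action needs a phishing-resistant method, have " + s.Method}
	case !s.ManagedDevice && !p.PhishingResistant[s.Method]:
		return Decision{"step-up", "unmanaged device needs a phishing-resistant method"}
	}
	return Decision{"allow", "all conditions satisfied"}
}

// PushServer approves or rejects push prompts. With NumberMatching on, the user must
// type the number shown on the login screen into the app; after MaxDenials the account locks.
type PushServer struct {
	NumberMatching bool
	MaxDenials     int
	denials        map[string]int
}

// Prompt reports approval plus an audit note. shown is the number on the login
// screen; entered is what the user typed in the app (ignored without number matching).
func (ps *PushServer) Prompt(user, shown, entered string, tapped bool) (bool, string) {
	if ps.denials == nil {
		ps.denials = map[string]int{}
	}
	if ps.denials[user] >= ps.MaxDenials {
		return false, "locked: repeated denials, alert the security team"
	}
	ok := tapped
	if ps.NumberMatching {
		ok = tapped && entered != "" && entered == shown
	}
	if !ok {
		ps.denials[user]++
		return false, fmt.Sprintf("denied (%d/%d)", ps.denials[user], ps.MaxDenials)
	}
	return true, "approved"
}

// FatigueRun models an attacker who holds the password and keeps triggering prompts
// until the user taps Approve to make them stop (here on the third). The user never
// saw the attacker's login screen, so with number matching there is no number to type.
func FatigueRun(numberMatching bool) (compromised bool, prompts int) {
	ps := &PushServer{NumberMatching: numberMatching, MaxDenials: 3}
	for prompts = 1; prompts <= 6; prompts++ {
		shownToAttacker := fmt.Sprintf("%02d", 40+prompts) // constructed display numbers
		ok, note := ps.Prompt("alice", shownToAttacker, "", prompts >= 3)
		if ok {
			return true, prompts
		}
		if len(note) >= 6 && note[:6] == "locked" {
			return false, prompts
		}
	}
	return false, prompts
}

func main() {
	pol := Policy{
		AllowedCountries:  map[string]bool{"IE": true, "GB": true},
		SensitiveActions:  map[string]bool{"change-payout-account": true},
		PhishingResistant: map[string]bool{"fido2": true, "passkey": true},
	}
	for _, e := range []SignIn{
		{"alice", "IE", "read-mail", "totp", true},
		{"bob", "IE", "change-payout-account", "totp", true},
		{"carol", "RU", "read-mail", "fido2", true},
		{"dave", "GB", "read-mail", "", false},
	} {
		d := pol.Evaluate(e)
		fmt.Printf("%-6s %-8s %s\n", e.User, d.Outcome, d.Reason)
	}
	fmt.Println(FatigueRun(false)) // true 3: approved on the third prompt
	fmt.Println(FatigueRun(true))  // false 4: locked after three denials
}
```

FatigueRun shows the attack described above from the defender's side: without number matching, the attacker is in the moment the user gives in on the third prompt; with it, the user has nothing to type because the number only appears on the attacker's screen, and the third denial locks the account and raises an alert your team can act on.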
Building an Authentication Policy for Your Team
Technology is only half the solution. Your people need clear, simple rules to follow. An effective authentication policy doesn't need to be a lengthy document — it needs to answer a few key questions clearly for every employee:
- Which accounts require MFA? (Answer: all of them.)
- Which MFA method is approved? (Authenticator app at minimum; hardware key for admin accounts.)
- How should passwords be managed? (Company password manager, generated passwords only.)
- What to do if you receive an unexpected MFA request? (Deny it immediately, report to IT.)
- What to do if you think your account is compromised? (Report immediately — no blame, fast action.)
Is Your Team's Authentication Actually Secure?
We'll assess your current authentication setup, identify the gaps that leave you exposed, and recommend the right tools and policies for your business — all in a free 60-minute session.