Passwords are built for best-case scenarios, not the real world.

Passwords were never built to handle the scale, speed, and sophistication of today’s internet. They rely entirely on the user’s skill, and that’s a problem. We shouldn’t expect all employees to be cybersecurity experts.

Passwords are flawed by design

Using a password assumes:

  • You’ve created something complex and unique

  • You’ll remember it (or store it somewhere secure)

  • You’ll never use the same one on more than one service (I know, right?)

  • You’ll spot phishing attempts before it’s too late

The whole system is built on best-case scenarios.

The model hasn’t changed much since the 1960s. The threats have. Credential stuffing, phishing, brute-force attacks: most security breaches capitalize on human error, and the password is still the weakest link in cybersecurity.

Two-factor isn’t bulletproof

Adding two-factor authentication helps, but it doesn’t solve the core problem. One-time codes sent by SMS or push notifications still depend on the same weak foundation: passwords. And they’re still vulnerable to phishing, spoofing, and interception.

In short, you can strengthen the lock, but if you leave the key under the mat, it doesn’t really matter.

Passkeys don’t play along.

Here’s where hardware-based authentication, and specifically FIDO2, changes things.

FIDO2 keys don’t rely on shared secrets. Instead, they use public-key cryptography, which means:

  • The private key stays on your device

  • There’s no password to steal, leak, or guess

  • The key won’t authenticate a fake page, because its credential is bound to the real site’s address and it won’t respond to a different one.

This example on our Instagram account should explain the situation better: https://www.instagram.com/p/C1HFBh0tdWz/?img_index=1

It doesn’t matter how convincing the phishing site looks. If it’s not the real thing, the key won’t work.

It’s not just another layer; it’s a different architecture.

Instead of trusting users to spot threats, FIDO2 is responsible for detecting whether or not the service is legitimate, so that you never type your credentials into the fake service.

How it works:

When you register your FIDO2 key with a service, say, your online banking site, the key and the site exchange cryptographic credentials in a process often referred to as a handshake. The key stores a unique credential tied to the domain it was registered on. Later, if you attempt to log in to a site that merely looks like your bank but isn’t hosted on that domain, the key won’t respond.

You use your key, and the website has to prove it’s legitimate. Only then is authentication allowed.

A better standard

There’s a better model on the table, and it's already supported by major platforms and browsers. It’s secure by default, and designed for the real world: where phishing exists, people reuse passwords, and mistakes happen.

Hardware-based authentication isn’t a niche solution. It’s going to be the default.
