Passwords are the Weakest Link in a Phishing-First World

Most modern breaches begin with stolen credentials. In many cases, the route in is surprisingly simple.

An employee receives a convincing message linking to what appears to be a legitimate login page. The branding looks right and the process feels familiar. The employee enters their username and password. A Multi-Factor Authentication (MFA) push notification appears and is approved, often in a moment of distraction. Behind the scenes, a session token is captured and reused, allowing the attacker to gain access without exploiting a single software vulnerability.

Ready-made phishing toolkits allow attackers to launch convincing campaigns quickly and repeatedly, while AI helps them refine language and mimic tone with minimal effort. Techniques for bypassing MFA are openly shared and repackaged. Yet passwords remain the primary line of defence for access to critical systems in many organisations.

The gap between modern attack methods and legacy authentication controls continues to widen.

Built for a Different Era

Passwords were created for a very different environment – one where users worked within defined networks on managed devices, typically within office walls.

Today, work happens everywhere. Employees connect from home networks and personal devices, often working across locations and borders. Cloud applications have replaced many internal systems, and remote access has expanded the number of potential entry points.

Organisations have responded by tightening password rules, shortening reset cycles and layering on MFA and conditional access policies. These measures generate useful signals and introduce friction, but the underlying weakness remains: if a password is captured, it still has value.

And in practice, capturing it is rarely difficult.

This is not an abstract problem. In TeamViewer’s 2025 Digital Friction research, 80% of employees reported authentication problems in the past year, including password issues and lockouts. This is exactly the kind of friction that drives risky workarounds and weakens control.

The Illusion of Control

Password policy has long been seen as a basic safeguard. In reality, it often creates extra work without meaningfully reducing risk.

Frequent resets and complex composition rules shape user behaviour in predictable ways. People write passwords down, reuse slight variations across different systems or store them in unsecured files. Phishing pages continue to capture them at scale, while service desks deal with a steady stream of lockouts and reset requests.

Additionally, entering the correct password only proves that the right string of characters was typed; it does not confirm whether the device is trusted or whether the session is being routed through malicious infrastructure.

In a software-as-a-service environment with distributed teams and extensive third-party access, this model becomes increasingly fragile. Logins happen constantly, each carrying context that must be assessed in real time. Yet passwords provide little insight into that wider risk picture.

Identity as the Control Plane

Network boundaries no longer define enterprise security. Identity now carries that weight.

Every user account is a potential doorway into the organisation, and every device used to log in introduces a degree of uncertainty. When access is shared across partners or external platforms, that circle of trust widens further. It is therefore unsurprising that attackers concentrate on identity. Rather than attempting to break through hardened infrastructure, they look for ways to take control of legitimate sessions or manipulate authentication flows to gain access.

Centralised identity platforms help rationalise access, but they often inherit legacy authentication factors. A single vulnerable pathway can undermine an otherwise mature environment, particularly where service accounts, unmanaged devices or application exceptions are involved.

For security leaders, this shift reframes the conversation. Identity strategy now underpins detection, response and governance. If authentication can be replayed or proxied, visibility into risk will always be incomplete.

The issue is no longer whether passwords are flawed, but whether they are fit for today’s threat environment.

Removing the Shared Secret

Phishing-resistant authentication tackles the problem by removing the reusable secret altogether.

Passkeys and device-bound credentials do not transmit passwords across the network. Instead, they rely on cryptographic keys stored securely on a user’s device. When logging in, the device proves its identity without sending anything that can be copied or reused, while biometrics such as fingerprint or facial recognition confirm the authorised user is present.

With no shared secret to intercept, adversary-in-the-middle attacks lose much of their effectiveness. Credential stuffing and password spraying become irrelevant where passwords no longer exist.

Adoption does require thoughtful planning, particularly in environments where legacy systems still depend on traditional credentials. Moving beyond passwords is not only a technical change, but a behavioural one. Employees need clarity about why authentication is evolving and how new methods will affect their daily routines. With clear communication and practical support, resistance tends to give way to familiarity.

Over time, phishing-resistant authentication creates a more consistent and resilient approach to access. It also strengthens everyday operations. Users no longer have to memorise complex strings or manage frequent resets, account recovery becomes more straightforward, and security teams can focus their attention on device trust and lifecycle management rather than password policy enforcement.

A Resilience Consideration

Authentication weaknesses affect more than the point of entry, as they also influence how quickly an organisation can regain control once an incident begins to unfold.

When attackers gain access through stolen credentials, it is often difficult to determine how far they have moved or which sessions can still be trusted. Confidence in identity signals erodes. Containment frequently involves widespread password resets and session revocations, creating disruption at precisely the moment clarity and stability are most needed.

Strengthening authentication before an incident occurs is therefore central to resilience. Reducing reliance on passwords and introducing phishing-resistant methods, such as passkeys or hardware-backed credentials tied to managed devices, limits the usefulness of stolen credentials and reduces uncertainty during response.

Instead of relying on something a person knows, these approaches rely on the security of the device itself, providing a stronger and more dependable foundation for trust.

Passwords remain widespread because they are familiar and easy to deploy. Yet in a threat landscape centred on identity capture, reusable secrets introduce unnecessary exposure, particularly as remote connectivity and third-party access expand the number of pathways into critical systems.

Moving beyond passwords is a redefinition of how trust is established across distributed environments. As AI accelerates the scale and precision of identity-based attacks, authentication must evolve accordingly. Organisations that eliminate the reusable secret will be better positioned to strengthen resilience and meet rising expectations from regulators, customers and stakeholders alike.
