Microsoft is intensifying its push toward passwordless security, warning that traditional passwords and older forms of two-factor authentication are becoming increasingly ineffective against modern phishing attacks powered by artificial intelligence.
In a statement released during World Passkey Day, Microsoft said the cybersecurity industry must reduce dependence on passwords and other “phishable” login methods by accelerating the adoption of passkeys.
For years, technology companies encouraged users to strengthen account security by enabling two-factor authentication (2FA) or multi-factor authentication (MFA). Microsoft itself previously stated that MFA could block more than 99% of password-based attacks. However, cybercriminals have steadily adapted their tactics, particularly targeting SMS-based authentication systems through phishing pages, SIM-swapping schemes, session hijacking, and social engineering attacks.
The company now argues that passwords, even when paired with weak MFA methods like text-message verification codes, continue to leave accounts vulnerable. Microsoft described these older protections as “legacy” authentication methods that can still become entry points for attackers.
Instead, Microsoft is promoting passkeys, which rely on cryptographic authentication rather than memorized passwords. A passkey stores a private digital key directly on a user’s device and only works on the legitimate website or application where it was created. Access is then confirmed through biometric verification, such as fingerprints or facial recognition, or through a device PIN.
Security experts say this approach makes phishing significantly harder because passkeys cannot be reused on fake websites designed to imitate legitimate login pages. Unlike passwords or SMS codes, the authentication process is tied directly to the original domain.
Microsoft also stressed that enabling passkeys alone is not enough if passwords and fallback authentication methods remain active on accounts. According to the company, weak backup options can still be exploited even after stronger protections are introduced. Microsoft has therefore continued removing older authentication systems across its ecosystem, including plans to eliminate security questions from password reset flows beginning in 2027.
The urgency surrounding this transition has increased alongside the rapid growth of AI-generated phishing campaigns. Microsoft cited internal findings showing that AI-assisted phishing operations can achieve click-through rates as high as 54%, meaning more than half of targeted users may interact with malicious messages.
Industry-wide adoption of passkeys is also accelerating. The FIDO Alliance estimates that more than five billion passkeys are already in use globally. Microsoft said hundreds of millions of users now sign into services such as OneDrive, Xbox, and Copilot using passkeys every day.
Internally, Microsoft claims that over 99% of users within its environment now have access to phishing-resistant authentication methods. The company added that account recovery systems remain a critical security challenge because attackers increasingly target recovery processes instead of direct logins.
Researchers and government agencies are broadly supporting the move toward passwordless security. The United Kingdom’s National Cyber Security Centre recently encouraged organizations and consumers to adopt passkeys, citing growing risks from AI-driven phishing and phishing-as-a-service platforms.
Still, cybersecurity researchers caution that passkeys are not completely immune to att
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: