You type a password into a box. The system decides if you’re you. That interaction — authentication — is the single most attacked surface in all of computing. Every breach that starts with “compromised credentials” is an authentication failure. Every phishing email is an attempt to steal an authentication factor. Every credential stuffing attack is someone weaponizing the fact that you used the same password on LinkedIn and your bank.

Authentication is the front door. And for decades, we’ve been building that door out of cardboard.

The TLDR

Authentication is how a system verifies you are who you claim to be. The three classic factors are something you know (passwords), something you have (tokens, phones, hardware keys), and something you are (biometrics). Passwords alone are broken — credential stuffing, phishing, and weak hashing have made single-factor password auth a liability. Multi-factor authentication (MFA) layers additional factors on top, dramatically reducing compromise risk. TOTP apps are good. Hardware security keys and FIDO2/WebAuthn are better — they’re phishing-resistant by design. Passkeys, built on FIDO2, are the industry’s attempt to finally kill the password. The transition is messy, but the direction is clear. NIST SP 800-63B is the authoritative guide on digital identity authentication, and it formally deprecated SMS-based 2FA back in 2017 for a reason.

The Reality

The average person reuses passwords across 5-7 sites. When one of those sites gets breached — and they will, because Have I Been Pwned tracks over 13 billion compromised accounts — those credentials get fed into automated tools that try them against every major service. This is credential stuffing, and it works terrifyingly well. Akamai reported billions of credential stuffing attempts per year across their network. It’s not sophisticated. It’s not clever. It’s just volume, and it works because folks keep using Fluffy2019! everywhere.

The password itself was never a great idea. Fernando Corbató, who invented the computer password in the early 1960s at MIT, later called them “a nightmare” and admitted the system was never designed to be secure. We built the entire digital identity infrastructure on a mechanism its own creator regretted. And here we are, sixty years later, still typing secrets into boxes and hoping for the best.

MFA changed the math. Even if your password is compromised, an attacker needs your second factor. Google reported that adding SMS verification blocked 100% of automated bot attacks, 96% of bulk phishing, and 76% of targeted attacks. Hardware security keys blocked 100% across all categories. The numbers are unambiguous — MFA works. The problem is getting folks to turn it on.

How It Works

Password Hashing — Storing Secrets Without Storing Secrets

When you create an account, the system shouldn’t store your password. It should store a hash of your password — a one-way mathematical transformation that produces a fixed-length output. When you log in, the system hashes what you typed and compares it to the stored hash. Match? You’re in. No match? Try again.

But not all hashing is equal. MD5 and SHA-1 are fast hashes — they were designed for checksums, not passwords. An attacker with a GPU can compute billions of MD5 hashes per second. That’s why password hashing needs to be deliberately slow.

bcrypt was the first widely-adopted password-specific hash. It includes a configurable cost factor — crank it up and each hash takes longer to compute, making brute force impractical. scrypt added memory-hardness, making GPU attacks more expensive by requiring large amounts of RAM. Argon2id is the current champion, winning the Password Hashing Competition in 2015. It’s memory-hard, time-hard, and resistant to both GPU and ASIC attacks. OWASP’s Password Storage Cheat Sheet recommends Argon2id as the first choice, with bcrypt as the fallback.

Salting is non-negotiable. A salt is a random value added to the password before hashing. Without it, two people with the same password produce the same hash, and precomputed rainbow tables can crack them instantly. Every modern hashing library handles salting automatically, but legacy systems still get this wrong.

The Three Factors

Authentication factors come in three categories, and this taxonomy hasn’t changed since the 1990s:

True multi-factor authentication combines factors from different categories. A password plus a security question is NOT MFA — both are “something you know.” A password plus a TOTP code from your phone is MFA — knowledge plus possession.

TOTP and HOTP — The Codes on Your Phone

TOTP (Time-based One-Time Password) is the six-digit code your authenticator app generates. It’s defined in RFC 6238. The server and your app share a secret key during setup (that QR code you scan). Every 30 seconds, both sides feed the current time and the shared secret into HMAC-SHA1 and produce the same code. The code is valid for one time step (usually 30 seconds, with a small window for clock drift).

HOTP (HMAC-based One-Time Password), defined in RFC 4226, uses a counter instead of time. Each time you authenticate, the counter increments. HOTP is simpler but has resynchronization issues if the counter gets out of step.

TOTP apps (Google Authenticator, Authy, Microsoft Authenticator, Aegis) are a massive improvement over SMS. They work offline, they can’t be SIM-swapped, and they don’t traverse the phone network. But they’re not phishing-proof — if you type a TOTP code into a fake login page, the attacker has 30 seconds to replay it against the real site. That’s enough.

FIDO2 and WebAuthn — The Phishing-Proof Standard

FIDO2 is the protocol that might actually end passwords. It’s a joint effort between the FIDO Alliance and the W3C, and it works fundamentally differently from passwords and TOTP.

When you register a FIDO2 credential with a site, your authenticator (hardware key or platform authenticator) generates a unique public/private key pair for that site. The private key never leaves the authenticator. During login, the site sends a challenge, the authenticator signs it with the private key, and the site verifies the signature with the public key.

Here’s why it’s phishing-proof: the authenticator cryptographically binds the credential to the site’s origin (domain). If you’re on evil-bank.com instead of real-bank.com, the authenticator won’t find a matching credential and won’t sign anything. The phishing site gets nothing. This isn’t a warning you can click through — it’s a cryptographic impossibility.

Hardware security keys like YubiKeys are the gold standard. They’re dedicated devices that store credentials in tamper-resistant hardware. They can’t be malware-infected because they have no general-purpose operating system. Google deployed YubiKeys to all 85,000+ employees in 2017 and reported zero successful phishing attacks afterward. Zero.

Passkeys — FIDO2 for Everyone

Passkeys are the consumer-facing implementation of FIDO2. Apple, Google, and Microsoft have all shipped passkey support across their platforms. Instead of a hardware key, the credential lives in your device’s secure enclave (TPM on Windows, Secure Enclave on Apple, Titan chip on Pixel). Passkeys can sync across devices via iCloud Keychain, Google Password Manager, or third-party managers like 1Password and Bitwarden.

The user experience: you go to a site, click “sign in with passkey,” and authenticate with your device biometric (Face ID, fingerprint, Windows Hello) or device PIN. No password to type. No code to enter. No phishing possible.

The adoption challenge is real. Not every site supports passkeys yet. Account recovery when you lose all your devices is still being worked out. And synced passkeys trade some security (the sync provider can theoretically access the credential) for usability. But the trajectory is clear — passkeys are coming for passwords, and good riddance.

Biometrics — Convenient but Complicated

Biometrics are great as a local unlock mechanism — your fingerprint unlocks the secure enclave that holds your FIDO2 credential. That’s the right use of biometrics. But biometrics as a standalone authentication factor have serious issues.

You can’t revoke a fingerprint. If a biometric template is stolen from a database, you can’t issue a new face. The OPM breach in 2015 exposed 5.6 million fingerprint records of federal employees. Those fingerprints are compromised forever.

Biometric systems also have measurable error rates: False Acceptance Rate (FAR) — letting the wrong person in — and False Rejection Rate (FRR) — locking the right person out. These are configurable tradeoffs, but they mean biometrics are probabilistic, not deterministic. NIST SP 800-76-2 covers biometric specifications for identity verification.

How It Gets Exploited

Credential Stuffing at Scale

Breach databases are commodity products on the dark web. Tools like OpenBullet automate credential testing across thousands of sites simultaneously. The attack volume is staggering — MITRE ATT&CK T1110.004 (Credential Stuffing) documents it as one of the most common initial access techniques. The defense is simple: don’t reuse passwords. The reality is that most folks still do.

Phishing and Real-Time Proxy Attacks

Classic phishing steals passwords. Modern phishing steals everything, including MFA codes. Tools like Evilginx act as a reverse proxy between you and the real site. You think you’re logging into Microsoft 365. You type your password. You type your TOTP code. The proxy captures both and replays them to the real site in real time, stealing your session cookie. You’re authenticated — and so is the attacker.

This is why FIDO2 matters. A reverse proxy changes the domain origin, and FIDO2 credentials won’t authenticate against the wrong origin. It’s the only widely-deployed factor that defeats real-time proxy phishing. CISA has explicitly recommended phishing-resistant MFA based on FIDO2 for all high-value accounts.

SIM Swapping

SMS-based 2FA sends codes to your phone number. An attacker calls your carrier, social-engineers the support rep into transferring your number to their SIM card, and now they receive your codes. The FBI’s Internet Crime Complaint Center reported a massive increase in SIM-swapping complaints. This is why NIST deprecated SMS for out-of-band authentication in SP 800-63B. SMS is a restricted authenticator — usable in limited contexts but not recommended.

Password Spraying

Instead of trying many passwords against one account (which triggers lockouts), attackers try one common password against many accounts. Winter2026! against every email address in the company directory. MITRE ATT&CK T1110.003 (Password Spraying) is a staple of enterprise attacks. It works because password policies that require complexity and rotation produce predictable patterns — Season+Year+Symbol is the most common formula.

What You Can Do

Enable MFA everywhere. Not just your email. Not just your bank. Everywhere that offers it. Use a TOTP app at minimum. Use a hardware key or passkey wherever supported. The CISA “More Than a Password” campaign has resources for getting started.

Use a password manager. Every password should be unique, random, and at least 16 characters. You can’t remember these. You’re not supposed to. Let the password manager do it. NIST SP 800-63B explicitly endorses password managers and recommends against complexity rules and forced rotation — length and uniqueness are what matter.

Prefer phishing-resistant factors. FIDO2 hardware keys or passkeys over TOTP. TOTP over SMS. SMS over nothing — but recognize SMS is the weakest MFA option.

Audit your accounts. Check Have I Been Pwned. If your credentials appeared in a breach, change the password immediately and verify MFA is active. Check every service that matters to you.

Start adopting passkeys. Major sites — Google, Apple, Microsoft, GitHub, Amazon — already support them. Every account you move to passkey authentication is one less account vulnerable to phishing.

Related Deep Dives

Sources & Further Reading