Sophos research: passwords remain weak link in cybersecurity


Sophos research demonstrates the vulnerability of passwords and knowledge-based authentication methods.

Incident Response (IR) and Managed Detection and Response (MDR) cases show that cybercriminals exfiltrate data within just three days. Sophos urges organizations to move away from traditional password protection in favor of stronger authentication methods.

According to the 2025 Active Adversary Report by Sophos, compromised credentials remain the primary initial access method for the second consecutive year: in 41 percent of the cases studied, attackers gained access to systems this way. May 1st is World Password Day, and Sophos is using the occasion to raise awareness of the vulnerability of knowledge-based authentication, such as passwords, SMS codes, and app-based codes.

Although two-factor and multi-factor authentication are widely used, these methods remain susceptible to attack. Attackers use tools such as evilginx2 to automate phishing and steal session cookies, so the second factor no longer protects the account once the session is hijacked. As a result, the real replacement of passwords keeps being pushed further into the future.

WebAuthn

Sophos stresses the importance of moving to technologies such as WebAuthn, which rely on cryptographic keys rather than shared secrets. With this method the private key is stored locally on the user's device, and authentication proves physical possession of that device combined with, for example, biometric verification.

With WebAuthn, users are no longer solely responsible for the security of their authentication, and the protocol provides protection against phishing. Vigilance remains necessary, however: session cookies can still be stolen, and organizations must invest sufficiently in adoption and in the secure storage of keys.

Sophos concludes that deploying robust authentication technologies must be a strategic priority for organizations if they are to counter the increasingly sophisticated attack techniques of cybercriminals.