Passwords are fundamentally broken. We have known this for years, but the industry has been slow to move beyond them. Two-factor authentication (2FA) was supposed to fix the problem. Passkeys might actually do it. But even the best authentication can be undermined by session hijacking.
Understanding these concepts helps you make informed decisions about protecting your business accounts and data.
The Password Problem
Passwords fail in multiple ways:
People choose weak passwords. Despite decades of advice, "123456" and "password" remain among the most common choices. Even "complex" passwords often follow predictable patterns.
People reuse passwords. When one service is breached, every other account with the same password becomes vulnerable. Password reuse turns a single breach into a cascade of compromises.
Passwords can be phished. A convincing fake login page captures credentials instantly. No amount of password complexity helps when users enter credentials into attacker-controlled sites.
Passwords can be stolen before or while they are sent. Over an unencrypted connection they can be intercepted on the wire; even over TLS, a keylogger or infostealer on the user's device reads them before they are ever encrypted.
The core problem: passwords are "something you know," and knowledge can be stolen or tricked out of people.
Two-Factor Authentication (2FA)
2FA adds a second requirement beyond the password: "something you have" (a phone, a hardware token) or "something you are" (biometrics).
Common 2FA methods, from weakest to strongest:
SMS codes send a text message with a one-time code. Better than a password alone, but vulnerable to SIM swapping, where attackers convince the carrier to move your phone number to a device they control. Also phishable: a fake login page asks for the code, and the attacker submits it to the real service before it expires.
Authenticator apps (Google Authenticator, Authy, etc.) generate time-based one-time codes that change every 30 seconds. Better than SMS, since there is no SIM swap exposure, but just as phishable: the code is a six-digit number that says nothing about where it was typed, so a relay that submits it within its window is indistinguishable from the user.
Push notifications (Duo, Microsoft Authenticator push) send an approval request to your device. Harder to relay through a fake page, but open to "MFA fatigue" attacks, where the attacker bombards the user with prompts until one is approved just to make them stop. Number matching, where the user must type a number displayed on the login screen into the app, removes the blind tap-to-approve that fatigue attacks rely on.
Hardware security keys (YubiKey, etc.) use the FIDO2/WebAuthn protocol: the browser writes the site's origin into the data the key signs, and the key only signs for the site the credential was registered to. A lookalike domain therefore cannot obtain a signature the real service will accept, which is what "phishing-resistant" means in practice. The current gold standard for high-security accounts.
Enter Passkeys
Passkeys represent a fundamental shift in authentication. Instead of a password you know, a passkey is a cryptographic key pair stored on your device (phone, computer, hardware key).
When you authenticate, your device signs a one-time challenge from the service with the private key, proving it holds the key without ever transmitting it. The service stores only your public key, which is useless without the private key: a breach of the service's database yields nothing an attacker can log in with.
Advantages of passkeys:
- Nothing to remember or type
- Nothing to phish: the signature is bound to the site's origin, so it only works with the legitimate service
- Unique per service, so a breach of one service does not affect others
- Cannot be weak or reused: the key pair is generated by the device, not chosen by the user
- Resistant to most remote attacks
Current limitations:
- Not universally supported yet—adoption is growing but incomplete
- Recovery can be complex if you lose all your devices
- Enterprise deployment requires planning
- Cross-device use requires either a sync mechanism (synced passkeys are only as safe as the cloud account that syncs them) or a device-bound credential enrolled separately on each device
For high-value accounts at services that support them, passkeys are currently the best authentication option available to most users.
Session Hijacking: The Overlooked Threat
Here is where many security discussions fall short: even perfect authentication can be undermined after the fact.
When you successfully log in to a website, the service creates a session—typically stored as a cookie in your browser. Subsequent requests include this cookie to prove you are still authenticated. You do not re-enter your password for every click.
If an attacker can steal this session cookie, they can impersonate your authenticated session without ever knowing your password or defeating your 2FA. This is session hijacking.
How session cookies get stolen:
Malware running on your device can read the browser's cookie store and send it to attackers. Malware built for exactly this, known as an infostealer, has become increasingly common, and it typically takes session cookies alongside any saved passwords.
Cross-site scripting (XSS) vulnerabilities in websites let attacker-supplied script run in your browser on the site's own origin. If the session cookie lacks the HttpOnly flag, that script can read it through document.cookie and exfiltrate it; even with HttpOnly set, the script can still issue requests that the browser attaches the cookie to, so the flag limits theft of the cookie rather than abuse of the session.
Man-in-the-middle attacks can intercept cookies if connections are not properly encrypted or if users ignore certificate warnings.
Physical access to an unlocked device gives access to everything the browser can access.
Defending Against Session Hijacking
Keep devices clean. Malware is the primary vector for session theft. Maintain endpoint protection, keep software updated, and be cautious about what you install and click.
Keep the browser current. Site isolation in modern browsers keeps sites in separate processes, which contains a compromised page, but it does nothing against XSS, because injected script runs on the vulnerable site's own origin. The defenses against XSS belong to the site operator: output encoding, a Content Security Policy, and the HttpOnly, Secure and SameSite flags on the session cookie. What you control as a user is running an up-to-date browser and being selective about extensions, which can read cookies too.
Pay attention to certificate warnings. Never proceed past a warning that a site's certificate is invalid. This is exactly what a man-in-the-middle attack looks like.
Log out of sensitive accounts. A proper logout invalidates the session server-side, so a stolen copy of the cookie stops working. The caveat: this only holds when the service keeps session state it can revoke. A service that issues stateless tokens (JWTs, for example) without a revocation list keeps honoring a stolen token until it expires, whatever the user does.
Enable session notifications. Some services notify you of new sessions or allow you to review active sessions. Check these periodically and revoke anything unexpected.
Consider shorter session durations. For the most sensitive accounts, shorter sessions mean shorter windows of vulnerability.
Practical Recommendations
For most small businesses, here is a sensible authentication hierarchy:
Critical accounts (email, banking, domain registrar, cloud infrastructure):
- Use passkeys where available
- Otherwise, hardware security keys
- As fallback, authenticator apps (not SMS)
- Regular session review and logout
Important business accounts (CRM, project management, code repositories):
- Passkeys or authenticator apps
- Avoid password-only authentication
General accounts:
- Unique passwords via password manager
- 2FA where available
- Accept that these carry lower assurance, and make sure a compromise there cannot cascade into the critical tier (no shared passwords, no password resets routed through them)
All accounts:
- Never reuse passwords
- Use a password manager
- Keep devices updated and protected
- Be skeptical of login prompts, especially unexpected ones
The Authentication Future
The industry is clearly moving toward passwordless authentication. Passkeys are supported by Apple, Google, Microsoft, and an expanding list of services. Within a few years, password-only authentication will be seen as legacy.
For small businesses, the practical advice is:
- Adopt passkeys for critical accounts as support becomes available
- Use hardware keys for highest-value accounts
- Ensure authenticator-app-based 2FA is enabled everywhere else
- Protect devices against malware that steals sessions
- Understand that authentication is important but not sufficient—session security matters too
Perfect security is not achievable, but dramatically better-than-average security is achievable with modest effort. The tools exist. The question is whether you use them.