
Sunday, 2 February 2025

February reminder about passwords and authentication approaches

Concept art about passwords and authentication generated by Google Gemini Imagen 3.

The first two days of February are marked by cybersecurity awareness days: Change Your Password Day, first observed in 2012, falls on February 1, and February 2 is Two-factor Authentication Day.

"Weak or stolen passwords are often the first and easiest entry point for cybercriminals. This Change Your Password Day, we want to remind organisations of the critical importance of enforcing robust credential management policies," said Darren Guccione, CEO and co-founder of Keeper Security, the cybersecurity provider of zero-trust and zero-knowledge privileged access management (PAM) software.

"Implementing tools like enterprise password management and privileged access management ensures credentials are stored and managed securely – with enforcement and visibility across the organisation – minimising the risk of unauthorised access that can lead to a damaging breach."

Keeper Security's Navigating a Hybrid Authentication Landscape report, released in January, found that:

- Most organisations are adopting passkeys, which use public key cryptography to authenticate users without the need for passwords. Eight in 10 organisations are using or planning to adopt passkeys, as they offer a significant reduction in risks like phishing and credential stuffing, compared to traditional passwords.

- Hybrid authentication is common, with four in 10 businesses relying on hybrid authentication systems that blend both passwords and passkeys. These hybrid setups are often necessary due to the prevalence of legacy systems and specialised applications that have yet to support passkeys.

- Phishing remains persistent: despite the adoption of passkeys, phishing continues to be a major threat. Over two thirds (67%) of businesses report phishing as a persistent issue in hybrid authentication environments, underscoring the need for comprehensive security measures beyond passkeys alone.

- IT leaders face challenges with dual systems: managing both passwords and passkeys is a significant challenge for 57% of IT leaders, who cite user confusion, integration difficulties and training demands in hybrid systems.

- Phased adoption of passkeys: seven in 10 organisations are implementing passkeys in phases, prioritising critical systems first and ensuring operational compatibility with existing password-based systems.

According to Keeper Security, the report highlights the need for organisations to adopt a layered approach to authentication, balancing modern solutions like passkeys with strong password practices. It also stresses the importance of employee training, infrastructure upgrades and streamlined integration to ensure the security and usability of authentication systems as organisations continue their digital transformation.

KnowBe4, the cybersecurity platform that addresses human risk management, commemorated Change Your Password Day by encouraging organisations to adopt secure, more effective password strategies. The company noted that while the original purpose of encouraging regular password updates may seem outdated to many security professionals, the day "holds value in emphasising the significance of personal and collective responsibility in cybersecurity".

"In the 13 years since the day's inception, cyberthreats have evolved significantly, as have the measures used to combat them. As a result, experts now emphasise the importance of adopting advanced practices that go beyond simply changing passwords, offering a more effective, robust, and user-friendly approach to safeguarding sensitive information," the company said.

Keeper Security and KnowBe4 shared practices that organisations should adopt:

- Implement password policies: Set and enforce a policy that requires passwords to be unique and at least 16 characters, with upper and lowercase letters, numbers and symbols.

- Reduce the importance of password complexity in favor of length: Where a password manager cannot be used, encourage employees to focus on longer passwords or pass-phrases rather than relying heavily on complex character requirements.

- Monitor new passwords automatically: use available tools to validate new passwords against known breaches and dark web datasets, and alert users to change their passwords if a match is detected.

- Encourage the use of passphrases or randomly generated passwords: Promote passphrases or randomly generated passwords for greater strength and resilience against attacks.

- Require the use of a password manager: mandate password managers to securely create, store and manage unique credentials, removing from employees the burden of remembering long character combinations.

- Use multifactor authentication (MFA): strengthen security by requiring an additional verification step, like a code, biometric, or token, which protects accounts even if a password is compromised.

- Adopt privileged access management to secure privileged accounts, enforce strong password policies and limit access to critical systems.

- Monitor for breaches: implement dark web monitoring to detect exposed credentials.

- Educate employees: conduct regular training on secure credential management and best practices.

“While Change Your Password Day is a great reminder to all employees of their individual responsibility when it comes to cybersecurity, in today’s climate, it might be better named Use Strong Authentication Day,” said Martin Kraemer, Security Awareness Advocate at KnowBe4.

“Changing your password regularly once served as a timely reminder that cybersecurity mattered, even if the act itself did not always result in greater security. Now, the actions required of employees may be different, but the message remains the same—everyone has a part to play in safeguarding their organisation against threats."

Simon McNally, Solution Consultant Director for Workforce Identity and Access Management, Europe, Thales, said: "Traditional security measures like passwords are no longer enough in today’s threat landscape. In 2025, businesses must strengthen their cybersecurity posture by adopting modern security practices such as passkeys and phishing-resistant two-factor authentication (2FA) or MFA to ensure safer, stronger authentication for not just the few employees but everyone."

McNally shared that nearly half of organisations have experienced a cloud data breach, according to the Thales 2024 Cloud Security Study. "Failure to use MFA was a significant factor in 17% of these breaches, highlighting the urgent need to move beyond passwords. Data shows that 2FA can block 99.9% of automated attacks and dramatically reduce phishing attempts. Businesses must introduce basic 2FA, like SMS or authenticator apps, for moderately sensitive accounts such as social media," he advised.

"For highly sensitive accounts, like banking, email, or company access, advanced 2FA methods such as security keys or biometrics are crucial. It’s a simple yet powerful way for organisations to keep their customers’ data safe from cybercriminals."

"2FA Day is a crucial reminder that by saying goodbye to single-factor authentication, organisations significantly enhance their security and protect valuable data from cyberthreats. Businesses must prioritise comprehensive security measures to prevent devastating cyberattacks and show customers they’re committed to protecting their data no matter what it may be," McNally added.

"Basic 2FA is non-negotiable: everyone, everywhere, must enable it for all their accounts for any device. As AI makes phishing more sophisticated, advanced, phishing-resistant 2FA – like hardware security keys or FIDO2-compliant methods – has become critical, especially for accessing sensitive systems. Use basic 2FA for moderately sensitive accounts like social media or online shopping, and advanced 2FA for highly sensitive accounts like banking, email, or company access, where data breaches have severe consequences."

When it comes to multifactor authentication, biometrics is experiencing a boom. The global fingerprint sensor market is projected to grow at a CAGR of 15.38% from 2024 to 2031, according to Verified Market Research. The consultancy revealed that the market was worth US$3.09 B in 2024 and is expected to reach US$9.71 B by the end of the forecast period, driven by the demand for biometric security in smartphones, smart cards, and Internet of Things (IoT) devices.

Interest in alternative authentication approaches is running high, with Passbolt announcing it had raised US$8 M in Series A financing in January 2025.

"Organisations are trapped between consumer-focused password managers and complex monolithic enterprise solutions that don't meet the need for secure collaboration of agile teams operating in digital environments," said Kevin Muller, co-founder and CEO of Passbolt, which has more than 400,000 daily active users globally.

"We're building a new type of credential and access manager for organisations of all sizes. It enables technical teams to collaboratively manage access to the organisation’s IT, software development, and security infrastructure. At the same time, it allows the broader workforce to automatically log into productivity tools and to share access credentials with colleagues securely."

The funding will be used to accelerate product development and meet security and regulatory requirements, with the first milestone being the company's next major release, Passbolt 5.0. It will also enable scaling of international sales and marketing, the company said. Passbolt has onboarded more than 40,000 organisations and 2,000 paid customers worldwide.
