TL;DR: Passwords remain a primary authentication method, but weak and stolen credentials are still a common breach path, according to DigiCert. The article argues that multi-factor authentication reduces risk by adding a second layer of verification, yet it does not eliminate the human exposure built into password-based access.
NHIMG editorial — based on content published by DigiCert: How Effective Authentication Protects You Online
Questions worth separating out
Q: How should organisations reduce account takeover risk when passwords are still in use?
A: Organisations should treat passwords as one factor, not the whole control.
Q: Why do passwords remain such a common authentication weakness?
A: Passwords remain weak because they depend on human memory, user discipline, and secrecy under attack pressure.
Q: What is the difference between human authentication and machine authentication?
A: Human authentication is interactive and usually involves logins, MFA, or recovery steps; machine authentication is non-interactive and rests on certificates and service credentials, which is why the two need separate governance.
Practitioner guidance
- Replace password-only access with layered verification: require multi-factor authentication for remote access, admin workflows, and any application handling sensitive personal or financial data.
- Prioritise phishing-resistant factors for privileged accounts: move high-value users to factors that are harder to replay than OTP codes, especially where compromise would expose broad access or administrative functions.
- Separate human and machine authentication governance: keep interactive login policy, certificate handling, and service credential lifecycle under different controls.
What's in the full article
DigiCert's full blog post covers the explanatory detail this analysis intentionally leaves at a higher level:
- The article's breakdown of why the industry still over-relies on passwords for everyday access
- The specific examples of multi-factor authentication methods cited in the source, including device and token-based approaches
- The article's discussion of how users can adopt authenticator apps in common consumer and business settings
👉 Read DigiCert's explanation of why effective authentication still matters online →
Passwords and multi-factor authentication: what still breaks online?
Explore further
Password-only authentication is an identity assumption, not a security strategy. The article makes clear that password use still dominates because it is familiar, not because it is durable. That model assumes users can consistently create and protect secrets under real attack pressure, which is no longer a safe assumption. For identity programmes, the lesson is that the first factor is a fragile trust boundary, not a sufficient control.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, showing how uneven identity governance maturity remains across machine and human populations.
A question worth separating out:
Q: How do security teams know whether MFA is actually improving assurance?
A: Teams should measure whether MFA blocks common takeover paths, especially phishing and credential replay, rather than whether it is merely enabled. Look at bypass rates, recovery weaknesses, privileged account coverage, and the type of factor used. A weak second factor may reduce friction without materially improving assurance.
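One way to turn that measurement into a repeatable check, as an added example that is not code from DigiCert's article or this editorial: it scores a constructed account inventory by effective assurance (the weaker of the login factor and the recovery path) and reports privileged-account coverage rather than a bare "MFA enabled" flag. The factor names, the strength ranking and the sample accounts are assumptions.

```python
# Rank factors by resistance to phishing and credential replay (assumed
# ranking). OTP codes can be relayed through a proxy page; FIDO2/passkey
# assertions are bound to the origin, so a relayed challenge fails.
FACTOR_STRENGTH = {
    "none": 0,   # password only
    "sms": 1,    # replayable, exposed to SIM swap
    "totp": 2,   # replayable within its time window
    "push": 2,   # exposed to prompt fatigue and relay
    "fido2": 3,  # phishing-resistant, origin-bound
}
PHISHING_RESISTANT = 3

def effective_strength(account):
    """An account is only as strong as its weakest path: the login factor
    or the recovery method that replaces it when the factor is "lost"."""
    return min(FACTOR_STRENGTH[account["factor"]],
               FACTOR_STRENGTH[account["recovery"]])

def assess(accounts):
    """Privileged-account coverage metrics plus the accounts whose recovery
    path silently downgrades the primary factor."""
    privileged = [a for a in accounts if a["privileged"]]
    mfa_enabled = sum(1 for a in privileged if FACTOR_STRENGTH[a["factor"]] > 0)
    resistant = sum(1 for a in privileged
                    if effective_strength(a) >= PHISHING_RESISTANT)
    downgraded = sorted(a["user"] for a in accounts
                        if FACTOR_STRENGTH[a["recovery"]]
                        < FACTOR_STRENGTH[a["factor"]])
    return {
        "privileged": len(privileged),
        "privileged_mfa_enabled": mfa_enabled,
        "privileged_phishing_resistant": resistant,
        "recovery_downgraded": downgraded,
    }

# Constructed sample inventory, not real directory data.
SAMPLE_ACCOUNTS = [
    {"user": "admin1", "privileged": True, "factor": "fido2", "recovery": "fido2"},
    {"user": "admin2", "privileged": True, "factor": "fido2", "recovery": "sms"},
    {"user": "admin3", "privileged": True, "factor": "totp", "recovery": "totp"},
    {"user": "admin4", "privileged": True, "factor": "none", "recovery": "none"},
    {"user": "alice", "privileged": False, "factor": "push", "recovery": "sms"},
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

On the sample data three of four privileged accounts have MFA enabled, but only one is phishing-resistant end to end, because admin2's SMS recovery path undoes its FIDO2 login factor.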
👉 Read our full editorial: Effective authentication remains the weak point in online security