Passwords, 2FA and Passkeys: Make Your Accounts Unbreakable

Quick answer: Modern account security has three foundations. First the password: strength now comes from length and uniqueness rather than complexity; NIST's 2025 guidance recommends at least 15 characters for single factor passwords, does not impose character mixing and removes forced periodic rotation. Second multi factor authentication: even if a password is stolen, the second factor protects the account, but SMS codes are the weakest form. Third the passkey: it is structurally phishing resistant because it contains no shared secret. The order is clear: a unique long password per account, phishing resistant multi factor authentication on top, and a passkey wherever possible.

For years we were told to "mix uppercase, numbers and symbols and change it every three months." That advice no longer holds and ironically weakened security, because people drifted to predictable patterns like Password1!, Password2!. The standards have changed.

1. Password: length beats complexity

NIST's SP 800-63B-4 guidance, published in 2025, fundamentally updated password rules:

  1. At least 15 characters. NIST requires passwords used as a single factor to be at least 15 characters.
  2. Allow at least 64 characters. Systems should permit at least 64 characters for long passphrases.
  3. Do not impose complexity rules. NIST says composition rules such as character type mixing should NOT be imposed. A phrase of four random words is both stronger and more memorable than a short complex password.
  4. No forced periodic change. Periodic forced password change should not be imposed; a change should be required only if there is evidence of compromise.
  5. Check against breached passwords. New passwords should be compared against a blocklist of known and compromised passwords. Services like Have I Been Pwned hold hundreds of millions of passwords exposed in real breaches.
  6. Allow paste. NIST recommends allowing the paste function to facilitate password manager use.

2. Password manager: one master password, hundreds of unique passwords

The human mind cannot remember dozens of unique long passwords, so people reuse the same password everywhere, and a single breach then opens every other account (credential stuffing, where a leaked password is replayed against other services). The solution is a password manager. CISA defines a strong password as long, random and unique, and lists using a password manager to generate and store a different password per account as one of the core steps; you only remember a single master password.

3. Multi factor authentication: the second lock

A password alone is not enough; multi factor authentication (MFA) demands a second proof. In a widely cited 2019 analysis, Microsoft stated that MFA can block over 99.9 percent of account compromise attacks. But not all MFA methods are equal:

  • SMS and voice codes: weakest. CISA states that SMS based verification is vulnerable to phishing, SS7 flaws and SIM swap attacks. If your SIM is hijacked the SMS code is useless; see our guide on the SIM swap attack.
  • App based (authenticator): better. Apps that generate one time codes are safer than SMS but are still exposed to phishing that makes you enter a code on a fake page.
  • Passkey and hardware key: strongest. CISA says the only widely available phishing resistant method is FIDO/WebAuthn.

4. Passkey: the passwordless, phishing resistant future

A passkey is an authentication method based on FIDO standards that uses public key cryptography. In the FIDO Alliance definition, the private key stays on your device, the public key is stored on the service's server, and you log in with the method you use to unlock your device (fingerprint, face, PIN). Passkeys are resistant to phishing, are always strong, and are designed so there are no shared secrets. Each passkey is unique and bound to the service's domain, so you cannot give your passkey to a fake site, because the browser will not present the credential when the domain does not match. There is no password to steal and no code to intercept.

Implementation plan, point by point

  1. Install a password manager and set a strong master password.
  2. Starting with the most critical accounts (email, bank), assign each account a unique password of at least 15 characters.
  3. Turn on multi factor authentication on all accounts; choose an app or a passkey over SMS.
  4. Set up a passkey on every service that supports it (Google, Apple, Microsoft, many banks).
  5. Check for breached passwords and change every exposed one.
  6. If you are in an organization, make phishing resistant MFA a policy and strengthen your identity and access management.

Frequently Asked Questions

Should I really not change my password periodically? NIST no longer recommends forced periodic change; change it only if there is evidence of compromise. A long, unique password and MFA matter more.

Is SMS verification bad? Better than nothing but the weakest method. Move to app based authentication or a passkey if possible.

What if my passkey is stolen? A passkey is bound to your device and your biometric or PIN; the private key never leaves the device, so it cannot be stolen remotely like a password.

To make your corporate authentication architecture phishing resistant, contact DSET.