The password used to secure your account is now a major risk, Microsoft warns, either on its own or even with two-factor authentication such as SMS codes. Stop using this “legacy” security, “so it won’t become a backdoor for cyber attackers.”

This year’s World Passkey Day “is a chance to reflect on progress toward a shared goal: reducing our reliance on passwords and other phishable authentication methods by accelerating passkey adoption.”

A few years ago, Microsoft’s primary security message was for users to adopt two-factor or multi-factor authentication, which it said would defend against 99% of password attacks and thefts. But since then we’ve seen a wide variety of 2FA and MFA compromises, especially when traditional SMS codes are used: a one-time code sent by text can be captured through SIM swapping, or simply relayed in real time by a phishing page that asks the victim to type it in and forwards it to the real site before it expires.

Now it’s all about passkeys, which “use a private key stored safely on the user’s device and only work on the website or app for which the user created it, and only if that same user unlocks it with their biometrics or PIN.” The phishing resistance comes from the browser, not the user: under the WebAuthn standard the credential is bound to the site’s relying-party identifier, and the page origin is written into the data the device signs, so a lookalike domain cannot even ask for the credential, and a sign-in response relayed from a fake page fails the site’s origin check.

Microsoft has been consistent in warning that the added protection from passkeys is largely negated if passwords and weak forms of 2FA/MFA remain on accounts, because an attacker simply falls back to whichever weaker sign-in method is still enabled. That means removing passwords on more than a billion user accounts.

This advice is now more acute thanks to AI. “AI-powered campaigns drive click-through rates as high as 54%,” Microsoft says. That is terrifying. As many as one in two recipients of AI-crafted phishing attacks are tricked by the initial lure.

There are more than 5 billion passkeys, FIDO says, driven by Microsoft, Google, Amazon and others. “Across Microsoft’s consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day.”

More than 99% of Microsoft’s users now have access to “phishing resistant” authentication, which in practice means passkeys (or other FIDO2 credentials) combined with removing the phishable fallback options, such as passwords and SMS codes, that an attacker could otherwise target instead. “Account recovery also plays a critical role in maintaining the integrity of identity systems.”

But there are still many more passwords in place than have been deleted. “Strengthening authentication is important,” Microsoft says, “but reducing risk means eliminating phishable credentials entirely. Microsoft is continuing to phase out legacy methods and move users toward phishing-resistant authentication.”

Eradicating passwords “shrinks the attack surface,” which “is increasingly urgent as AI agents act on behalf of users. If an identity is compromised, cyber attackers can leverage those agents to access systems, execute workflows, and operate within existing permissions. Organizations need to address this risk quickly.”