
    MFA and Passwordless. How to Login Safely?

    Date: 23.04.2025

    Category: Explained, Security


    Have you ever forgotten your company email or VPN password? If so, you understand the frustration of trying to regain access. In a world where every system requires a different password – strong, long, and ideally unique – the average user becomes a credential juggler. The problem is that these juggles often end in… disaster.

    The statistics leave no illusions. The Cisco Talos Incident Response report for the second half of 2024 states that over 80% of incidents could be avoided with properly implemented MFA mechanisms. Passwords are easy to crack, users tend to duplicate them, and IT departments spend hours resetting them.

    It’s time to ask ourselves: do we really have to live with passwords? Is there no other method of authentication? This is where the entirely new concept of passwordless authentication comes in – a solution that has the potential to change the rules of the game.

    Why are passwords a problem?

    Passwords, while still common, are a relic of the days when digital security was just starting to take off. They are:

    • easy to lose and forget,
    • duplicated by users across multiple services,
    • vulnerable to phishing, brute-force, and dictionary attacks,
    • expensive for IT departments to maintain (resets, policies, training).

    Administrators have the ability to reset authentication methods in case a key or phone is lost.

    All of this means that companies, especially those covered by regulations like NIS2, are starting to look for more resistant and modern solutions. The solution is no longer stronger passwords, but… the lack of them. But before we eliminate passwords completely, let’s take a look at MFA.

    Multi-Factor Authentication

    Authentication is the process of verifying the identity of a user who is trying to access a system, network, or application. It is a key element of security because it prevents unauthorized people from accessing protected resources. Many organizations use multi-factor authentication (MFA), which requires the user to provide more than one element of identity (in addition to a password), such as a one-time SMS code or a token code.

    Multi-factor authentication model

    Something You Know, Something You Have

    There are many authentication methods used to gain access to systems and applications. These methods can be divided into three main categories: knowledge factor (e.g. password), possession factor (e.g. authentication token), and biometric factor (e.g. fingerprint). Multi-factor authentication combines two or more of these categories to provide a higher level of security. Passwordless authentication, such as Microsoft Authenticator and FIDO2 access keys, is becoming increasingly popular because it offers more convenient and secure solutions for users.

    What is passwordless authentication?

    Passwordless authentication is a method of logging in that eliminates the need to type in a password. The user’s identity is confirmed using other methods—such as biometrics, physical hardware keys, push notifications on a trusted device, or even behavioral patterns. It’s not only convenient, it’s also much more secure. And importantly, it’s in line with the spirit of Zero Trust, which assumes no implicit trust in any user or device.

    This is a login method in which the user does not have to enter any password. Their identity is confirmed by other factors:

    • providing biometric data – e.g. fingerprint, facial recognition,
    • hardware key – e.g. YubiKey connected to USB/NFC, on which a passwordless access scenario can be implemented,
    • trusted mobile device – confirmation of login via push notification.

    In the case of login from unknown locations or devices, the application may ask to enter a code received via SMS for additional authentication. These solutions fit into the Zero Trust model, in which we do not trust anyone by default – not even our employees until they prove that they are who they claim to be.

    Authentication methods: Access keys

    Access keys, such as those compliant with the FIDO2 standard, are physical devices that can be used for passwordless authentication. They are equipped with advanced security features such as cryptography and certificate-based authentication. Users can register an access key in their account and then use it to log in to systems and applications without having to type in a username and password. Access keys are especially useful for users who need to access multiple accounts and applications, as they provide a convenient and secure solution.

    MFA vs. Passwordless – which is better?

    Many people may think that passwordless is simply a new version of MFA. In fact, the differences are significant. MFA – or multi-factor authentication – is almost always based on a password as one element. Only then does the second factor, such as a TOTP code or a hardware key, come in.

    Passwordless eliminates the password completely – and this is what makes it not only more convenient, but also more resistant to typical attacks such as phishing or brute-force.

    From the point of view of security and ergonomics, passwordless is much better. It shortens the login time, reduces the helpdesk load, and most importantly – reduces the attack surface. However, it requires more involvement in the implementation – both on the IT and user side. Processes, education and backup access methods are needed in case the key is lost or the smartphone breaks down.

    It is also worth being aware that passwordless login is not without threats. Theft of a phone or key, taking over the phone number (SIM swapping), and even advanced biometric forgery – all of this must be taken into account when planning the implementation. Therefore, security policies, encryption of communication and – above all – user education are crucial.

    Let’s look at the differences between MFA and passwordless login

    Use of passwords
    • Multi-factor authentication (MFA): requires the use of a password as one of the authentication factors. The user must then verify their identity using an additional factor, such as a TOTP code, biometric recognition, or a hardware key.
    • Passwordless authentication: completely eliminates the need for passwords. Instead, it uses other methods, such as biometrics (e.g. fingerprint, facial recognition) or cryptographic keys.

    Login process
    • MFA: the login process is more complex because the user must go through several authentication steps. This can increase login time and be less convenient for the user.
    • Passwordless: simplifies the login process by eliminating the need to remember and type passwords. It is more intuitive and faster.

    Security
    • MFA: increases security by adding layers of protection, but remains vulnerable to password-related attacks such as phishing or brute force if a password is one of the authentication factors.
    • Passwordless: considered more resistant to password-related attacks because it eliminates them entirely. However, it can be vulnerable to advanced biometric spoofing or magic link capture.

    Costs and implementation
    • MFA: easier to implement and often cheaper, as many applications support MFA using free tools such as authenticator apps.
    • Passwordless: implementation can be more costly and complicated, as it requires passwordless compatibility and investment in appropriate hardware or software.

    Examples of methods
    • MFA: password + TOTP code from an application; password + biometric recognition; password + hardware key.
    • Passwordless: biometrics (fingerprint, face recognition); magic links sent via email or SMS; cryptographic keys (e.g. FIDO).

    Three practical approaches to MFA

    1. Cisco Duo – a sustainable path to security

    Cisco Duo is an advanced MFA and passwordless authentication platform that integrates with cloud systems, VPNs, Active Directory, and on-premises applications. The user does not need to enter a password – just approve the notification on the phone. The application allows you to log in using biometrics or a PIN.

    💡 For whom?

    • large organizations, financial institutions, public sector,
    • companies requiring compliance with NIS2, GDPR, ISO 27001,
    • IT teams looking for simple implementation and full integration with Microsoft 365, VPN or Azure AD.

    ✅ What makes Duo stand out?

    • simple user onboarding,
    • adaptive authentication (e.g. greater security outside of working hours),
    • extensive access reporting.

    Cisco Duo authentication

    2. FortiAuthenticator and FortiToken – passwordless login for Fortinet environments

    If your organization uses FortiGate, FortiAuthenticator is a natural complement — an on-premises or cloud authentication server that works with FortiTokens (hardware or mobile). This lets you implement MFA or passwordless consistently with your entire security ecosystem. In addition to entering a username and password, the user must take an additional step to confirm their identity. When logging in from a new device or a different location, additional security measures, such as one-time SMS codes, are applied.

    💡 For whom?

    • SMEs and the public sector (schools, offices, healthcare facilities),
    • companies with existing Fortinet infrastructure.

    ✅ What do you gain?

    • a cheaper alternative to extensive MFA platforms,
    • integration with VPN, RADIUS, Wi-Fi and Windows logon,
    • the ability to use mobile or physical tokens.

    FortiToken – Secure Access for Fortinet Platforms

    3. YubiKey – Phishing-proof MFA and the hardware key to a passwordless world

    YubiKey is a small device (USB, NFC, Lightning) that works like a physical key. Just plug it into your computer or bring it close to your phone to confirm your identity – without entering a password. The key supports FIDO2 and WebAuthn standards, making it compatible with Microsoft, Google, GitHub and many other services.

    💡 For whom?

    • companies of all sizes that want to protect users from identity theft,
    • structures that particularly want to protect highly privileged users (administrators, board members, finance department employees, etc.),
    • organizations where employees do not have company phones, e.g. offices, hospitals, local government units, factories (even in explosion-hazard zones – YubiKey has no battery), call centers,
    • private users.

    ✅ Why is it worth it?

    • resistance to phishing and data interception,
    • no need to install mobile applications,
    • ability to log in offline (e.g. to operating systems).

    Yubikey Key Family – from FIDO-only to support for multiple authentication protocols, including passwordless authentication

    What about security in MFA and passwordless authentication?

    While each method has its limitations (e.g., lost phone, lost hardware key), passwordless login reduces the most common attack vectors. Instead of relying on the user to come up with a secure password, companies can trust the identity to be confirmed by something physical (key) or unique (biometrics).

    What’s more, with the NIS2 directive requiring strong authentication and access management methods, moving to passwordless is a logical step toward compliance.

    When it comes to choosing an authentication technology, it’s also worth knowing the most common attack vectors that threaten both traditional MFA systems and more modern passwordless solutions. Understanding these threats is key to planning your security strategy and choosing the right defence.

    Attack type          | Multi-Factor Authentication        | Passwordless authentication
    Phishing (AITM)      | Magic link capture                 | Magic link capture
    SIM swapping         | SMS code capture                   | SMS link capture
    Any device theft     | Phone/token theft                  | Phone/dongle theft
    Biometrics spoofing  | Less commonly used                 | Deepfake, fingerprint replication
    Token/cookie theft   | Session token theft from browser   | Less vulnerable
    Malware              | MFA code capture                   | Biometrics capture

    What’s next?

    Passwords are no longer the hero of our digital security. Today, identity protection requires more advanced solutions. If you want to provide users with secure access to corporate resources, let’s talk. We will advise which tool will be best for you: Cisco Duo, FortiAuthenticator, YubiKey or another solution from a proven manufacturer.

    📩 Contact our team to learn how to implement the best authentication method in your organization.

    Author

    Joanna Sajkowska

    Experienced in the areas of portfolio management, communication strategy and technical content. Backed by her background in Systems Engineering and business development, Joanna puts focus on translating features into benefits and showcasing the unique values of Grandmetric products and services.
