World Password Day shifts focus to AI identity risks
Thu, 7th May 2026
Cyber security leaders are urging organisations to rethink digital identity defences as World Password Day highlights the limits of traditional logins. The shift to passwordless authentication and AI-driven workflows is raising concerns about new attack paths and persistent human risk.
Experts say the rapid adoption of passkeys, biometrics and multi-factor authentication is exposing deeper questions about how businesses govern both human and machine identities after access is granted. They point to a surge in phishing, session theft and social engineering, as well as the prospect of quantum computers undermining widely used cryptography.
Youssef El Maddarsi, chief business officer and co-founder of Naoris Protocol, said regulators in Asia are already pushing banks away from SMS codes and toward newer login methods. Authentication is evolving faster than the security foundations beneath it, he warned.
"World Password Day marks a genuine shift this year. Across Asia, regulators are already moving banks away from SMS codes toward passkeys and biometric login. The credential has evolved. The cryptographic foundation protecting it has not. Most passkeys and digital certificates in use today still rely on cryptography that quantum computers are expected to challenge within the decade. Stolen credentials already sit behind the majority of breaches globally. Quantum acceleration narrows that window further. The conversation can no longer stop at phishing resistance. Trust cannot be granted once at login and assumed to hold. Identity needs continuous validation across user behaviour, device posture, session risk and cryptographic resilience. Passkeys may change how we authenticate, but the next frontier is how continuously we verify and prove trust."
Ravi Soin, chief information security officer at Smartsheet, said the annual focus on passwords should now expand to the identity challenges created by AI-driven work.
"Every year, World Password Day arrives with the same advice. This year, the conversation needs to shift to the identity challenges that come with AI reshaping how work gets done. Passwordless authentication methods like multi-factor authentication, biometrics and passkeys are rapidly becoming the norm, and for good reason: they're stronger, faster and harder to compromise. This progress is real and worth celebrating. But even as authentication improves, with Zero Trust the deeper challenge remains: whether the humans in your environment, and the systems acting on their behalf, are behaving in ways you can actually verify. Every day, employees access dozens of apps to do their jobs. Behind them, a growing number of non-human 'workers' like automations and AI agents are operating across your environment, often carrying elevated privileges with far less scrutiny than a human login would receive. Even as AI takes on more of the workload, accountability still sits with people. The organisations that get this right will ensure every identity in their environment, human or not, is governed, traceable and held to the same standard. That's what modern identity security actually demands."
Other security specialists highlighted the continued success of phishing and social engineering, even as passkeys and biometric checks become more common. AI is making fake emails and scam messages more convincing, while attackers increasingly piggyback on real alerts and news events.
"The best scams are grounded in truth, and modern AI-enhanced phishing attacks are a perfect example of that. Whether it is a widespread service outage or an official notification about a billing credit, scammers have the opportunity to exploit real-world events. Sometimes they even make up realistic scenarios, like your car being tagged by a security camera for a speeding or parking ticket. The scams they pull often result in people giving up their passwords on fake login pages, and if they reuse those passwords on other websites and accounts, trouble spreads fast. This World Password Day, users everywhere must move beyond basic password hygiene and practise cyber hygiene. Organisations and individuals alike need to remain educated about the tactics scammers use to gain an element of trust they would never have in other situations. Treat every urgent notification with a trust-but-verify mindset; instead of clicking an email link, always go directly to the official app or website to check your status. By taking a second to think before reacting to an emotional trigger, you can avoid a scam and a massive headache," said Erich Kron.
Shawn Dorsey, senior director of global managed services at ThreatDown, said AI is also changing the economics of cybercrime and widening exposure for smaller firms. Attackers can now run large-scale, personalised phishing campaigns with far less effort, he said.
"The era of good-enough cybersecurity is over. The same AI advancements empowering defenders, such as Anthropic's Mythos and OpenAI, are also being weaponized by attackers. Despite these high-powered tools, the human element remains the most targeted and vulnerable link in the chain. This risk is exponentially higher for midmarket companies and SMBs that may lack the resources for 24/7 internal security. Bad actors have adapted. Phishing attacks are now incredibly personalized, naming specific company leaders or political affiliations to build a false sense of familiarity. This World Password Day serves as a reminder that AI has supercharged phishing-as-a-service and ransomware-as-a-service, allowing attackers to scale from a few dozen targets to thousands. To avoid becoming a victim, you must prioritize basic cyber hygiene. Enable MFA on every account, use unique and complex passwords, and ensure all devices are running the latest patches. For businesses, staying ahead requires a combination of the right tools and rigorous hygiene. Sometimes, it is simply the innate gut feeling that humans have that prevents a total cyber crisis."
In Australia, recent incident data illustrates how credential misuse and social engineering continue to drive losses despite awareness campaigns. Industry observers say attackers are adept at turning valid logins and session tokens into deep network access.
"World Password Day is arriving at a point where the old advice no longer goes far enough. Stronger passwords still matter, of course, but the bigger threat to Australian organisations is what happens when attackers use stolen credentials, hijacked sessions or bypassed multifactor authentication (MFA) to appear legitimate once inside a business. That matters in Australia because phishing remains one of the most common ways people and businesses are being targeted. Scamwatch recorded more than 65,000 phishing reports in 2025, while phishing losses reached $97.6 million and remote access scams cost Australians a further $69.9 million.
"Password security must extend beyond the initial login. While essential tools like strong passwords, passphrases, password managers and phishing-resistant MFA provide a vital foundation, the true challenge lies in securing access after a user has successfully authenticated. SentinelOne's latest threat research shows attackers are increasingly using stolen sessions and subverted MFA to mimic normal workforce activity. In those cases, a login may appear legitimate, even when the behaviour that follows is not.
"Australian organisations need to get much better at spotting that shift. That means looking for unusual privilege changes, new device enrolments, unexpected access to sensitive data, suspicious SaaS permissions, or activity that simply does not match a user's normal role. As these attacks become faster and harder to distinguish from normal business activity, AI-driven detection has an important role to play in surfacing behavioural changes that human teams may miss. A strong password can help keep attackers out. But if someone gets in with a valid key, businesses need to know when that trusted account starts behaving like an intruder.
"Identity-based attacks are inflicting significant harm in Australia. Cybercriminals are actively stealing credentials and purchasing usernames and passwords on the dark web, as warned by the ASD. This is compounded by another rise in phishing losses in 2025, according to Scamwatch data. The core problem is that with stolen credentials or a valid session token, an attacker can bypass traditional perimeter defences. They effectively masquerade as a legitimate user (an employee, a supplier or a trusted application), performing actions the system is configured to permit. That is why MFA remains essential, but it is not the finish line. Modern phishing kits and infostealers are increasingly designed to bypass or subvert MFA by capturing session cookies, hijacking trusted devices or enrolling new authentication methods after the initial compromise," said Jason Duerden.
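The post-authentication signals Duerden describes (a valid session token reused from a different device, an authenticator enrolled minutes after a login from an unfamiliar network, a privilege change the user's role does not justify) can be expressed as simple detection rules over identity-provider audit events. The following is an added example written for this page, not code from the article or from any of the vendors quoted. The event fields, the corporate network range, the role names and the enrolment window are assumptions, and the records are constructed rather than real telemetry.

```python
"""Post-authentication anomaly checks over identity-provider audit events.

Added example. The event shape below is a simplified assumption, not the
format of any real identity provider, and the records are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real telemetry). Field names are assumptions.
EVENTS = [
    {"ts": "2026-05-06T09:00:00", "user": "alice", "event": "login",
     "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/Windows"},
    {"ts": "2026-05-06T09:05:00", "user": "alice", "event": "data_access",
     "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/Windows", "detail": "hr-payroll"},
    # Same session cookie replayed from another network and browser: session theft indicator.
    {"ts": "2026-05-06T09:40:00", "user": "alice", "event": "data_access",
     "session": "S1", "ip": "198.51.100.77", "ua": "Firefox/Linux", "detail": "hr-payroll"},
    {"ts": "2026-05-06T10:00:00", "user": "bob", "event": "login",
     "session": "S2", "ip": "192.0.2.200", "ua": "Safari/macOS"},
    # New authenticator registered minutes after a login from an unfamiliar network.
    {"ts": "2026-05-06T10:04:00", "user": "bob", "event": "mfa_enrol",
     "session": "S2", "ip": "192.0.2.200", "ua": "Safari/macOS", "detail": "totp"},
    {"ts": "2026-05-06T10:06:00", "user": "bob", "event": "role_change",
     "session": "S2", "ip": "192.0.2.200", "ua": "Safari/macOS", "detail": "GlobalAdmin"},
    # Routine enrolment from the corporate network, well after login: should not fire.
    {"ts": "2026-05-06T11:00:00", "user": "carol", "event": "login",
     "session": "S3", "ip": "203.0.113.22", "ua": "Edge/Windows"},
    {"ts": "2026-05-06T11:30:00", "user": "carol", "event": "mfa_enrol",
     "session": "S3", "ip": "203.0.113.22", "ua": "Edge/Windows", "detail": "fido2"},
]

# Assumed baseline: corporate egress range, each user's expected role, admin roles.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
BASELINE_ROLE = {"alice": "Staff", "bob": "Staff", "carol": "Staff"}
ADMIN_ROLES = {"GlobalAdmin", "Owner"}
ENROL_WINDOW = timedelta(minutes=15)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _known_network(ip):
    return any(ip_address(ip) in net for net in KNOWN_NETWORKS)


def detect(events):
    """Return (rule, user, session) findings in chronological order."""
    findings = []
    sessions = {}    # session id -> (ip, ua) recorded at login
    last_login = {}  # user -> (timestamp, ip) of the most recent login
    for e in sorted(events, key=_ts):
        user, sid = e["user"], e["session"]
        if e["event"] == "login":
            sessions[sid] = (e["ip"], e["ua"])
            last_login[user] = (_ts(e), e["ip"])
            continue
        origin = sessions.get(sid)
        # Rule 1: the session token is used from an IP or user agent that differs
        # from the login that created it (cookie replay by an infostealer or proxy).
        if origin and (e["ip"], e["ua"]) != origin:
            findings.append(("session_reuse_from_new_device", user, sid))
        # Rule 2: an MFA method is enrolled shortly after a login from outside the
        # known networks, the persistence step that lets an attacker return later.
        if e["event"] == "mfa_enrol" and user in last_login:
            login_ts, login_ip = last_login[user]
            if not _known_network(login_ip) and _ts(e) - login_ts <= ENROL_WINDOW:
                findings.append(("mfa_enrol_after_unfamiliar_login", user, sid))
        # Rule 3: a privilege change to an admin role the user's baseline does not hold.
        if (e["event"] == "role_change" and e["detail"] in ADMIN_ROLES
                and BASELINE_ROLE.get(user) not in ADMIN_ROLES):
            findings.append(("unexpected_privilege_change", user, sid))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Run against the constructed events, the script flags Alice's session being replayed from a new network and browser, and Bob's authenticator enrolment and admin role change within minutes of a login from outside the corporate range, while Carol's routine enrolment from a known network passes. In production, rule 1 needs tuning (mobile users change IP constantly, so user-agent or device-binding signals carry more weight than address alone), and the baselines would come from an HR or IAM system rather than a hard-coded dictionary.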