
World Password Day 2026: the end of the password era

World Password Day: May 7, 2026
Passkeys supported: M365, Google, Apple, GitHub
NIST PQC standards: ML-KEM and ML-DSA, since 2024

What has changed in 2026

World Password Day on May 7, 2026 falls in a moment of transition. For the first time, passkeys are officially supported by the major enterprise identity providers — Microsoft 365, Google Workspace, Apple Business Manager, GitHub — and are no longer a curiosity for insiders. At the same time, in 2024 NIST published the first post-quantum cryptography standards (ML-KEM, ML-DSA, SLH-DSA), opening a decade-long transition that businesses should start planning now.

The 2026 message is simple: the password as we know it is no longer the first line of defence. The first line is digital identity, managed with tools that move beyond passwords and with an eye already on next decade’s cryptography.

Why passkeys beat passwords

A passkey is a cryptographic credential based on FIDO2/WebAuthn: a public/private key pair generated and stored on the user’s device (or in the corporate password manager). Authentication happens by signing a cryptographic challenge with the private key, unlocked via biometrics or a local PIN. The private key never leaves the device and the server never receives a reusable «secret».

The advantages over the traditional password are concrete and measurable:

  1. Phishing resistance — the passkey is cryptographically bound to the legitimate domain. A clone site cannot receive a valid signature, even if the user «falls for it».
  2. No password databases to steal — data breaches involving hash exfiltration simply don’t exist for passkeys: the server only stores the public key, which is useless to an attacker.
  3. Better user experience — fewer forgotten passwords, fewer resets, fewer help-desk calls. Login becomes a biometric operation that takes a few seconds.
  4. Cloud sync — modern passkeys (iCloud Keychain, Google Password Manager, 1Password, Bitwarden) sync end-to-end encrypted across the user’s devices, with no manual steps.
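To make the phishing-resistance point concrete, here is an added Go example (not code from the original article) that simulates a WebAuthn assertion on both sides: the device signs authenticatorData plus a hash of clientDataJSON, whose origin field is written by the browser rather than the page, and the server checks origin and rpIdHash before the signature. The origins, rpId and challenge values are constructed for the demo, and authenticatorData is simplified to rpIdHash, flags and counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData holds the clientDataJSON fields a relying party must check.
type clientData struct{ Type string `json:"type"`; Challenge string `json:"challenge"`; Origin string `json:"origin"` }
// Authenticator models the user's device: the private key is generated here and never exported.
type Authenticator struct{ priv *ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return &Authenticator{priv: k} }
// PublicKey is all the server stores at registration; stealing it yields nothing reusable.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
// rpIDHash opens authenticatorData; signedMessage is what FIDO2 actually signs.
func rpIDHash(id string) []byte { h := sha256.Sum256([]byte(id)); return h[:] }
func signedMessage(authData, cdj []byte) []byte {
	h := sha256.Sum256(cdj) // the signature covers authenticatorData || SHA-256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// Sign mimics navigator.credentials.get(): the browser records the real origin in clientDataJSON,
// so a look-alike site relaying the login cannot claim the legitimate origin.
func (a *Authenticator) Sign(rpID, browserOrigin, challenge string) (cdj, authData, sig []byte) {
	cdj, _ = json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	authData = append(rpIDHash(rpID), 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || counter, simplified
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdj))
	return cdj, authData, sig
}

// RelyingParty keeps only the public key plus its own origin and rpId.
type RelyingParty struct{ Origin, RPID string; Pub *ecdsa.PublicKey }
// Verify runs the relying-party checks: ceremony type and challenge, origin, rpIdHash, signature.
func (rp *RelyingParty) Verify(challenge string, cdj, authData, sig []byte) error {
	var cd clientData
	switch {
	case json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return errors.New("malformed clientDataJSON, wrong ceremony type or replayed challenge")
	case cd.Origin != rp.Origin:
		return errors.New("origin mismatch: assertion was produced on another site")
	case len(authData) < 37 || string(authData[:32]) != string(rpIDHash(rp.RPID)):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(rp.Pub, signedMessage(authData, cdj), sig):
		return errors.New("invalid signature")
	}
	return nil
}
```

Real browsers additionally refuse to use a credential whose rpId is not a registrable suffix of the current origin, so the rpIdHash check is a second line of defence behind the origin check.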

SMS and TOTP MFA are no longer enough

«Classic» MFA — SMS codes, TOTP codes from authenticator apps, push notifications without number matching or any other verification — has been shown to be vulnerable in numerous incidents over the past two years. The most common bypass mechanisms are:

  • Adversary-in-the-Middle (AiTM) phishing — a malicious proxy (e.g. Evilginx) relays the user’s login to the real service and intercepts both the password and the MFA code in real time, in effect stealing the session cookie.
  • SIM swapping — the attacker convinces the mobile carrier to port the victim’s number to a new SIM and receives the SMS codes. Documented in real incidents against executives and IT administrators.
  • MFA fatigue / push bombing — the attacker, with stolen credentials, sends dozens of approval pushes until the exhausted user clicks «Approve» by mistake or annoyance.
  • OAuth consent phishing — the attacker doesn’t steal the credentials but convinces the user to grant a malicious app permanent OAuth permissions, bypassing MFA and password rotation altogether.

NIST SP 800-63B and CISA have for some time recommended moving to phishing-resistant MFA: passkeys, FIDO2 hardware security keys (e.g. YubiKey) or Windows Hello for Business with TPM. For administrative and privileged accounts it is now a minimum requirement, not an option.

The post-quantum horizon

Quantum computers, once operational at scale, will be able to break in a relatively short time the public-key algorithms that today underpin the internet — RSA, ECDSA, Diffie-Hellman — used for HTTPS, VPNs, digital signatures, key exchange and most authentication. In 2024 NIST published the first three post-quantum cryptography (PQC) standards:

  1. ML-KEM (FIPS 203) — based on the Kyber algorithm, it is the standard for quantum-resistant key exchange. Replaces ECDH/RSA-KEM in TLS, IKEv2 and similar protocols.
  2. ML-DSA (FIPS 204) — based on Dilithium, it is the standard for post-quantum digital signatures. Replaces ECDSA/RSA in PKIs, certificates and code signing.
  3. SLH-DSA (FIPS 205) — based on SPHINCS+, an alternative hash-based digital signature. Slower, but independent of lattice security assumptions.

Even though useful quantum computers have not yet arrived, the risk is already concrete: the most sophisticated adversaries collect encrypted traffic today (VPN, email, TLS sessions) to decrypt it tomorrow — a threat model known as «harvest now, decrypt later». Data with decade-long value (industrial secrets, contracts, health data, legal files) is the most exposed.

Three concrete actions for your business in 2026

Without overhauling the infrastructure, there are three steps every SME can take by year-end 2026:

  1. Passkeys for administrative accounts and privileged roles — enable passkeys or FIDO2 hardware security keys for Microsoft 365 global administrators, accounts with elevated privileges and sysadmins. This is the highest-ROI action: it protects the favourite attack point of ransomware operators.
  2. Enterprise password manager and breached-password checks — a password manager with secure secret sharing across teams eliminates reused passwords, sticky notes and email sharing. Credentials should also be checked periodically against data-breach databases.
  3. Cryptographic inventory and PQC roadmap — map the uses of asymmetric cryptography (VPN, TLS certificates, digital signatures, internal PKI) to identify the points that will require a transition to PQC systems by 2030. The first step is knowing what you have.
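As an added example for the cryptographic inventory step (not the author’s or AtWorkStudio’s tooling), this Go program classifies the public-key and signature algorithms of every certificate in a PEM bundle and flags the quantum-vulnerable ones. The two self-signed certificates and their names are constructed so it runs offline; in practice you would feed it an export from your CA, VPN gateway or web servers.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Finding is one row of the cryptographic inventory.
type Finding struct{ Subject, KeyAlgo, SigAlgo string; QuantumVulnerable bool }
// Classify records the asymmetric algorithms a certificate depends on; RSA, ECDSA and Ed25519 all rest on factoring or discrete logs, so any recognised key is flagged for migration to ML-DSA (FIPS 204).
func Classify(c *x509.Certificate) Finding {
	f := Finding{Subject: c.Subject.CommonName, KeyAlgo: c.PublicKeyAlgorithm.String(), SigAlgo: c.SignatureAlgorithm.String()}
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyAlgo += "-" + big.NewInt(int64(k.N.BitLen())).String() // key size is needed to prioritise the migration
	case *ecdsa.PublicKey:
		f.KeyAlgo += " " + k.Curve.Params().Name
	}
	f.QuantumVulnerable = c.PublicKeyAlgorithm != x509.UnknownPublicKeyAlgorithm // unknown: review by hand
	return f
}
// InventoryPEM runs Classify over every CERTIFICATE block in a PEM bundle (a CA or VPN export).
func InventoryPEM(bundle []byte) (out []Finding) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(block.Bytes); block.Type == "CERTIFICATE" && err == nil {
			out = append(out, Classify(c))
		}
	}
	return out
}
// selfSignedPEM issues a throwaway certificate so the example runs offline (constructed sample).
func selfSignedPEM(cn string, key crypto.Signer) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// DemoInventory stands in for a real export: an RSA VPN certificate and an ECDSA web certificate.
func DemoInventory() []Finding {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return InventoryPEM(append(selfSignedPEM("vpn.example.internal", rsaKey), selfSignedPEM("www.example.com", ecKey)...))
}
```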

A partner for authentication modernisation

AtWorkStudio supports SMEs in moving to passkeys and phishing-resistant MFA on Microsoft 365 and hybrid environments. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, ACN-qualified for SaaS cloud services, members of Clusit (Italian Association for Information Security) and associated with Confindustria Piacenza in the RICT cluster.

We help businesses define a modern authentication policy (passkeys for sensitive roles, Conditional Access, Zero Trust), deploy enterprise password managers with shared vaults, and set up a cryptographic inventory to prepare for the PQC transition without panic.

Sources

  • NIST SP 800-63B Rev. 4 — Digital Identity Guidelines: Authentication and Authenticator Management
  • NIST FIPS 203, 204, 205 — Post-quantum cryptography standards (ML-KEM, ML-DSA, SLH-DSA), August 2024
  • FIDO Alliance — Passkey Specification (WebAuthn Level 3)
  • CISA — Implementing Phishing-Resistant MFA (factsheet)
  • Microsoft Entra ID — Passkey support documentation
  • Apple, Google, GitHub — Passkey implementation guides


Modernise your authentication

Where to start: passkeys for administrative roles, enterprise password manager, cryptographic inventory for the post-quantum transition. We can help you build a 30-day plan.