The Security Editor

Fundamentals

Authentication: why your password is not the fence you think it is

A password is a guess gate, not a fence. A practical guide to the layers that actually keep attackers out of your document accounts — multi-factor, hardware keys, passkeys, and the account-recovery flow almost everybody forgets about.

By Alex Trustwell · 6 min read · Beginner
On this page
  1. Why the fence model is wrong
  2. Multi-factor authentication, and the trap of the word “multi-factor”
  3. The session-cookie problem
  4. Account recovery: the back door that is usually unlocked
  5. The practical account-hardening short list

Most people picture a password as a fence. You pick a good one, and anyone who doesn’t know it can’t get in. That mental model is wrong, and the gap between the model and the reality is where almost every document-account breach happens.

A password is not a fence. It’s a guess gate, and there are more ways through it than you think.

Why the fence model is wrong

A real fence keeps someone out unless they physically climb it in front of you. A password has at least five separate ways to go around it, and the attacker never has to stand in your yard:

  • Guessing, if the password is weak or common.
  • Credential stuffing, if you reused it on another site that was breached — and over 20 billion credentials have leaked publicly over the last decade.
  • Phishing, if you can be tricked into typing it into a fake site.
  • Infostealer malware, if anything on your computer can read the browser’s saved-password store.
  • Resetting it, via a recovery flow that is often weaker than signing in normally.

Every one of those is a route the attacker can take from their own house. None requires physical proximity. Most happen at internet scale against lists of millions of users.

The defense isn’t a stronger password. It’s making the password not the only thing standing between the attacker and the account.

Multi-factor authentication, and the trap of the word “multi-factor”

Multi-factor authentication (MFA) adds something beyond the password to the sign-in process. In principle that’s great. In practice, not all second factors are equal, and one of them is actively bad.

Roughly in order from weakest to strongest:

  • SMS codes. A texted one-time code. Defeated by SIM-swapping (where an attacker convinces a mobile carrier to move your number to their SIM), by phishing (a fake site asks for the code and relays it), and by rare SS7-level telecom attacks. Treat SMS as better than nothing, but not as serious MFA.
  • TOTP app codes (Google Authenticator, Authy, 1Password’s built-in TOTP, etc.). A six-digit code that rotates every 30 seconds, generated on your device. Immune to SIM swapping, but still phishable — an attacker-in-the-middle site can relay the code to the real site just like with SMS.
  • Push approvals (Microsoft Authenticator, Duo, etc.). You tap a notification to approve. Phishable by “push bombing” — the attacker spams you with prompts hoping you’ll tap one to make the noise stop. Okta, Uber, and many others have been breached through this.
  • Hardware security keys (YubiKey, Google Titan, Feitian) using the FIDO2/WebAuthn protocol. The key signs a challenge that is cryptographically bound to the real site’s domain. A phishing site cannot use the signature because the signed challenge names the wrong domain. This is the class CISA refers to as “phishing-resistant MFA”.
  • Passkeys. A FIDO2 credential stored on your device (phone, laptop, hardware key), unlocked by biometric or device PIN. Effectively the same phishing-resistant guarantees as a hardware key, with better ergonomics. Supported by Apple, Google, Microsoft, and every major browser.
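To make the “still phishable” versus “phishing-resistant” distinction concrete, here is an added example (not code from this article or from any of the products named above) that shows both mechanisms side by side: a TOTP generator and verifier per RFC 4226/6238, and a simplified WebAuthn assertion check as a relying party would perform it. The TOTP code is a pure function of the shared secret and the clock, so nothing in it names the site that is asking for it. The WebAuthn assertion, by contrast, is a signature over data that includes the origin the browser was on, so a relying party at example.com can refuse an assertion that was produced on any other origin. The relying-party identifier, origin, credential secret and challenge are constructed for the demo, and because the standard library has no ECDSA, HMAC-SHA256 with a per-credential secret stands in for the P-256 signature a real authenticator would produce.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238): the code depends only on (secret, time) ----
# Nothing in it names the site, so a relayed code is accepted anywhere the secret is known.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing +/- one step of clock drift, with a constant-time compare."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

# ---- WebAuthn assertion: the signature covers the origin the browser saw ----

RP_ID = "example.com"               # constructed relying-party identifier
RP_ORIGIN = "https://example.com"   # the only origin this relying party accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """The browser, not the web page, writes clientDataJSON, including the origin it is on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def authenticator_sign(cred_key: bytes, rp_id: str, client_data_json: bytes) -> tuple:
    """Stand-in authenticator. A real key signs with ECDSA P-256; HMAC-SHA256 with a
    per-credential secret is used here only because the standard library has no ECDSA.
    The signed message is authenticatorData || SHA-256(clientDataJSON), as in WebAuthn."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(cred_key, to_sign, hashlib.sha256).digest()

def rp_verify_assertion(cred_key: bytes, expected_challenge: bytes,
                        auth_data: bytes, client_data_json: bytes, signature: bytes):
    """Relying-party checks (WebAuthn Level 3, section 7.2, abridged)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if client.get("origin") != RP_ORIGIN:
        return False, f"origin {client.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data_json).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not verify"
    return True, "ok"

def demo_webauthn(origin_user_is_on: str):
    """Run one assertion ceremony with the user's browser on the given origin."""
    cred_key = b"constructed-per-credential-secret"
    challenge = hashlib.sha256(b"constructed challenge nonce").digest()[:16]
    cdj = browser_client_data(challenge, origin_user_is_on)
    auth_data, sig = authenticator_sign(cred_key, RP_ID, cdj)
    return rp_verify_assertion(cred_key, challenge, auth_data, cdj, sig)

if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"           # RFC 6238 test seed
    print("TOTP at t=59:", totp(rfc_secret, 59))  # 287082, the RFC 6238 SHA-1 test vector
    print("real site:", demo_webauthn(RP_ORIGIN))
    print("look-alike site:", demo_webauthn("https://example.com.login-check.invalid"))
```

In a real browser the look-alike case never gets this far: the browser only offers a credential when its rpId matches the domain it is on, so the origin check at the relying party is the second line of defense, not the first. The TOTP side has no equivalent at either layer, which is the whole reason it can be relayed.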

The session-cookie problem

Even when you are signed in with strong MFA, the browser stores a session cookie — a token that tells the site “this browser is already authenticated”. Until the cookie expires, the site accepts it in place of the password and MFA.

Infostealers grab session cookies from browser profiles. An attacker who obtains a valid cookie can load it into their own browser and be signed in as you, with no MFA prompt, because the site already believes the authentication is done.

This is how several high-profile breaches in the last few years happened — not by defeating MFA, but by bypassing it entirely through stolen cookies.

Practical consequences:

  • After any suspected malware incident, terminate active sessions on every important account — not just change passwords. Most major providers have a “sign out all devices” button; use it.
  • Shorter cookie lifetimes are safer. Some accounts (banks, work accounts) re-authenticate frequently; consumer accounts tend to keep you signed in for months. On accounts holding sensitive documents, periodically sign out manually.
  • Hardware keys still matter, because they make the initial account compromise much harder. Session theft is a post-compromise capability; strong MFA prevents the compromise in the first place.
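The three consequences above follow from how a server-side session table behaves, and the added example below (not code from this article or from any provider it mentions) is a minimal such table: sessions are issued after sign-in, looked up by a hash of the cookie value, expired by an absolute lifetime and an idle timeout, and revoked by a “sign out all devices” operation. The user names, cookie lifetimes and timeline are constructed. The point of the demo function is that the store never asks which device or network presents the cookie, so a copied cookie is accepted until it expires or is revoked; changing the password would not touch this table at all.

```python
import hashlib
import secrets
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # constructed policy: re-authenticate at least every 8 hours
IDLE_TIMEOUT = 30 * 60         # constructed policy: drop sessions unused for 30 minutes

@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    revoked: bool = False

class SessionStore:
    """Server-side session table keyed by a hash of the cookie value, so a leaked
    table does not hand out usable cookies. Times are passed in so the demo is deterministic."""

    def __init__(self) -> None:
        self._sessions = {}

    @staticmethod
    def _key(cookie_value: str) -> str:
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Called after password + MFA succeed. The returned value is what Set-Cookie carries."""
        cookie_value = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie_value)] = Session(user, now, now)
        return cookie_value

    def validate(self, cookie_value: str, now: float):
        """Return the user for a live session, or None. Note what is NOT checked: which
        device or network presents the cookie. A copied cookie is as good as the original."""
        s = self._sessions.get(self._key(cookie_value))
        if s is None or s.revoked:
            return None
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return None
        s.last_seen = now
        return s.user

    def sign_out_all_devices(self, user: str) -> int:
        """The 'sign out all devices' button. A password change does not touch this table;
        only revocation does. Returns how many live sessions were killed."""
        killed = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                killed += 1
        return killed

def demo_cookie_theft():
    """Timeline: sign in at t=0, the same cookie value presented from elsewhere at t=100,
    then the user hits 'sign out all devices'."""
    store = SessionStore()
    laptop_cookie = store.issue("alice", 0.0)
    copied_cookie = laptop_cookie                     # an exfiltrated cookie is just the same string
    before = store.validate(copied_cookie, 100.0)     # "alice": no password, no MFA prompt
    killed = store.sign_out_all_devices("alice")
    after = store.validate(copied_cookie, 101.0)      # None: the copy died with the original
    return before, killed, after

if __name__ == "__main__":
    print(demo_cookie_theft())
```

Shortening ABSOLUTE_LIFETIME is the knob behind “shorter cookie lifetimes are safer”: it caps how long a stolen copy stays useful without any action from the user.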

The companion article Infostealers and the documents on your laptop covers session cookie theft in more depth.

Account recovery: the back door that is usually unlocked

Nearly every compromise story has a section near the end where the writer says “but how did they get in when I had MFA enabled?” and the answer, surprisingly often, is: account recovery.

The account-recovery flow is what lets you regain access when you lose your password or your second factor. It is also, frequently, weaker than the normal sign-in — typically some combination of:

  • A recovery email address.
  • A recovery phone number (often SMS-only).
  • Security questions whose answers are guessable or knowable.
  • A customer-support ticket with a photo of ID.

If any of those is easier to compromise than your front door, the front door doesn’t matter. Attackers go around it.

Harden the recovery path:

  1. Recovery email — make it an account that is itself protected with a hardware key.
  2. Recovery phone — remove it entirely if the service allows, since it’s SMS-anchored and SIM-swappable.
  3. Security questions — if the service forces them, generate random answers and store them in your password manager. “My first pet’s name” is whatever the password manager generated, not the real name that is on your Facebook.
  4. Backup codes — download the 10 one-time codes, print them, and store them in a safe. Don’t email them to yourself.
  5. Trusted contacts / recovery contacts — on platforms that support them (Apple, Google), add one, and make sure it’s a person who is also well-protected.
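Item 4 is worth seeing from the service’s side, because “one-time” is a property the server has to enforce. The added example below (not code from this article or from any provider it names) issues ten backup codes, keeps only salted PBKDF2 hashes of them, lets each code be redeemed exactly once, and locks the recovery path after a handful of wrong guesses. The code format, the count of ten, the iteration count and the five-attempt lockout are constructed policy choices; the lockout is what makes a 32-bit code acceptable, since without throttling a code that short could be guessed online.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10          # matches the 10 codes most services hand out
MAX_FAILED_ATTEMPTS = 5  # constructed policy: lock the recovery path after 5 bad codes

def _normalize(code: str) -> str:
    """Accept 'ab12-cd34', 'AB12 CD34' or 'ab12cd34' as the same code."""
    return code.replace("-", "").replace(" ", "").lower()

def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are short, so use a slow KDF rather than a bare hash; PBKDF2 keeps it stdlib-only.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 50_000)

class BackupCodes:
    """Issue one-time recovery codes, keep only salted hashes, and consume each code once."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes = []
        self._failed = 0

    def issue(self) -> list:
        """Generate a fresh set; the plaintext is returned exactly once for the user to print.
        Any previously issued set is invalidated."""
        self._hashes, self._failed = [], 0
        codes = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_hex(4)          # 32 bits of randomness, shown as xxxx-xxxx
            code = f"{raw[:4]}-{raw[4:]}"
            codes.append(code)
            self._hashes.append(_hash_code(code, self._salt))
        return codes

    def remaining(self) -> int:
        return len(self._hashes)

    def locked(self) -> bool:
        return self._failed >= MAX_FAILED_ATTEMPTS

    def redeem(self, candidate: str) -> bool:
        """True exactly once per valid code; False for reuse, unknown codes, or a locked set."""
        if self.locked():
            return False
        h = _hash_code(candidate, self._salt)
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(h, stored):
                del self._hashes[i]   # single use: the hash is gone, so a reused code fails
                self._failed = 0
                return True
        self._failed += 1
        return False

if __name__ == "__main__":
    bc = BackupCodes()
    codes = bc.issue()
    print("print these and put them in the safe:", codes)
    print("first use:", bc.redeem(codes[0]), "second use:", bc.redeem(codes[0]))
    print("remaining:", bc.remaining())
```

Because only hashes are stored, the service cannot re-display the codes later; that is why the printed copy matters and why a new set is issued, invalidating the old one, when a user loses theirs.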

The practical account-hardening short list

For every account holding documents you care about (email, cloud storage, banking, tax, medical, work SSO):

  1. Unique long password in a password manager. Never reused.
  2. Phishing-resistant MFA — hardware key or passkey. Two hardware keys, ideally, kept in separate physical locations.
  3. SMS removed as a second factor if the service allows it.
  4. Backup codes printed and stored with other important papers.
  5. Recovery email and phone reviewed and hardened — or removed.
  6. Connected apps and active sessions reviewed annually.
  7. Password-manager vault itself protected by a hardware key.

That list, done once, is the single highest-leverage security investment most readers will make this year. A password is a guess gate. Layered authentication makes the gate actually useful.

The account hardening walkthrough applies this list to the four most common document-storage providers.

Sources

  1. NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
  2. CISA — Implementing Phishing-Resistant MFA
  3. FIDO Alliance — How FIDO Works
  4. W3C — Web Authentication: An API for accessing Public Key Credentials (WebAuthn Level 3)
  5. Apple — About the security of passkeys