Password authentication has been a part of the web landscape for decades. On our platform, we continue to offer the traditional password login. At the same time, we are increasingly embracing modern passwordless methods like passkeys, OAuth2 login, or one-time codes via email.
The reason: Traditional security methods pose risks and pitfalls - notably security questions and enforced regular password resets. In this article, we illustrate why these methods are problematic and what lessons we learned from a specific phishing test conducted for a client.
Why We No Longer Use Security Questions
Many will remember: "What was the name of your first pet?" or "Where did you go to school?" The idea was to provide an extra security layer in case the password was forgotten.
The problem with this:
- Such information is often publicly accessible or easily guessed.
- Many users provide simple or the same answers repeatedly.
- In practice, security questions give an attacker an additional route into the account rather than real protection.
Therefore, we consistently refrain from using security questions.
The Risks of Enforced Password Resets
A widespread concept in companies and platforms is the requirement to change passwords regularly. At first glance, this seems like a sensible security measure. However, we've found that it can cause more harm than good.
A Real-life Example from Our Practice:
During a client project, we carried out a covert phishing test at the client's request. The goal was to assess the company's security awareness training. We:
- Registered a domain that closely resembled the real company's domain.
- Created a deceptively realistic login page with the company logo and original colors.
- Sent emails to employees that appeared to indicate a regular password reset was due.
The Result:
- Several managers with elevated rights and administrative access were among the first to "reset" their password on the fake site.
- None of the recipients noticed the misleading domain in the sender's address or the URL.
- The visual replica of the real site was enough for the branding to seem authentic.
Conclusion: Enforced password resets at fixed intervals make such attacks even easier. Since users are regularly prompted to change their passwords, a related email quickly becomes routine and goes unquestioned.
Why Passwordless Methods Make Sense
The weaknesses of traditional password methods can be largely eliminated through modern authentication techniques:
Passkeys & Security Keys
Biometric and hardware-backed methods without password entry. Login occurs via Face ID, fingerprint, or device PIN, and is phishing-resistant because the credential is a public-key pair bound to the site's origin: a look-alike domain cannot obtain a valid signature for the real site.
One-Time Codes via Email
Instead of a fixed password, users receive a code by email for each login. This is no less secure than a traditional email-based password reset, which already relies on access to the mailbox, but without the risks of password reuse or outdated hashing algorithms. Unlike a passkey, a mailed code can still be typed into a phishing page, so codes should be short-lived, single-use and limited to a few attempts.
OAuth2 / Social Login
Log in with existing accounts from providers like Google, Microsoft, or Apple, including their security standards and multi-factor authentication.
Our Approach
While we continue to offer traditional password login, we consciously avoid:
- Security questions
- Enforced password resets
Instead, we recommend passwordless authentication as the preferred method, promoting security awareness through training and transparent communication.
Want to make your own authentication system more secure and user-friendly? Contact us: we support you in integrating modern login methods and tailored security concepts into your applications.
