There was a time when passwords had authority. A single phrase, a clever combination of characters, a code only one person was supposed to know. That era is over. The moment attackers stopped breaking through firewalls and instead started breaking through people, the industry was forced to rethink its foundations. Phase 5 begins exactly at this turning point: when organizations realized that identity had become the new perimeter and that a password alone simply wasn’t enough. Gartner estimates that more than 80 percent of successful account takeovers in the last decade originated from weak, reused or compromised passwords. No other single factor has triggered as many incidents. And none was ignored for as long.
The first meaningful shift toward MFA was modest, almost quiet, and came in the form of RSA tokens. These small key fobs generated new numerical codes every 60 seconds, synchronized with a backend that seemed unshakeable. For many enterprises it was the first encounter with two-step verification, technically reliable, operationally simple, and surprisingly effective. “RSA tokens were the moment we first questioned the idea of relying on a single shared secret,” recalls a former identity administrator at a major European carrier. “It was inconvenient at times, but it worked and it was far safer than anything we had before.”
But the pressure for mobility, global access and distributed work quickly challenged that model. The next wave arrived with SMS one-time passcodes. They were easy to deploy, highly available and worked on any device. Millions of users suddenly had a second layer of protection whether they were at home, on a train or at an airport terminal. But it didn’t take long for the industry to understand that SMS-MFA was better than passwords but still not genuinely secure. SIM swapping, SS7 weaknesses, interception attacks. The message channel was simply not built for cryptographic trust. “SMS was a compromise between convenience and safety,” says a security architect at a global hosting provider. “But once attackers became financially motivated, that barrier was far too low.”
The real transformation came with app-based MFA. Authenticator applications from Microsoft, Google, Duo and others replaced insecure SMS codes with cryptographically generated tokens produced directly on the user’s device. The association between identity and smartphone, combined with push approvals, biometrics and device-bound secrets, changed everything. Suddenly an organization could not only verify that the correct password had been entered, but that the correct device was being used and the access attempt originated from an expected location. MFA became smarter with every push prompt, every local token and every biometric confirmation. Identity became harder to forge, harder to steal, harder to misuse.
But Phase 5 doesn’t end with authenticator apps. The most recent shift, passkeys, shows how fast the field continues to evolve. Passkeys don’t just improve passwords; they eliminate them entirely. They bind identity to hardware-backed cryptography, enabling users to authenticate through fingerprint or facial recognition without ever transmitting a reusable secret. “Passkeys are the first model that doesn’t supplement passwords, but replaces them outright,” says an IAM lead at a German technology group. “And they’re the first approach that finally delivers what we’ve been asking for for years: strong security without friction.”
Yet Phase 5 has its challenges. MFA fatigue has become a real threat. Users approve prompts reflexively. Attackers exploit that reflex. Even the strongest system can be undermined by human behavior when someone is tired, distracted or under pressure. Technology alone cannot fix this. It must be supported by clear policy, continuous user education and intelligent risk evaluation that detects when an authentication attempt simply doesn’t match the expected pattern. Identity is still a human topic, even when the tools become increasingly sophisticated.
Today, in the center of Phase 5, MFA is no longer optional; it is foundational. Access without MFA is considered negligent, in some industries even unacceptable. RSA tokens, SMS codes, authenticator apps, passkeys: the journey of the past decades shows a clear trajectory. Each stage has made identity more resilient, more adaptive and more resistant to compromise. But with every improvement, the stakes also grew. As identity became the primary protective layer, it became the most valuable target for attackers.
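The risk evaluation described above for MFA fatigue can start very simply. The following is an added example, not part of the original article or any vendor's product: it scans push-prompt logs for a burst of rejected or ignored prompts, and for an approval that follows such a burst. The log format, the ten-minute window and the threshold of five are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log: ISO timestamp, user, outcome of the prompt.
SAMPLE_LOG = """\
2024-05-01T02:10:00 alice denied
2024-05-01T02:10:40 alice timeout
2024-05-01T02:11:15 alice denied
2024-05-01T02:12:05 alice timeout
2024-05-01T02:12:50 alice denied
2024-05-01T02:13:30 alice approved
2024-05-01T08:59:00 bob timeout
2024-05-01T09:00:10 bob approved
2024-05-01T14:00:00 carol denied
2024-05-01T14:01:00 carol denied
2024-05-01T14:02:00 carol denied
2024-05-01T14:03:00 carol denied
2024-05-01T14:04:00 carol denied
"""

def parse(log):
    """Yield (timestamp, user, outcome) tuples from the assumed log format."""
    for line in log.splitlines():
        if line.strip():
            ts, user, outcome = line.split()
            yield datetime.fromisoformat(ts), user, outcome

def detect_push_fatigue(log, window=timedelta(minutes=10), threshold=5):
    """Return {user: verdict} for users whose prompts match a fatigue pattern.

    'burst': at least `threshold` denied or timed-out prompts inside `window`.
    'approved_after_burst': such a burst ended with an approved prompt.
    """
    recent = defaultdict(deque)  # user -> timestamps of rejected prompts
    verdicts = {}
    for ts, user, outcome in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                verdicts.setdefault(user, "burst")
        elif outcome == "approved":
            if len(q) >= threshold:  # approval right after a burst: escalate
                verdicts[user] = "approved_after_burst"
            q.clear()
    return verdicts
```

An `approved_after_burst` verdict is the case worth acting on first, for example by revoking the session and contacting the user, while a plain `burst` means the user held out and the password is likely already compromised.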
This is why Phase 5 remains open. It is not a static point in time but an evolving landscape. Perhaps passkeys will dominate the future, or perhaps they are only a stepping stone toward hardware-native or behavior-native authentication models. What’s certain is that the password era is ending. The MFA era is only beginning, and it will define the character of modern security for years to come.



