Passkeys Are Winning the Login Fight. Attackers Are Moving to the Verification Step.
Credential stuffing is fading as passkeys go mainstream. The next account takeover battle is happening at password resets, help desks, and identity checks.

Key points
- Passkeys, a password replacement backed by Apple, Google and Microsoft, have gone mainstream in 2025, making bulk credential-stuffing attacks far less profitable.
- Attackers are shifting focus from the login screen to the account recovery and verification steps, where a phone call or an SMS code can still unlock an account.
- Account takeover, known as ATO, is the industry term for a criminal gaining control of someone else's online account.
- Defenders who spent a decade hardening logins now have to harden the help desk, the password reset flow, and the identity check that sits behind them.
For about ten years, breaking into online accounts followed a boring recipe.
Criminals bought huge lists of stolen usernames and passwords, fed them into automated tools, and waited for matches. This is called credential stuffing: throwing known passwords at millions of login pages to see which ones open. It was cheap. It scaled. And for the security teams on the other side, it was at least a familiar problem.
That era is ending. Not because the criminals lost interest. Because the front door finally got harder to kick in.
Passkeys are now mainstream. A passkey is a login method that replaces the password with a cryptographic key stored on your phone or laptop, unlocked with your face or fingerprint. There is nothing for a criminal to guess and nothing useful to steal from a breached database. Apple, Google and Microsoft have all pushed passkeys into their consumer products, and major banks, retailers and workplace tools have followed.
The practical effect: stuffing a million stolen passwords into a login page produces far fewer wins than it did two years ago.
So the attackers are moving.
Where are the criminals attacking now?
They are attacking the verification step, the part of an account that handles "I forgot my password" or "I got a new phone."
Every account has one. It has to. Real users lose devices, change numbers, and get locked out. So every service builds a back route: call the help desk, receive a code by text message, answer a security question, upload a photo of an ID. That back route is now the softest part of the system.
The pattern, as laid out in reporting by The Hacker News, is straightforward. Criminals no longer need your password if they can convince a support agent, or an automated recovery flow, that they are you. A well-rehearsed phone call to a help desk. A SIM swap, where a mobile carrier is tricked into moving your number to the attacker's SIM card. A forged driver's licence uploaded to an identity-check vendor. Any of these can hand over an account that a passkey was supposed to protect.
This is not theoretical. Some of the biggest breaches of the past two years, including intrusions at major hotel chains, casinos and tech firms, started with a phone call to IT support, not a cracked password.
What does this mean for ordinary people?
For customers, the login screen is safer than it has been in years. Turn on passkeys wherever your bank, email provider or workplace offers them. It is the single best move you can make.
But watch the recovery channels. If you get an unexpected text saying your phone number is being moved, or an email confirming a password reset you did not ask for, treat it as an emergency. Call the company on a number from its official website, not one from the message.
For companies, the work has shifted. The login page is mostly solved. The help desk is not. Support agents need scripts that assume the caller is lying. Identity-verification vendors need to be tested against deepfake IDs and AI-generated selfies, which are cheap to produce in 2025. Password reset flows need the same paranoia that login flows got a decade ago.
The attackers found the seam. The defenders now have to sew it shut.



