Passwordless Authentication – From Myth to Reality

“Cyber hygiene” is like personal hygiene: it consists of best practices that contribute positively either to human health—thereby extending life expectancy—or, in the case of cyber hygiene, to the health of IT assets, protecting them from attacks and ultimately prolonging their lifespan.


Just like personal hygiene, cyber hygiene must be learned and requires a certain level of discipline to be properly applied. Moreover, both must continuously adapt to the ever-evolving “threats” that surround us, adjusting habits and practices in order to maintain a certain level of resilience and survival.

Authentication: the foundation of cybersecurity

Let’s start with a fundamental principle of cybersecurity: authentication.

This concept is essential, as it forms the foundation of the “3 A’s” rule: Authentication, Authorization, and Auditing.

It is crucial to be certain of the identity of a user, application, or device before granting access to resources with the appropriate permissions and privileges. In other words: “Tell me who you are, and I will tell you what you are allowed to do and what you can access.”

All modern operating systems are built around a security subsystem that incorporates this 3A principle.

Therefore, it is essential to “authenticate properly,” with the underlying requirement that no one else should be able to impersonate you in any way. This is where the real challenge begins.

Cybercriminals have clearly understood that by impersonating you, they can do exactly what you are allowed to do.

While this has always been true throughout history, in the context of digital identity, the complexity, subtlety, and poor practices significantly increase the risk of incidents—many of which have led to the most widely publicized cyberattacks.

MFA or nothing

Multi-Factor Authentication (MFA) is synonymous with strong authentication. Its principle is simple: it ensures that a user (and this also applies to applications and devices) authenticates using at least two distinct factors:

  1. Something they know (PIN code, password, etc.)
  2. Something they have (smart card, smartphone, physical key, etc.) or something they are (biometrics: fingerprint, facial recognition, retinal scan, etc.)

It is important to note that confusion often arises here—we are indeed talking about two distinct factors.

This approach was originally developed for the general public with the introduction of ATMs by banks.

Your bank card combined with a simple PIN code ensures that:

  1. Security against identity theft is very high
  2. The user experience remains smooth and efficient

It is therefore natural that these “best practices” have been adopted in the digital world, where all high-risk authentications should rely on an MFA approach.

However, several factors have introduced constraints that impact the user experience.

Among them (non-exhaustive list):

  • Password policies requiring complex, very long passwords that must be changed regularly (especially when used without a second authentication factor).
  • The lack of Single Sign-On (SSO), leading to a multiplication of user accounts and second authentication factors. Not everyone benefits from a unified IAM system for all their access.

Password vaults and simplified MFA

This has led to an extremely complex environment, where the number of complex, frequently changing passwords becomes unmanageable.

As a result, two major developments emerged:

  1. Password vaults
  2. Simpler, less restrictive MFA systems

This second point is critical to understanding recent developments. Historically, in environments where cybersecurity was taken seriously, organizations relied on:

  • Smart cards (requiring specific readers or USB devices)
  • OTP tokens (One-Time Passwords: 6-digit codes valid for 30 to 60 seconds)

Well-known providers included RSA and Vasco (now OneSpan).

These solutions introduced physical constraints, such as carrying a token or using dedicated hardware.

With the rise of smartphones, these OTP tokens quickly evolved into mobile applications generating OTPs. Soon after, many providers began offering OTPs via apps, SMS, or email. This marked a major shift in user experience: fewer constraints while maintaining MFA-level security.

Beware of cyberattacks

However, every new technology comes with new risks. These methods have become vulnerable to attacks such as phishing, where attackers capture both:

  • The first factor (password)
  • The second factor (OTP), which is then reused instantly within its 30–60 second validity window

At the same time, a secure standard protocol called FIDO (now FIDO2) emerged. It is resistant to such attacks (e.g., phishing) but reintroduces a physical component: a security key.

Some believe FIDO2 keys are a miracle solution. Unfortunately, they are not. They do improve security, but they do not fully protect against authentication attacks.

Take the example of accessing Microsoft 365.

FIDO2 protects against traditional phishing attacks. However, if a cybercriminal manages to extract the Microsoft session cookie stored on your device, they can easily access your resources (emails in Exchange Online, files in SharePoint, Teams, etc.). These session cookies were introduced to improve user experience by avoiding repeated authentication.
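The phishing resistance of FIDO2 comes from checks the relying party performs on what the browser and authenticator return. The following is an added example (not code from the article, Microsoft, or the FIDO Alliance) of those checks in Python: the browser fills in the page origin in `clientDataJSON`, and the authenticator binds the assertion to the RP ID through `rpIdHash`, so a response produced on a look-alike host fails both checks. The RP ID `login.example.com`, the origin, the challenge bytes and the `authenticatorData` layout used here are constructed; the signature verification over `authenticatorData || SHA-256(clientDataJSON)` that follows these checks is not shown. These checks run only at authentication time, which is exactly why a session cookie taken afterwards bypasses them.

```python
import base64
import hashlib
import hmac
import json

# Constructed relying-party identity for the demonstration.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """What a browser serialises as clientDataJSON for navigator.credentials.get().
    The browser sets the origin from the page that made the call; a page on another
    host cannot make it say anything else."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4).
    Flags 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    issued_challenge: bytes) -> list:
    """Relying-party checks (WebAuthn assertion verification) that give the ceremony
    its phishing resistance. Returns the list of failed checks; an empty list means
    the assertion may proceed to signature verification."""
    failures = []
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if client_data.get("type") != "webauthn.get":
        failures.append("type is not webauthn.get")
    presented = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(presented, issued_challenge):
        failures.append("challenge does not match the one the server issued")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin %r is not the expected origin" % client_data.get("origin"))
    if len(authenticator_data) < 37:
        failures.append("authenticatorData too short")
    else:
        if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
            failures.append("rpIdHash does not match the expected RP ID")
        if not authenticator_data[32] & 0x01:
            failures.append("user-presence flag not set")
    return failures


def scenarios() -> dict:
    """Constructed responses against one server challenge: the genuine site, a
    look-alike host, and a response built for a different (stale) challenge."""
    challenge = b"\x01" * 32  # constructed; a real server draws this at random per ceremony
    genuine = check_assertion(
        make_client_data(challenge, EXPECTED_ORIGIN),
        make_authenticator_data(EXPECTED_RP_ID), challenge)
    lookalike = check_assertion(
        make_client_data(challenge, "https://login-example.com"),
        make_authenticator_data("login-example.com"), challenge)
    stale = check_assertion(
        make_client_data(b"\x02" * 32, EXPECTED_ORIGIN),
        make_authenticator_data(EXPECTED_RP_ID), challenge)
    return {"genuine": genuine, "lookalike": lookalike, "stale_challenge": stale}


if __name__ == "__main__":
    for name, failures in scenarios().items():
        print(name, "->", failures or "accepted")
```

The look-alike case fails on both the origin and the RP ID hash, and the server-issued challenge prevents an old response from being replayed. None of this helps once a valid session cookie has been copied off the device, which is the limitation the paragraph above describes.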

Making life easier… but not for cybercriminals

This brings us full circle. On one hand, we aim to simplify user experience to encourage the adoption of essential cyber hygiene practices. On the other hand, we introduce additional constraints to counter increasingly sophisticated attacks.

Finally, a new concept has emerged: passwordless authentication. Introduced with FIDO, this approach has also been extended to OTP-based systems. The idea: eliminate the password entirely.

After an initial enrollment phase, users authenticate only with a second factor, such as:

  • An OTP
  • Approving a push notification
  • Using a FIDO key
  • Scanning a fingerprint
  • Facial recognition

In short: more simplicity—but still no miracle solution.

The real answer: layered security. Ultimately, security does not rely on a single solution—no matter how advanced it may be. It relies on a structured, layered security architecture built on a relevant risk analysis. All of this must be supported by a security policy tailored to the organization’s needs.
