FBI warns Gmail, Outlook, AOL and Yahoo users – hackers gain access to accounts

Updated November 3 with new reports on passkey adoption as an alternative to MFA, including new developments intended to expand adoption further and address key challenges.

“Cybercriminals are gaining access to email accounts,” the FBI warned this week, even when accounts are protected by multifactor authentication (MFA). Attacks begin when users are tricked into “visiting suspicious websites or clicking on phishing links that download malicious software to their computer.”

Email access itself occurs via cookie theft. Not the evil tracking cookies we read so much about and which wreaked havoc when Google went back on its promise to remove them from Chrome. These are session cookies or security cookies or “remember me” cookies. They store login information so you don’t have to log in every time you visit a website or access one of your accounts.

The threat affects all email platforms that offer web logins, with Gmail, Outlook, Yahoo and AOL being by far the largest. The same threat clearly affects other accounts, including shopping websites and financial platforms, although additional protections are now often in place, particularly for financial accounts. MFA is not typically stored in the same way and criminals use other means to steal live codes.

“Many users across the web are falling victim to cookie-stealing malware,” Google warned, “giving attackers access to their web accounts.” While Google describes security cookies as “essential to the modern web… because of their powerful utility,” it also calls them “a lucrative target for attackers,” and this problem is only getting worse.

“Typically, this type of cookie is generated when a user clicks the ‘Remember this device’ checkbox when logging into a website,” the FBI explains. “If a cybercriminal obtains the Remember Me cookie from a user’s last login to their web email, they can use that cookie to log in as that user without needing to provide their username, password, or multi-factor authentication (MFA).”

Cookie theft has been in the news a lot lately, and Google and others are continually working to prevent such thefts in Chrome and other browsers. The latest initiatives of this kind focus on binding cookies to devices and apps, so that a stolen cookie is useless on its own. But these efforts are still in the early stages and cookie theft remains a major threat.
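The device-binding idea described above, as an added illustration that is not code from the article, Google or the FBI: a hypothetical server stores a per-device key alongside each “remember me” session and requires a fresh per-request proof computed with that key, so a copied cookie value alone is rejected and the failed attempt lands in the user-visible device history. The HMAC shared key is an assumed simplification; real device-bound sessions use an asymmetric key held in the device’s TPM or secure enclave.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    # Hypothetical server that binds each 'remember me' session to a device key.
    def __init__(self):
        self._sessions = {}   # sid -> (user, device_key, expiry)
        self._nonces = set()  # outstanding single-use challenges
        self.audit = []       # device/login history a user could review

    def login(self, user, device_key, ttl=30 * 86400):
        sid = secrets.token_urlsafe(32)  # the cookie value a thief could copy
        self._sessions[sid] = (user, device_key, time.time() + ttl)
        self.audit.append(("login", user))
        return sid

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fresh per request, so a captured proof cannot be replayed
        self._nonces.add(nonce)
        return nonce

    def validate(self, sid, nonce, proof):
        entry = self._sessions.get(sid)
        if entry is None or time.time() > entry[2] or nonce not in self._nonces:
            return None
        self._nonces.discard(nonce)  # single use
        user, device_key, _ = entry
        if not hmac.compare_digest(device_proof(device_key, sid, nonce), proof):
            self.audit.append(("rejected", user))  # cookie presented without the device key
            return None
        return user


def device_proof(device_key, sid, nonce):
    # Computed on the legitimate device; a stolen cookie alone cannot produce this.
    return hmac.new(device_key, sid.encode() + nonce, hashlib.sha256).digest()


def demo():
    # Legitimate device, stolen cookie with a guessed key, and a replayed proof.
    store = SessionStore()
    key = secrets.token_bytes(32)  # constructed: stands in for a TPM-held key
    sid = store.login("alice", key)
    n1 = store.challenge()
    ok = store.validate(sid, n1, device_proof(key, sid, n1))
    n2 = store.challenge()
    stolen = store.validate(sid, n2, device_proof(b"attacker-guess", sid, n2))
    replay = store.validate(sid, n1, device_proof(key, sid, n1))
    return ok, stolen, replay, store.audit
```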

“Cybercriminals are increasingly focused on stealing Remember Me cookies and using them as a preferred method of accessing a victim’s email,” the FBI warns, but suggests four steps “to protect against putting yourself at risk:

  • Regularly delete your cookies from your internet browser.
  • Recognize the risks of clicking the “Remember me” checkbox when logging in to a website.
  • Do not click on suspicious links or websites. Only visit websites with a secure connection (HTTPS) to prevent your data from being intercepted in transit.
  • Regularly monitor your current device login history in your account settings.”

As always, if you believe you have been a victim of this or any other cybercrime, you can report it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.

The FBI’s recent warning about MFA compromises should in no way discourage users from setting up MFA on all accounts where it is available. This is the best step you can take to secure your accounts. And coupled with good management of what you download, install, click and open, it can keep you safe.

The importance of MFA is well summed up by the reaction to Amazon finally adding MFA to its business email service. “Better late than never seems to be the justification for the almost ten-year delay,” TechRadar reported on Friday, “particularly for one of the most basic forms of identity verification that has been common practice for several years,” and warned: “There are still hurdles to enabling MFA for WorkMail because it is not enabled by default and system administrators need to manually add each user to the AWS Identity Center.”

The Register echoed this sentiment. “The fact that a security service as simple as MFA was missing from something that so desperately needs it – a corporate email platform run by one of (if not the) largest cloud services providers in the world – is frankly shocking.”

Any MFA is better than none – period. However, there is clearly a spectrum of security and not all solutions are created equal. Passkeys are best when available – they link credentials to device security, similar to a physical security key, without the hassle of using an actual physical security key. However, if an SMS one-time code is the only option available, it is better to use that than to leave your security to a password alone.

The good news for users is that passkeys are on the rise. According to a new report from the FIDO Alliance, “In the two years since passkeys were announced and made available to consumers, passkey awareness has increased 50%, from 39% in 2022 to 57% in 2024.” Passkeys are by far the simplest alternative to the username/password combination and MFA, and you should always use them when available. They prevent unauthorized access to an account unless an attacker has complete control of one of your secure devices and can essentially pretend to be you.

“The majority of those familiar with passkeys enable logins using the technology,” FIDO says. “Although passwords remain the most common account login method, overall usage has declined as the availability of alternatives increases.”

In addition to the security benefits of passkeys, FIDO also points out the benefits for brands and service platforms that now offer this as an option. “42% of people have abandoned a purchase at least once in the last month because they couldn’t remember their password,” it says, adding that “this number rises to 50% among 25-34 year olds, versus only 17% among those over 65,” which raises another problem.

Echoing the FBI warning, FIDO also says that “more than half of consumers reported an increase in the number of suspicious messages they are noticing and an increase in the sophistication of scams due to AI. Younger generations are even more likely to agree, while older generations remain uncertain about how AI will impact their online security.”

FIDO’s new report shows that passkey usage is highest when linked to the ease of biometric device security. This seamless approach to securing one’s identity is the same driver for the viral rise of Apple Pay, Google Pay and other digital wallets.

While passkeys are primarily aimed at the consumer/home market, efforts are currently underway to expand this to enterprises. As 9to5mac has just reported: “The FIDO Alliance has taken a major step towards improving the usability of passkeys by introducing two new draft specifications: the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF). These proposals are intended to address a key issue slowing enterprise passkey adoption: vendor lock-in.”

These new specifications are intended to create a “standardized, secure way to transfer passkeys between different password managers without removing and re-adding them from each platform,” which matters more for businesses than for users already attached to their iPhone, Android or password manager ecosystem.

“By standardizing the way passkeys are managed and transmitted,” 9to5mac suggests, “the new specifications will help businesses and consumers have more freedom to choose the best tools for their needs, without being tied to a single ecosystem.” Over time, this will lead to wider adoption of passkeys and “continue to drive the move away from passwords, which are often the weakest link in personal and organizational security.”
