Passwords Are Broken—Passkeys Fix Everything

Published 5 months, 3 weeks ago
Description
Passwords don’t fail because users are careless. They fail because the system itself is broken. Phishing, credential stuffing, and constant resets prove we’ve been leaning on a weak foundation for decades. The fix already exists, and most people don’t realize it’s ready to use right now. In this session, I’ll show you how passkeys and WebAuthn let devices you already own become your most secure login method. You’ll get a clear overview of how passkeys work, a practical ASP.NET Core checklist for implementation, and reasons business leaders should care. Before we start, decide in the next five seconds—are you the engineer who will set this up, or the leader who needs to drive adoption? Stick around, because both roles will find takeaways here. And to see why this matters so much, let’s look at the real cost of relying on passwords.

The Cost of Broken Passwords

So why do so many breaches still begin with nothing more than a weak or stolen password, even after organizations pour millions into security tools? Firewalls grow stronger, monitoring gets smarter, and threat feeds pile higher, yet attackers often don’t need advanced exploits. They walk through the easiest entry point—the password—and once inside, everything downstream is suddenly vulnerable. Most businesses focus resources on layered defenses: endpoint protection, email filtering, threat hunting platforms. All valuable, but none of it helps when an employee recycles a password or shares access in a hurry. A single reused credential can quietly undo investments that took months to implement. Human memory was never meant to carry dozens of complex, unique logins at scale. Expecting discipline from users in this environment isn’t realistic—it’s evidence of a foundation that no longer matches the size of the problem.

Here’s a common real-world scenario. An overworked Microsoft 365 administrator falls for a well-crafted phishing login page. The attacker didn’t need to exploit a zero-day or bypass expensive controls—they just captured those credentials. Within hours, sensitive files leak from Teams channels, shared mailboxes are exposed, and IT staff are dragged into long recovery efforts. All of it triggered by one compromised password. That single point of failure shows how quickly trust in a platform can erode.

When you zoom out to entire industries, the trend becomes even clearer. Many ransomware campaigns still begin with nothing more than stolen credentials. Attackers don’t require insider knowledge or nation-state resources. They just need a population of users conditioned to type in passwords whenever prompted. Once authenticated, lateral movement and privilege escalation aren’t particularly difficult. In many cases, a breached account is enough to open doors far beyond what that single user ever should have controlled.

To compensate, organizations often lean on stricter policies: longer password requirements, special characters, mandatory rotations every few months. On paper, it looks like progress. But in reality, users follow patterns, flip through predictable variations, or write things down to keep track. This cycle doesn’t meaningfully shrink the attack surface—it just spreads fatigue and irritation across the workforce.

And those policies generate another hidden cost: password resets. Every helpdesk knows the routine. Employees lock themselves out, reset flows stall, identities must be verified over the phone, accounts re-enabled. Each request pulls time from staff and halts productivity for the worker who just wanted to open an app. The cost of a single reset may only be measured in tens of dollars, but scaled across hundreds or thousands of employees, the interruptions compound into lost hours and serious expense.

The impact doesn’t stop with IT. For business leaders, persistent credential headaches drain productivity and morale. Projects slow while accounts get unlocked. Phishing attempts lead to compliance risks and potential reputation damage. Mandatory rese