This is the year AI attacks come of age. So we were warned before 2025 began, and so it has turned out. While these include targeted attacks on individuals, even fraudulent support calls, nothing should be more frightening than a new video proving GenAI platforms can be prompted to carry out attacks on their own. It is still early days for this, but once it evolves it will scale beyond anything we’ve seen before.
A quiet announcement from Microsoft has just neatly framed the problem. “To ensure you never lose access to your Microsoft account,” it said, “we will prompt you to add a secondary email or recovery phone number to your account.” This is in addition to your Microsoft email, and for the majority of users that will mean Gmail. If one of these new AI-driven attacks costs you access to your Gmail account, then add your Microsoft account to the list of what is at risk.
Email is a woefully archaic platform, and the idea that we still need “recovery emails” in 2025 that can be used to reset passwords is slightly ludicrous. While Google’s decision to replace SMS for 2FA with QR codes made headlines, the reality is that users need to move to passkeys as soon as they can.
Passkeys are not perfect, with multiple teething issues still to be worked out, but they are the best we have today. Passkeys combine your own hardware with your own biometrics, which is the closest you can get to a dedicated security key without having to carry one around. And with passkeys in place, you can delete basic passwords and 2FA, as you don’t want any form of compromisable account access to remain in place.
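To make concrete why a passkey cannot be phished or stuffed the way a password can, here is an added illustration (not code from Microsoft, Google or the FIDO Alliance, and a simplified model of the WebAuthn flow rather than the real protocol). The private key never leaves the device, the site stores only a public key, and every login signs a fresh challenge bound to the site the credential was created for. The domain names `account.example.com` and `account-example.com.evil.test` are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is all the relying party (the website) stores after registration:
// a public key scoped to its own relying-party ID. Nothing here is a secret,
// so a breach of the site's database yields nothing an attacker can log in with.
type Credential struct {
	RPID      string
	PublicKey ed25519.PublicKey
}

// Authenticator models the user's device. Private keys live here, unlocked by
// the local biometric or PIN, and each is tied to the site it was created for.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	a.keys[rpID] = priv
	return Credential{RPID: rpID, PublicKey: pub}, nil
}

// signedData binds an assertion to both the relying party and this login's challenge.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	return append(rpHash[:], challenge...)
}

// Assert answers a login challenge. originRPID is the site the browser reports
// the user is actually on; a credential only exists for the site it was
// registered with, so a look-alike domain simply has nothing to sign with.
func (a *Authenticator) Assert(originRPID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[originRPID]
	if !ok {
		return nil, errors.New("no credential registered for " + originRPID)
	}
	return ed25519.Sign(priv, signedData(originRPID, challenge)), nil
}

// NewChallenge is the relying party's per-login random nonce; a captured
// signature is useless against any later challenge.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the relying-party check: recompute the bound data, verify the signature.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ed25519.Verify(cred.PublicKey, signedData(cred.RPID, challenge), sig)
}

// LoginSucceeds runs one full exchange from the given origin and reports
// whether the relying party accepts it.
func LoginSucceeds(auth *Authenticator, cred Credential, originRPID string) (bool, error) {
	challenge, err := NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Assert(originRPID, challenge)
	if err != nil {
		return false, err
	}
	return Verify(cred, challenge, sig), nil
}

func main() {
	auth := NewAuthenticator()
	cred, err := auth.Register("account.example.com") // constructed relying party
	if err != nil {
		panic(err)
	}
	ok, _ := LoginSucceeds(auth, cred, "account.example.com")
	fmt.Println("genuine site accepted:", ok)
	// Constructed look-alike host: the device holds no key for it, so there is
	// no secret the user could be tricked into handing over.
	_, err = LoginSucceeds(auth, cred, "account-example.com.evil.test")
	fmt.Println("look-alike site refused:", err)
}
```

The design point is the contrast with a password: a password is a shared secret the user can be talked into typing anywhere, while here the only thing that travels is a signature over data that names the real site and a one-time challenge, and the device will not even produce one for an unknown origin.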
Adding that secondary email, Microsoft says, “will help you recover your Microsoft account if you ever forget your password or get locked out for any reason.” The problem is that attacks compromise one account and that leads to others. And email remains — unfortunately — at the center of this archaic web.
As I warned last month, with new attacks bypassing 2FA codes and exploiting literally billions of compromised passwords, it’s time to stop using passwords and basic 2FA and switch to passkeys instead. The AI attack warnings we’ve seen since suggest you should not wait and should do this right away. The landscape is changing quickly.
We’re on the right track. The FIDO Alliance, which is behind the passkey drive, reports that across enterprises, “two thirds (68%) of all respondents said the deployment of passkeys is a high or critical priority in their organization.”
Ironically, Microsoft also says it wants to push passkeys across its billion-plus users and have passwords “deleted” as a result. That’s the change we need, and we need to see the same clarity from Google, Apple, Meta and the rest.
But don’t wait for Google’s Gmail 2FA upgrade to arrive. Set up a passkey now, and then, with a password still in place as a backup, pick the most robust form of 2FA available to you — an authenticator app is fine, and certainly not SMS. Google says that with passkeys set, it will put more focus into safeguarding accounts against password-based access. It all starts with you changing your own account. Do that now.