Gmail, Outlook 2FA Warning: Delete Your Password Now
www.forbes.com
The password era is over

Your password is not safe: billions of compromised passwords are now fueling cybercrime, putting both individuals and businesses at risk. And now there is a new 2FA warning that codes can be bypassed or stolen, with device hacks and malware capturing login credentials, tokens and session cookies in real time, effectively bypassing 2FA. This alarming new 2FA attack significantly raises the bar, rendering the security measures designed against conventional phishing largely ineffective.

The U.S. government has warned Americans to stop using SMS for 2FA, and we have just seen news that Google is now vanquishing SMS for its billions of Gmail users, albeit its reported QR code alternative is arguably misjudged. SMS 2FA codes are used in tandem with usernames and passwords; that combination needs to end. It's not enough to add more security to your account, you need to delete the old as well.

This campaign to replace the old with something new is accelerating as the threat landscape gets ever worse. In the last 24 hours alone, we have seen a new report from Cofense into sophisticated new phishing campaigns targeting Americans during tax season, and Fortinet warning of new lures impersonating government messages. This comes shortly after a new warning that even email signatures are now under attack.

Microsoft has come forward with the best advice for its users, and it applies across the board. The password era is ending, it says, and because bad actors know it, they're desperately accelerating password-related attacks while they still can. This starts with email, especially Gmail and Outlook, because most attacks start with phishing, and these are the access-all account credentials that are most prized.

Microsoft is running a campaign to delete passwords, with attacks doubling from a year ago. We've never had a better solution to these pervasive attacks: passkeys.
But if users enable passkeys but leave passwords and basic 2FA in place, the account is still at risk for phishing, it warns. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.

And that's the lesson from all the recent warnings, from the worsening of this threat landscape. Passkeys are not perfect, but they're much better and improving all the time. Relying on your secure, trusted device to credentialize you is better than any combination of passwords and codes that can be bypassed or intercepted.

The FIDO Alliance, which is shaping and driving passkey adoption, reached out to me this week with the news that 87% of enterprises in the U.S. and U.K. have implemented or are in the process of rolling out passkeys, warning that with AI-driven cyber threats on the rise, companies are prioritizing passkeys to enhance security, improve employees' user experience and meet compliance requirements.

But again, adopting passkeys is half the story; deleting passwords is the other, harder half. As Microsoft admits, even if we get our more than one billion users to enroll and use passkeys, it won't solve the problem if passwords aren't deleted as well.

The advice is simple. Set up passkeys on all accounts where that is an option. And disable SMS 2FA to ensure that your passkey is the only means of assuring access. If you have a stronger authentication measure in place, such as a physical key or authenticator app, then that's clearly good as well; they do the same thing.

To be more specific: you should not have any accounts without 2FA/MFA enabled, and do not use platforms or services that don't offer this. And you should identify your most sensitive accounts and services and ensure authentication is not just SMS-based.

Microsoft says that millions of users have deleted their passwords, albeit it needs that number to reach a billion before its job is done.
I'd like to see the same simplicity from Google as well, as these are the two companies with the biggest phished user bases.
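The phishing-resistance claim above rests on a binding that passwords and SMS codes lack: a passkey assertion is signed over the origin the browser actually visited and a one-time server challenge, so a look-alike site cannot relay it, whereas a code is just digits. The following is an added illustration, not code from the article or from Microsoft, Google or the FIDO Alliance: it models the relying-party checks on a WebAuthn clientDataJSON beside a plain OTP comparison, assuming a hypothetical origin https://accounts.example.com and leaving signature verification out of scope.

```python
import base64
import json
import secrets

# Assumed relying-party origin for this illustration; not from the article.
RP_ORIGIN = "https://accounts.example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON from a WebAuthn 'get' ceremony.

    The authenticator's signature covers this exact JSON, so a phishing site
    can neither edit the origin nor reuse the assertion against the real one.
    Verifying that signature is assumed to happen separately.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") != RP_ORIGIN:
        # The browser records the origin it really loaded the page from.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    return True, "ok"


def verify_otp(entered: str, issued: str) -> bool:
    """An SMS/authenticator code: correct digits verify no matter where they were typed."""
    return secrets.compare_digest(entered, issued)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser at `origin` would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    print(check_client_data(make_client_data(RP_ORIGIN, challenge), challenge))
    # Constructed look-alike domain: the relayed assertion is rejected by the server.
    print(check_client_data(make_client_data("https://accounts-example.com", challenge), challenge))
    # A relayed SMS code, by contrast, is indistinguishable from one typed on the real site.
    print(verify_otp("482913", "482913"))
```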