It all starts with a compromise
It always begins with a password.
In June 2024, a procurement officer at a large local firm used the same password, Brenda@2020, across her Gmail, Zoom, and company ERP. She thought no one would care. But someone did.
A hacker running a darknet scraping tool picked it up from a 2021 data breach dump. Within hours, he was in. Not just into her Gmail, but into the firm's internal payment systems. The hacker didn't break down a door. He walked in with a borrowed key.
This is not just about weak passwords. It’s about passwords themselves. They’ve become the single point of failure in our digital lives.
The password paradox
Passwords were invented in the 1960s. But in 2025, they’re still guarding trillion-shilling systems, despite being laughably outdated.
Here’s the paradox:
The stronger your password, the harder it is to remember.
The easier it is to remember, the easier it is to hack.
This gives rise to the three horsemen of digital doom: Re-use. Predictability. Social engineering.
You can have the best firewall, but if your HR manager is using Godisgood@123, you’re a ticking time bomb.
The phasing out of passwords: Enter passkeys
The future is passwordless.
Tech giants like Google, Apple, and Microsoft have adopted passkeys, cryptographic credentials that never leave your device. Instead of typing a password, you use your fingerprint, face, or device PIN. The secret never travels across the internet. So it can’t be phished, stolen, or brute-forced.
Think of passkeys as digital locks with no keys. Only your face or finger can open them.
But here's the real power: zero-knowledge architecture. The server doesn't even store your credentials. No more vaults to break into. No more passwords to leak.
What makes passkeys better
- a) They're phishing-proof. No one can trick you into "entering" a passkey, because you don't enter it. You just verify.
- b) They're seamless. Log in to your banking app with Face ID? That's a passkey in action.
- c) They're device-bound. Your biometric data never leaves your phone. That means even if a hacker breaches the server, they get nothing.
This is a paradigm shift from “what you know” (passwords) to “what you are” (biometrics).
So why are we still stuck in 2005?
Because enterprises are slow.
In Uganda, most government systems still run on basic login forms, sometimes with no multi-factor authentication at all. Banks preach security, yet allow 4-digit PIN resets over the phone. And SMEs? They share passwords across departments like they’re sweets.
Passkeys threaten not just bad habits, but entire business models built on selling password managers, OTP tokens, and ‘user support’ services.
This change isn’t just technological. It’s cultural. And culture resists change.
A real-world case: when a bank chose wrong
Summit Consulting was called to investigate a breach at a digital-only bank in East Africa. An insider used a former employee's credentials, which were still active, to access backend systems.
Why?
Because no one had enabled biometric authentication or zero-trust policies.
No device binding.
No session expiry.
Just passwords.
One compromise. UGX 1.2 billion lost. In three transactions.
A system that depended on trust and static passwords was no match for modern fraud.
The future: digital identity without friction
Imagine this:
You walk into your office. Your workstation unlocks automatically when your watch comes within 2 meters.
Your payroll system recognizes your face.
Your access to sensitive documents is time-bound and geofenced.
That's not sci-fi. That's passkeys plus contextual authentication. And it's already here.
The future of digital identity is invisible security.
Seamless to the user.
Brutal to the attacker.
Why CEOs must care now
Passwords are not just an IT issue. They’re a boardroom risk.
Every fraud case I’ve handled in the last 18 months has had one thing in common:
Credential compromise.
Yet most leaders still rely on “change your password every 90 days” as a security policy. That’s like changing the padlock every month while leaving the door wide open.
Passkeys eliminate the human error factor.
They reduce helpdesk costs.
They improve compliance.
More importantly, they reduce fraud exposure by design.
Closing thoughts: kill the password before it kills your company
If your organisation is still relying on passwords in 2025, you’re not behind the curve. You’re inside the breach.
As Mr Strategy, I say this with brutal clarity:
Password policies won’t save you. Passkeys will.
Make the switch.
Mandate biometric sign-ins.
Train your staff on behavioral phishing, not just “IT policy.”
And above all, never let digital identity be an afterthought.
Because identity is the new perimeter. And if your walls are weak, you won’t know you’ve been breached—until it’s too late.
Let Summit Consulting help you cross that bridge. Before someone else burns it down.