Aflac, a leading US insurance provider, became the first major insurance company to adopt **passkeys** as part of its passwordless authentication strategy. The transition improved both security and operations: password recovery requests fell by **32%** and roughly **30,000 identity-related support calls a month** were eliminated. The article places this against the industry-wide problem of **stolen credentials**, still a dominant attack vector; it cites Verizon's 2025 Data Breach Investigations Report as finding that **88% of breaches** involve compromised credentials, typically obtained through **phishing, brute force, or credential stuffing**. Passkeys remove those password-based weaknesses because the service stores only a public key, and the signature a user's authenticator produces is bound to a one-time challenge and to the site's origin, so there is no shared secret to phish, guess, or stuff. The residual risk sits in **legacy systems, hybrid authentication models, and incomplete adoption**: where **device dependency, compatibility gaps with older systems, or user resistance** keep a password fallback alive, an attacker can target that fallback, or unpatched transitional infrastructure, instead of the passkey. Aflac's move therefore shrinks its attack surface, but **credential-theft-driven breaches remain possible** in hybrid environments, particularly where employees or third-party vendors still authenticate with passwords to some services.
TPRM report: https://www.rankiteo.com/company/aflac
"id": "afl4392343092525",
"linkid": "aflac",
"type": "Breach",
"date": "6/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "All new user accounts (passwordless by default since May 2025)",
      "industry": "Software and Cloud Services",
      "location": "Redmond, Washington, USA",
      "name": "Microsoft",
      "size": "Large (Global Enterprise)",
      "type": "Technology Corporation"
    },
    {
      "industry": "Insurance and Financial Services",
      "location": "Columbus, Georgia, USA",
      "name": "Aflac",
      "size": "Large (Major US Insurance Company)",
      "type": "Insurance Provider"
    }
  ],
  "customer_advisories": [
    "Users are encouraged to adopt passkeys where available for improved security and convenience.",
    "Customers of organizations transitioning to passkeys should follow provided guidelines for setup and recovery processes."
  ],
  "date_publicly_disclosed": "2025-05-01",
  "description": "The article discusses the shift from traditional password-based authentication to passkeys, a passwordless authentication method based on public key cryptography. It highlights the security advantages of passkeys, such as resistance to phishing, brute force, and credential stuffing attacks, as well as their convenience for users. Major companies like Microsoft and Aflac have adopted passkeys, reporting significant improvements in login success rates and reductions in support costs. However, challenges such as device dependency, setup complexity, legacy system compatibility, and user education remain barriers to widespread adoption. The article also emphasizes the continued importance of securing passwords in hybrid environments where they are still used as fallbacks.",
  "impact": {
    "brand_reputation_impact": ["Positive perception of enhanced security measures"],
    "identity_theft_risk": ["Reduced due to elimination of password-based vulnerabilities"],
    "operational_impact": [
      "Reduction in Password Recovery Requests (32% drop for Aflac)",
      "Decrease in Identity-Related Support Calls (~30,000 fewer calls monthly for Aflac)"
    ]
  },
  "investigation_status": "Ongoing industry-wide adoption and analysis",
  "lessons_learned": [
    "Passkeys significantly reduce vulnerabilities associated with traditional passwords (e.g., phishing, brute force, credential stuffing).",
    "User convenience and security can coexist with passkeys, leading to higher adoption rates and fewer support issues.",
    "Hybrid authentication models are necessary during the transition period to accommodate legacy systems and user familiarity.",
    "Investment in user education and infrastructure updates is critical for successful passkey implementation."
  ],
  "motivation": ["Improving Security Posture", "Reducing Support Costs", "Enhancing User Experience"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implementation of passkeys as a primary authentication method to eliminate password-related vulnerabilities.",
      "Gradual phase-out of passwords in favor of more secure, user-friendly alternatives like passkeys.",
      "Investment in user education to facilitate smooth adoption of passwordless authentication."
    ],
    "root_causes": [
      "Over-reliance on traditional password-based authentication, which is vulnerable to phishing, brute force, and credential stuffing attacks.",
      "High operational costs and inefficiencies associated with password recovery and support."
    ]
  },
  "recommendations": [
    "Organizations should evaluate passkey adoption to enhance security and reduce operational costs associated with password management.",
    "For environments still relying on passwords, enforce strong password policies (e.g., using tools like Specops Password Policy) to mitigate risks.",
    "Plan for a phased transition to passkeys, including user training and compatibility assessments for legacy systems.",
    "Monitor industry trends and FIDO Alliance updates to stay informed about advancements in passwordless authentication."
  ],
  "references": [
    {"source": "Verizon 2025 Data Breach Investigations Report"},
    {"source": "FIDO Alliance Research on Passkey Adoption"},
    {"source": "Microsoft Announcement on Passwordless by Default (May 2025)"},
    {"source": "Aflac Case Study on Passkey Implementation"},
    {"source": "Specops Software Article on Passkeys and Password Security", "url": "https://www.specopssoft.com/"}
  ],
  "response": {
    "communication_strategy": [
      "Public announcements by Microsoft and Aflac",
      "Educational campaigns on passkey benefits"
    ],
    "remediation_measures": [
      "Adoption of passkeys for authentication",
      "Hybrid models for legacy system compatibility"
    ],
    "third_party_assistance": ["FIDO Alliance (Standards and Advocacy)"]
  },
  "stakeholder_advisories": [
    "Organizations are advised to assess the feasibility of passkey integration based on their infrastructure and user base.",
    "IT and security teams should prepare for hybrid authentication environments during the transition period."
  ],
  "title": "Transition to Passwordless Authentication with Passkeys and Security Implications",
  "type": ["Authentication Security Improvement", "Cybersecurity Trend Analysis"],
  "vulnerability_exploited": ["Weak or Stolen Passwords", "Phishing", "Brute Force Attacks", "Credential Stuffing"]
}