Your memory cannot protect your digital identity

Javier Ocaña Olivares

For years, everyone told you: “Create a strong password”. Three sentences later, you were already caught up in the ritual: a capital letter, a number, a symbol, changing it every so often… and that was that.

Today, in 2026, that script no longer fits with what’s happening out there in the ‘digital world’. The security of your password no longer depends on whether it contains an ‘@’ or an ‘!’. Why do we continue to entrust the security of our digital identity to something that relies on human memory, and therefore on predictable patterns and secrets that end up being reused?

The problem isn’t “people”. It’s the design of the system

For a long time, access security was treated as a test of “self-discipline”. If your password was weak, it was your fault. If you reused it, that was your fault too. If you forgot it… even worse.

The problem is that this logic assumes a human behaviour that does not exist at scale: it is impossible to ask people to memorise hundreds of long, complicated passwords without making mistakes or reusing them; our brains simply do not work that way.

In practice, memory does not scale. Memory repeats. Memory simplifies. And when it comes to credentials, that is not a minor detail: it is an attack surface.

Memorising passwords puts you at a disadvantage. The Verizon DBIR 2025 sums it up with real incident data: credential abuse remains one of the main initial access vectors (its public report highlights “credential abuse (22%)” as a relevant initial vector).

NIST Rev. 4 (2025) no longer talks only about passwords: it talks about ‘end-to-end’ digital identity

In July 2025, NIST (National Institute of Standards and Technology) published the comprehensive SP 800-63 Revision 4. It is a suite of four final documents:

  • SP 800-63-4: General framework for identity systems.
  • SP 800-63A-4: Identity verification and registration.
  • SP 800-63B-4: Authentication (the “how you log in”).
  • SP 800-63C-4: Federation (how you share your identity across services).

And what changes in practice? That the standard now describes access as a complete system: identity, registration, authentication, management, federation… and their associated risks.

A very specific example (and very 2026): NIST incorporates the concept of “subscriber-controlled wallets” into the federation model. In other words, it already envisages workflows where a user’s “wallet” participates in the delivery of attributes/assertions to the service.

Imagine you have a digital wallet on your mobile, just as you have an app for paying by card.

One day you need to prove your identity to hire a car online.

Instead of uploading photos of your ID card or filling in forms over and over again, your digital wallet automatically sends the service the data it needs (for example, that you are of legal age and your name), already verified.

You simply accept with a tap.

No paperwork, no repeating data and no tedious checks.

The change you’ll notice most: SMS codes are now classified as a “restricted” method according to NIST

In the final version of NIST SP 800-63B-4 (July 2025), it is stated that using SMS or phone calls to send verification codes is no longer considered a fully trusted method. From that point onwards, it is classified as “restricted”.

What does this mean in practice?

  1. If a company continues to use SMS, it should offer another, more secure form of authentication for any user who needs it.
  2. Furthermore, before sending a code via SMS, you must check for risk indicators, such as:
    • whether the user’s SIM card has changed,
    • whether the number has been ported,
    • whether the device has been recently replaced.
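
As an added illustration (not part of the original article), this Python sketch turns the two rules above into a gate that runs before any SMS code is sent. The seven-day window, the event names and the `PhoneSignals` lookup are assumptions, not anything NIST prescribes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy window (seconds): a SIM, port or device change inside it counts as a
# risk indicator. SP 800-63B-4 does not prescribe this number; seven days is a choice.
RECENT_S = 7 * 86400

# Authenticators the article describes as "restricted" under SP 800-63B-4.
RESTRICTED = {"sms", "voice"}

@dataclass
class PhoneSignals:
    """Constructed result of a carrier/device lookup: epoch seconds of the last change,
    or None when no change is known. The three fields are the indicators listed above."""
    sim_changed_at: Optional[int] = None
    number_ported_at: Optional[int] = None
    device_replaced_at: Optional[int] = None

@dataclass
class Decision:
    action: str               # "send_sms" | "fallback" | "deny" | "not_enrolled"
    indicators: List[str]     # risk indicators that fired
    alternatives: List[str]   # non-restricted authenticators to offer the user

def recent_indicators(s: PhoneSignals, now: int) -> List[str]:
    """Names of the indicators whose change happened within RECENT_S of `now`."""
    fired = []
    for name, when in (("sim_changed", s.sim_changed_at),
                       ("number_ported", s.number_ported_at),
                       ("device_replaced", s.device_replaced_at)):
        if when is not None and 0 <= now - when <= RECENT_S:
            fired.append(name)
    return fired

def sms_otp_decision(authenticators: List[str], signals: PhoneSignals, now: int) -> Decision:
    """Gate an SMS OTP send on the two rules in the passage above."""
    alternatives = [a for a in authenticators if a not in RESTRICTED]
    if "sms" not in authenticators:
        return Decision("not_enrolled", [], alternatives)
    fired = recent_indicators(signals, now)
    if fired:
        # Rule 2: an indicator fired, so the code must not be delivered over SMS.
        # Rule 1: route the user to a non-restricted method; with none enrolled, fail closed
        # rather than fall back to the very channel the indicator casts doubt on.
        return Decision("fallback" if alternatives else "deny", fired, alternatives)
    # Nothing fired: SMS may proceed, but the stronger options are still surfaced (rule 1).
    return Decision("send_sms", [], alternatives)
```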

In short: simply saying “enable 2FA” is no longer enough.

What matters now is what type of 2FA is used, because not all methods offer the same level of security.

If you can remember it easily… it probably has a pattern

Not all “memorable” passwords are bad.

But in an ecosystem with hundreds of services, automated attacks and phishing campaigns, memorability often comes with human logic: dates, familiar words, obvious substitutions, repeated patterns.

That is precisely what is now exploited on a massive scale in every attack. The sensible change does not lie in “thinking up better” passwords, but in reducing the scope where passwords reign:

  • a single master key that is truly worth protecting carefully;
  • a password manager to generate and store long, unique credentials;
  • and passkeys wherever they are already available.

Passkeys: the industry is pushing them, and the web standard is maturing

When it comes to passkeys, it is best to be precise rather than grandiose: there is no need to claim that “everyone is already using them” in order to acknowledge their growing value as an authentication method built on per-user key pairs.

There are two very clear (and verifiable) signs in recent months:

  1. W3C published WebAuthn Level 3 as a Candidate Recommendation Snapshot on 13 January 2026, a milestone in the maturity of the web standard underpinning much of the modern implementation of public-key credentials on the web.
  2. The FIDO Alliance launched the Passkey Index (October 2025), focusing on aggregated adoption/usage data and impact metrics from multiple major providers (according to its own description of the index and the associated PDF report).

And at the platform level: Microsoft publicly reinforced its push for passwordless experiences using passkeys (May 2025) and later announced native support for “passkey managers” in Windows 11 (available with the November 2025 update).

This is not just a fad. This is an operational transition.

Not all 2FA is the same. Is your security truly resistant to phishing?

By now, we all know that a single password isn’t enough. But there’s a truth that the NIST (the leading authority on standards) has just put in black and white: not all second security steps are the same. If you thought that a text message or an “Accept” button on your mobile meant you were completely safe, you might be mistaken.

The end of ‘Accept/Reject’ through exhaustion

Have you ever received a notification on your mobile to log into an account when you haven’t even tried to do so? That’s what experts call ‘authentication fatigue’. Attackers bombard users with alerts until, by mistake or sheer exhaustion, someone taps ‘Accept’.

NIST warns that these methods are not resistant to phishing because there is no actual exchange of a technical ‘secret’. That is why organisations such as OWASP no longer beat about the bush: they recommend making the switch to FIDO2 and WebAuthn, systems that can withstand a direct attack.
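
Detection logic for the fatigue pattern just described, added here as an example (not from the article): it replays a constructed push-MFA log and flags a user who approves a push after a burst of denials. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: "alice" is hit with a burst of unsolicited pushes, denies three,
# then approves the fourth; "bob" gets one push he requested. Format is hypothetical.
SAMPLE_LOG = """\
2026-01-20T08:00:01Z user=alice event=push_sent
2026-01-20T08:00:20Z user=alice event=push_denied
2026-01-20T08:00:45Z user=alice event=push_sent
2026-01-20T08:01:02Z user=alice event=push_denied
2026-01-20T08:01:30Z user=alice event=push_sent
2026-01-20T08:01:48Z user=alice event=push_denied
2026-01-20T08:02:10Z user=alice event=push_sent
2026-01-20T08:02:31Z user=alice event=push_approved
2026-01-20T08:05:00Z user=bob event=push_sent
2026-01-20T08:05:09Z user=bob event=push_approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

def parse(log):
    """Yield {ts (epoch seconds), user, event} for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield {"ts": ts.timestamp(), "user": m["user"], "event": m["event"]}

def detect_push_fatigue(log, window_s=600, burst=4):
    """Sliding-window detector: flag a user who receives `burst` or more pushes within
    `window_s` seconds, and mark an approval that follows denials inside that burst."""
    recent = defaultdict(deque)   # user -> (ts, event) pairs inside the window
    findings = {}
    for rec in parse(log):
        q = recent[rec["user"]]
        q.append((rec["ts"], rec["event"]))
        while q and rec["ts"] - q[0][0] > window_s:
            q.popleft()
        sent = sum(1 for _, e in q if e == "push_sent")
        if sent < burst:
            continue
        denied = sum(1 for _, e in q if e == "push_denied")
        f = findings.setdefault(rec["user"], {"pushes": 0, "denials": 0, "approved_after_denials": False})
        f["pushes"] = max(f["pushes"], sent)
        f["denials"] = max(f["denials"], denied)
        if rec["event"] == "push_approved" and denied > 0:
            f["approved_after_denials"] = True   # the "sheer exhaustion" tap described above
    return findings
```

An `approved_after_denials` finding is the one worth paging on: it is the moment a fatigued user may have let someone else in, and the session it created should be reviewed or revoked.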

From theory to practice: the USDA case

This isn’t just theory for experts. The CISA (the US cybersecurity agency) has just published a real-life success story on how the Department of Agriculture (USDA) has implemented these phishing-resistant methods. If such a huge and complex organisation can do it, the “path is clear” for the rest.

The litmus test. What happens if you lose your mobile tomorrow?

This is the ultimate test to find out whether your security is robust or just appears to be. Imagine this scenario: you lose your mobile, your laptop breaks, and you can’t find your physical key. Is regaining access chaos, or do you have a plan?

If the answer is chaos, your security architecture has cracks. NIST now looks not only at how you log into your account, but at the entire “lifecycle”:

  • Mandatory alternatives: if you use traditional methods, you must always offer a secure fallback option.
  • Binding processes: what happens and how your identity is verified when you change your phone number or device.

What really changes in 2026: the password is no longer the focus (and Europe puts the wallet on the agenda)

In Europe, the message already has a deadline: the European Commission states that each Member State will offer at least one version of the EU Digital Identity Wallet “by 2026” (and on its “European Digital Identity” page, it mentions availability for citizens/residents/businesses “by the end of 2026”).

This does not mean that “everyone will be ready at the same time”, but it does set the desired direction: more interoperable digital identity, more controls, less reliance on weak mechanisms.

ENISA (European Union Agency for Cybersecurity), meanwhile, is publishing technical guidance on implementing risk management measures under NIS2 (with mappings and practical implementation examples).

The ‘elephant’ in the room: when AI impersonates you

It is no longer science fiction or a prediction of the future: fraud based on AI and deepfakes is the major challenge for digital identity in 2026. The technology for impersonating faces and voices has matured so much that the rules of the game have had to change completely.

Here we outline the four pillars defining this new era of digital trust:

NIST: AI-proof identity

The global benchmark for standards, NIST, has updated its renowned guide (Rev. 4) with a clear objective: to respond to modern threats. It is no longer enough to protect “who you are”, but to verify that you are a real human and not a simulation generated by algorithms.

ENISA: phishing now has ‘superpowers’

In its latest threat report (Threat Landscape 2025), the European agency ENISA confirms what many of us feared: AI is the driving force behind new attacks. Phishing is no longer about emails with spelling mistakes; it is now hyper-personalised and ultra-convincing campaigns powered by artificial intelligence.

C2PA: the ‘passport’ for content

How can you tell if a video is real or a deepfake? This is where the C2PA (v2.3) standard comes into play. It is a ‘provenance’ technology that allows the origin and history of any digital file to be certified. It essentially involves stamping the pixels with a seal of authenticity so you know where they come from and whether they have been tampered with.

Europe and transparency (AI Act)

The European Union has taken a step forward with the AI Act. The new regulations (specifically Article 50) require companies to be transparent: if content has been generated or manipulated by AI, it must carry a clear label. Detection and labelling are no longer optional; they are the law.

Conclusion

Human memory serves many purposes. But it cannot single-handedly underpin digital security.

In 2026, properly protecting your digital identity means designing around that limitation: fewer secrets to memorise, more unique credentials, more secure automation and more phishing-resistant authentication.

Today, the important question is not whether your password is “good”, but how much of your security still depends on something that can be stolen, reused or spoofed.

A properly configured password manager is no longer “advanced”: it is the foundation of your security.

And passkeys are no longer a novelty: they are the way forward.
