Why human-centred authentication will enhance cyber resilience
The rising tide of sophisticated social engineering, phishing and insider threats highlights a glaring vulnerability for many organisations: the human user. Human error is the top cause of login credentials being stolen through phishing attacks. Threats such as AI-driven attacks do not care who you are and do not know your intentions, which makes it difficult to distinguish between an authorised admin and a malicious actor using stolen credentials. To address these challenges, organisations are starting to treat the human element as a security measure rather than a flaw: human-centred strong authentication is emerging as a way to achieve cyber resilience and phishing resistance.
Rather than designing security systems that people struggle to use, the future lies in making secure behaviours the path of least resistance. Phishing-resistant passkey authentication, such as physical security keys like YubiKeys, offers a powerful way to reduce complexity for users while increasing protection for organisations. This approach enhances cyber resilience, not just by preventing breaches, but by encouraging a more engaged and security-conscious workforce.
From technology-centric to human-centric security
One of the biggest cybersecurity risks continues to be human error. Whether it is a weak password reused across accounts or an accidental click on a phishing email, people remain the weakest link in cyber defences. As organisations push for stronger authentication, many have adopted legacy MFA methods that – while more secure than passwords alone – are less secure than modern MFA and often cumbersome for users.
This challenge has led to a growing phenomenon known as MFA fatigue, in which users become overwhelmed or annoyed by repeated authentication prompts, leading them to approve login attempts without scrutiny or to disengage entirely from secure behaviours. Attackers increasingly exploit this fatigue by bombarding users with push notifications in the hope that they will eventually approve an illegitimate access request.
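As an added example that is not part of the original article, the following Python detector flags the pattern just described in authentication logs: a burst of push prompts to one user that ends in an approval. The log format, the five-minute window and the prompt threshold are assumptions for illustration, and the sample log is constructed.

```python
"""Detect a push-bombing (MFA fatigue) pattern in authentication logs.
Hypothetical log format: "<ISO timestamp> <user> <event>", where event is
PUSH_SENT, PUSH_DENIED or PUSH_APPROVED."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of prompts for "alice" ending in an
# approval, and normal single-prompt logins for "bob".
SAMPLE_LOG = """\
2024-05-01T08:00:01 alice PUSH_SENT
2024-05-01T08:00:02 alice PUSH_DENIED
2024-05-01T08:00:40 alice PUSH_SENT
2024-05-01T08:01:10 alice PUSH_SENT
2024-05-01T08:01:45 alice PUSH_SENT
2024-05-01T08:02:30 alice PUSH_SENT
2024-05-01T08:02:55 alice PUSH_APPROVED
2024-05-01T08:05:00 bob PUSH_SENT
2024-05-01T08:05:04 bob PUSH_APPROVED
2024-05-01T09:30:00 bob PUSH_SENT
2024-05-01T09:30:06 bob PUSH_APPROVED
"""

WINDOW = timedelta(minutes=5)  # assumed tuning value, not from the article
THRESHOLD = 4                  # prompts within WINDOW before an approval alerts

def parse(log: str):
    """Yield (timestamp, user, event) tuples from the hypothetical log."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event

def find_push_bombing(log: str, window=WINDOW, threshold=THRESHOLD):
    """Return {user: prompt_count} for users who approved a push after
    receiving at least `threshold` prompts within `window`."""
    sent = defaultdict(list)   # user -> timestamps of recent PUSH_SENT
    alerts = {}
    for ts, user, event in parse(log):
        if event == "PUSH_SENT":
            # keep only prompts that fall inside the sliding window
            sent[user] = [t for t in sent[user] if ts - t <= window]
            sent[user].append(ts)
        elif event == "PUSH_APPROVED":
            recent = [t for t in sent[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts[user] = len(recent)
            sent[user].clear()  # an approval ends the episode
    return alerts
```

A hit means the approval should be treated as suspect and the session reviewed, regardless of whether the user eventually pressed "approve".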
Robust authentication that is human-centred shifts the focus from purely technological controls to how individuals interact with systems. This means recognising that humans are not perfect – it's easy to forget passwords, click suspicious links and try to circumvent systems that slow them down.
Additionally, complex or poorly designed authentication measures lead users to adopt insecure workarounds. Sticky notes with passwords under keyboards are a symptom of bad security design, not bad users. That is not laziness; it is human nature.
The key is to design security that is simple and intuitive from the start, which makes being human an advantage against security threats. Security keys eliminate the need for memorisation, reduce the chance of phishing success and do not require additional steps for the user. They simplify login processes, eliminate passwords and remove the need for SMS-based one-time codes that can be intercepted or spoofed.
Authentication that works with, not against, human behaviour reduces the risk of error and enables more resilient defences. It is a practical example of security by design: usable, reliable and hard to get wrong.
Building cyber resilience with human-centred authentication
Cyber resilience depends on timely detection and response, and humans remain critical for flagging unusual behaviour and preventing incidents from escalating. When employees are trained and engaged, they become an extension of the security team. Their intuition, curiosity and awareness can complement monitoring tools. A user who feels confident in their role and supported by usable security tools is far more likely to report a suspicious login attempt or escalate an anomaly quickly.
Embedding security into the fabric of everyday work begins with shifting mindsets. When users are treated as liabilities, they disengage. When they are empowered and equipped, they become defenders. Human-centred authentication is part of building that culture.
This shift also makes it easier to maintain a culture of vigilance. When security is seen as part of the job, not an IT burden, behaviours change. From recognising phishing to reporting anomalies, people play a more active role in reducing risk.
By shifting towards human-centred strong authentication focused on the user, such as device-bound passkeys like hardware security keys, organisations are not just reducing friction; they are building resilience. This means protecting identities at the point of access, empowering users to be active defenders and embedding security into culture and behaviour, not just technology.
Security keys represent a powerful example of this approach. They are phishing-resistant, portable and intuitive, and they protect against today's most dangerous threats without overburdening users.
Ultimately, cyber resilience is not just about what cybersecurity systems an organisation has in place; it is about how people use them. That begins with designing security that fits humans, not the other way around.