Move beyond password managed authentication
Credential theft is still one of the prime means of attacking systems. Dictionaries of passwords are readily available (many with millions of passwords). These allow attackers to perform credential stuffing attacks – often successfully.