Your Phone Is About to Buzz With a Fake Login — Here's What to Do
Imagine your boss's company switches to a brand-new, "unhackable" front door. Great news — except nobody told the staff that thieves are now going around to the back window. That's more or less what's happening right now in government cybersecurity, and it's about to matter to you personally.
Government agencies are replacing passwords with stronger digital certificates — which is genuinely good news — but the new weak spot is you clicking "Approve" on a fake login request, not a stolen password.
This week, a company called Keytos announced a partnership with Carahsoft — a major tech reseller for government agencies — to bring passwordless identity tools to federal, state, and local government workers. If you work in or around government, or your employer is watching what the feds do (spoiler: most employers are), this is coming to your workplace. The password you've been protecting for years? It's being retired. What replaces it is smarter. But it also teaches criminals a new trick, and most people have zero idea what to watch for.
Why Passwords Are Getting Fired
Passwords have one catastrophic flaw: they can be stolen without you ever knowing. You type your password into what looks like your bank's website. Turns out it was a fake copy. Criminals walk away with your credentials. You find out three weeks later when something goes wrong.
The federal government has been quietly pushing agencies away from this model for years. An executive order signed in 2021 pushed agencies toward something called "zero trust" — which basically means "don't assume anyone is who they say they are, even inside your own systems." As part of that shift, government IT teams have been told to adopt phishing-resistant authentication (login methods that can't be tricked by fake websites) wherever possible.
What Keytos and Carahsoft are rolling out is based on digital certificates. Think of them like a high-security, government-issued ID card stored inside your device or on a physical token. When you log in, your device proves its identity with a cryptographic signature made by a private key that never leaves that device, and that proof can't be faked or forwarded to a criminal's server. No password to steal. No secret code to intercept. The login either works on your registered device, or it flat-out doesn't work at all.
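To show why a relayed login fails with a device-bound credential but succeeds with a password, here is a small simulation. It is an added example, not code from Keytos, Carahsoft or the original article, and everything in it is made up: the origins, the user, and the use of HMAC over a device-held secret as a stand-in for the asymmetric signature a real certificate or FIDO2 key would produce. The property it demonstrates is real, though: the signed message includes the origin the browser is actually connected to, so a look-alike site that relays the real server's challenge gets a signature the real server will not accept.

```python
import hashlib
import hmac
import secrets

# Constructed example. Origins, user name and password are made up.
REAL_ORIGIN = "https://login.agency.example"
FAKE_ORIGIN = "https://login-agency.example"   # look-alike phishing site
USERNAME = "ana"
PASSWORD = "correct horse battery staple"


class DeviceCredential:
    """Stand-in for a certificate or FIDO2 key bound to one device.

    A real credential uses an asymmetric key pair and the server stores only
    the public key. HMAC over a device-held secret is used here so the example
    runs on the standard library; the property demonstrated (the signed
    message includes the origin the browser actually connected to) is the same.
    """

    def __init__(self):
        self._secret = secrets.token_bytes(32)   # never leaves the device

    def registration_material(self) -> bytes:
        # A real deployment would hand over a public key / certificate here.
        return self._secret

    def sign_login(self, challenge: bytes, origin_seen_by_browser: str) -> bytes:
        # The browser, not the web page, reports the origin, so a phishing page
        # cannot ask the credential to sign for the real site's origin.
        message = origin_seen_by_browser.encode() + b"\x00" + challenge
        return hmac.new(self._secret, message, hashlib.sha256).digest()


class LoginServer:
    def __init__(self, origin: str):
        self.origin = origin
        self.passwords = {}
        self.credentials = {}

    def register(self, user: str, password: str, cred: DeviceCredential):
        self.passwords[user] = password
        self.credentials[user] = cred.registration_material()

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def check_password(self, user: str, password: str) -> bool:
        # A password is just a string: whoever holds it can replay it.
        return hmac.compare_digest(self.passwords.get(user, ""), password)

    def check_signature(self, user: str, challenge: bytes, signature: bytes) -> bool:
        key = self.credentials.get(user)
        if key is None:
            return False
        # The server only ever accepts signatures made for its own origin.
        expected = hmac.new(key, self.origin.encode() + b"\x00" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def phished_password_login(server: LoginServer) -> bool:
    """User types the password into the fake site; the fake site forwards it."""
    typed_by_user = PASSWORD                                 # captured by the phishing page
    return server.check_password(USERNAME, typed_by_user)    # replay is accepted


def phished_credential_login(server: LoginServer, cred: DeviceCredential) -> bool:
    """Fake site relays the real server's challenge to the user's device."""
    challenge = server.new_challenge()       # attacker fetched this from the real site
    # The browser is connected to FAKE_ORIGIN, so that is what gets signed.
    signature = cred.sign_login(challenge, FAKE_ORIGIN)
    return server.check_signature(USERNAME, challenge, signature)   # rejected


def genuine_credential_login(server: LoginServer, cred: DeviceCredential) -> bool:
    """Same device, same server, but the browser really is on the real site."""
    challenge = server.new_challenge()
    signature = cred.sign_login(challenge, REAL_ORIGIN)
    return server.check_signature(USERNAME, challenge, signature)   # accepted


def run_demo() -> dict:
    server = LoginServer(REAL_ORIGIN)
    cred = DeviceCredential()
    server.register(USERNAME, PASSWORD, cred)
    return {
        "password_relayed_by_phisher": phished_password_login(server),
        "credential_relayed_by_phisher": phished_credential_login(server, cred),
        "credential_used_on_real_site": genuine_credential_login(server, cred),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The password case is accepted because the server has no way to tell a forwarded password from a typed one. The relayed certificate case is rejected not because the attacker did anything clumsy, but because the device signed for the origin the browser was really on, and the real server checks for its own.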
According to the GlobeNewswire press release, the partnership is designed to bring a "comprehensive suite of passwordless identity solutions to the public sector" — covering the full range of government workers who currently log into sensitive systems with the same basic password infrastructure the rest of us use.
That's genuinely good news. Stolen passwords are behind an almost embarrassing percentage of data breaches. Getting rid of them reduces a huge category of risk overnight.
Here's the catch.
The New Weak Spot Is You Hitting "Approve"
Criminals are not sitting around waiting to go out of business. When one door closes, they find another. And right now, while most workplaces still use the push notification version of two-step login — that's the "Tap to approve this login" popup on your phone — there's an attack spreading fast that you really need to know about.
It's called MFA prompt bombing (MFA stands for multi-factor authentication — basically, the two-step check where you approve a login from your phone in addition to entering a password). The attack is brutally simple: a criminal who has your username and password just hits "login" over and over again. Your phone gets flooded with "Did you just try to log in?" notifications. Most people, confused or frustrated, eventually just tap "Approve" to make it stop. At that point, the criminal is in.
One number should stop you cold: over 340 organizations compromised in five weeks, not because people gave up their passwords, but because the approval process itself was exploited. A phishing platform called EvilTokens, tracked by security researchers at WorkOS, pulled this off at scale across Microsoft 365 accounts by intercepting the digital keys (session tokens) that get issued after someone successfully logs in. The two-step check had already happened, completely legitimately, and the criminal still walked away with access.
Let that sink in. The person clicked the right buttons on the real website. Entered their real password. Got the real "approve this login" prompt and approved it. And still got compromised. Not because they did anything obviously wrong. Because the attack happened after the login, not during it.
"Push notifications remain the weakest common form of MFA, while phishing-resistant factors such as FIDO2 security keys and hardware tokens are harder to abuse." — Expert analysis, The Hacker News, May 2026
This is the security industry's open secret right now. The phone-tap-to-approve system that billions of people use every day is the next big target. Certificate-based passwordless systems like what Keytos is rolling out for government agencies are far more resistant to this — but most of us aren't on those systems yet. We're in the messy middle.
The Transition Period Is Where You're Most Vulnerable
Here's something the tech press isn't saying clearly enough: the most dangerous moment isn't before an upgrade or after. It's during.
When agencies shift to passwordless systems, they often run old and new systems side by side for months — sometimes years. An employee might use a certificate-based login for one government database and still use a password-plus-push-notification for email or a benefits portal. Criminals know this. They look for the weakest door in a building that just got expensive new locks on the front.
There's another attack that's quietly exploding, and it doesn't need your password at all. It's called OAuth consent phishing — OAuth is the technology behind "Log in with Google" or "Log in with Apple" buttons. A criminal sends you to a page that looks completely legitimate. You log in on the real platform. Your two-step check runs perfectly. Then a screen pops up asking you to grant some app permission to access your account. You click "Allow." The criminal now has a digital token — essentially a signed permission slip from your own account — that lets them access your data for days or weeks, authenticated by the real system, completely invisible to most security filters.
No stolen password. No fake website. No red flags. Just you clicking a button that looked reasonable at the time. According to research published by ATTACK Simulator, this category of attack is accelerating in 2026 precisely because most users have been trained to watch for password theft — not for "what did I just give permission to?"
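Both attacks described above, the approval flood and the "just click Allow" consent grant, leave fingerprints in an identity provider's sign-in and audit logs, which is where an IT team catches them. The following detector is an added example written for this article, not code from any vendor or product named here. The log lines are constructed, and the field names (`push_sent`, `push_result`, `consent_granted`, `app_verified`) are assumptions; real exports use their own names, but the two patterns it looks for are the ones the article describes: a burst of push prompts ending in an approval, and a consent grant to an unverified app asking for mailbox or long-lived access.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, loosely shaped like an identity provider's sign-in
# and audit export. Users, apps, IPs and field names are made up.
SAMPLE_LOG = """
{"ts":"2026-05-04T08:00:01Z","user":"ana","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2026-05-04T08:00:03Z","user":"ana","event":"push_result","result":"denied"}
{"ts":"2026-05-04T08:00:20Z","user":"ana","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2026-05-04T08:00:45Z","user":"ana","event":"push_result","result":"timeout"}
{"ts":"2026-05-04T08:01:02Z","user":"ana","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2026-05-04T08:01:10Z","user":"ana","event":"push_result","result":"denied"}
{"ts":"2026-05-04T08:01:30Z","user":"ana","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2026-05-04T08:02:00Z","user":"ana","event":"push_result","result":"timeout"}
{"ts":"2026-05-04T08:02:15Z","user":"ana","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2026-05-04T08:02:22Z","user":"ana","event":"push_result","result":"approved"}
{"ts":"2026-05-04T09:10:00Z","user":"ben","event":"push_sent","ip":"198.51.100.4"}
{"ts":"2026-05-04T09:10:05Z","user":"ben","event":"push_result","result":"approved"}
{"ts":"2026-05-04T09:12:00Z","user":"ben","event":"consent_granted","app":"Calendar Sync Pro","app_verified":false,"scopes":["Mail.Read","offline_access"]}
{"ts":"2026-05-04T09:30:00Z","user":"cai","event":"consent_granted","app":"Corporate Helpdesk","app_verified":true,"scopes":["User.Read"]}
"""

# Permission scopes that give an app a mailbox, files, or a long-lived refresh
# token. The names follow the Microsoft Graph style used in the sample log.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite", "offline_access"}


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _bursts(times: list, gap: timedelta) -> list:
    """Group prompt times into bursts: prompts no more than `gap` apart."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def detect_prompt_bombing(events: list, gap=timedelta(minutes=5), threshold=4) -> list:
    """Flag a user who gets `threshold` or more push prompts in one burst and
    record whether the burst ended in an approval (the fatigue success case)."""
    sent = defaultdict(list)
    results = defaultdict(list)
    for e in events:
        if e["event"] == "push_sent":
            sent[e["user"]].append(e["ts"])
        elif e["event"] == "push_result":
            results[e["user"]].append((e["ts"], e["result"]))
    alerts = []
    for user, times in sent.items():
        for burst in _bursts(times, gap):
            if len(burst) < threshold:
                continue
            window_end = burst[-1] + gap
            in_burst = [r for ts, r in results[user] if burst[0] <= ts <= window_end]
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "denied_or_timeout": sum(r in ("denied", "timeout") for r in in_burst),
                "approved_after": "approved" in in_burst,
            })
    return alerts


def detect_suspicious_consent(events: list) -> list:
    """Flag consent grants to unverified apps that request high-risk scopes."""
    alerts = []
    for e in events:
        if e["event"] != "consent_granted":
            continue
        risky = sorted(set(e.get("scopes", [])) & HIGH_RISK_SCOPES)
        if risky and not e.get("app_verified", False):
            alerts.append({"user": e["user"], "app": e["app"], "risky_scopes": risky})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_prompt_bombing(evs):
        print("prompt bombing:", a)
    for a in detect_suspicious_consent(evs):
        print("suspicious consent:", a)
```

On the sample data, "ana" is flagged for five prompts in just over two minutes, four of them denied or timed out before one was approved, which is exactly the sequence a fatigued user produces. "ben" is flagged for granting an unverified app mailbox and offline access right after a clean login, while "cai" granting a verified helpdesk app basic profile access is left alone. The useful signal in both cases is the shape of the sequence, not any single event.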
What the New Threat Looks Like in Real Life
- 📲 The approval flood — Your phone gets 6 login approval requests in a row. You don't remember trying to log in. If you tap "Approve" out of confusion or exhaustion, the criminal is in.
- 🔗 The "just click Allow" trap — A screen asks you to grant an app access to your calendar, contacts, or email after a normal-looking login. That permission slip is what criminals are after — not your password.
- 📧 The account recovery trick — You get an email saying your account needs to be "re-verified" due to a "suspicious login." You click a real-looking link, complete a real-looking approval step, and hand over access.
- 🏢 The mixed-system gap — Your workplace upgrades its main login but leaves older portals on the old system. Criminals target the old door you forgot was still there.
What You Can Actually Do Right Now
The good news: there are a few habits that apply whether your workplace has gone passwordless or not. None of them require you to understand cryptography.
Rule one: You should almost never receive a login approval notification you didn't trigger yourself. If your phone buzzes asking you to approve a login and you're not actively logging into something, that's a red flag. Deny it every time. If it keeps happening, someone has your password and is actively trying to get in — change your password immediately and call your IT department.
Rule two: Read "permission" screens before clicking Allow. When a screen asks an app for access to your email, files, or contacts, that's not a formality. That's a contract. Ask yourself: did I request this app? Does it actually need access to my email? If the answer to either is "I'm not sure," click away.
Rule three: Treat account-recovery emails like a stranger at your door. If you get an email saying your account needs verification and you didn't request it, go directly to the website by typing the address yourself — not by clicking the link in the email. Legitimate services will show the same alert inside your actual account if it's real.
And here's the CaraComp angle: if you've ever gotten a suspicious message that seemed to know your name, your employer, or your email address — and wondered whether someone was impersonating you or targeting you specifically — that's exactly the kind of question that identity-verification tools exist to answer. Knowing whether a person, a profile, or a contact is who they claim to be isn't paranoia. It's just the right question to ask in 2026.
"Don't share your password" is no longer enough advice. The new rule is: never approve a login you didn't start, and never click Allow on a permissions screen you weren't expecting. Those two habits will protect you through the transition period, no matter what system your workplace is running.
The Biometric Update story about Keytos and Carahsoft is a small headline in a niche trade publication. But what it signals is real: the way we prove who we are online is changing at the institutional level, and that change is trickling toward every workplace, benefits portal, and bank login you use. The technology is getting stronger. The attacks are getting more creative. The gap in between — right now, this year — is where most people get caught.
So here's the question worth sitting with: if your workplace removed passwords tomorrow and asked you to approve a digital login from your phone instead, would you know what a fake approval request looks like? Because the criminals are already betting you don't.