A few nights before heading out to RSA (one of the biggest cybersecurity conferences in the world) this week, I was grabbing coffee with a friend who isn’t in the tech world. He let out a frustrated sigh while typing a code from his phone into his laptop. He looked at me and asked a question that I think many of us feel deep down: “If my bank is so secure, why does it feel like I’m constantly jumping through hoops? How do they actually know it’s me and not some guy in a basement halfway across the world?”
At the time, I kept it brief. I told him to think of it like a digital wristband. You show your ID once, they give you a wristband, and you’re good for the night.
But as I’ve been walking the floor at RSA and having some truly excellent conversations with folks this week, that question kept echoing in my head. I realized that “it’s a wristband” is a good start, but it doesn’t quite capture the reality of the world we are living in right now. If the current state of security feels confusing or even a little bit scary, you aren’t wrong to feel that way.
The Internet’s Memory Problem
We have these “wristbands” (which we call session cookies) because the web has no short-term memory. The protocol your browser speaks, HTTP, treats every request as if it came from a stranger, so every single time you click a new page, the website has already forgotten who you are.
Imagine if you had to re-verify your password and enter a new multi-factor authentication code (that six-digit text you get on your phone) for every single click on your bank’s website. It would be impossible to use. We need those session cookies because they act as the proof that you’ve already checked in. The wristband is what lets you move through the venue without getting stopped at every door.
The Evolution of the Counterfeit
The reason I’ve been thinking so much about my friend’s question during my time at RSA is that the “wristband” isn’t as safe as it used to be. In the past, a hacker had to find a way to copy your wristband (steal the session cookie) and use it from somewhere else. But because they’d be scanning it from a different entrance, on a different device, from a completely different location, it was usually obvious that something was off. The venue could say “this wristband was just scanned on the other side of town, something isn’t right.”

Today, that’s not how it works anymore. Malicious software (the kind that gets onto your device without you ever knowing) sits quietly in the background and takes control, like an invisible hand reaching over your shoulder and moving the mouse for you. It doesn’t copy the wristband and take it somewhere else. It uses your wristband, from your entrance, while you’re still wearing it. You’re sitting at your computer, going about your day, and something else is quietly making requests to your bank in another tab, from your own browser, with your own cookie. Security folks call this a man-in-the-browser attack. To the bank, everything looks completely normal: same device, same location, same wristband.

That’s an unsettling thing to sit with: even when you do everything right, something can still reach through your own hands and use the wristband while it’s on your wrist.
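To make the wristband concrete, here is a small Python sketch of what a bank’s server actually keeps track of. It is an added example for this post, not code from any bank or product, and everything in it is made up for illustration: the `SessionStore` class, the user “alice” and her password, and the IP addresses and browser strings. It walks through the three situations above: the real user clicking around, a copied cookie replayed from somewhere else (which the entrance-and-device check catches), and malware sending a request from the user’s own browser (which that check cannot tell apart from the user).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2): the ID check at the door."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user table for this example. The salt is fixed only so the demo
# is reproducible; a real system draws a fresh random salt for every user.
_DEMO_SALT = b"example-only-salt"
USERS = {"alice": (_DEMO_SALT, _hash_password("correct horse battery", _DEMO_SALT))}


@dataclass
class Session:
    user: str
    ip: str          # the "entrance" the wristband was issued at
    user_agent: str  # the "device" it was issued to


class SessionStore:
    """Server-side session store: the cookie is an opaque random token, nothing more."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Keep only a hash of the token server-side, so a leaked store does not
        # hand out live cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, password: str, ip: str, user_agent: str) -> Optional[str]:
        """Check ID once; on success hand out a fresh wristband (the cookie value)."""
        record = USERS.get(user)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, ip, user_agent)
        return token

    def check(self, token: str, ip: str, user_agent: str) -> Tuple[Optional[str], str]:
        """Every later request shows the wristband; verdict is 'ok', 'mismatch' or 'unknown'."""
        session = self._sessions.get(self._key(token))
        if session is None:
            return None, "unknown"
        if session.ip != ip or session.user_agent != user_agent:
            # The old-style tell: same wristband scanned from a different entrance or device.
            return session.user, "mismatch"
        return session.user, "ok"

    def logout(self, token: str) -> None:
        """Cut the wristband off server-side; the cookie string is now worthless."""
        self._sessions.pop(self._key(token), None)


def demo() -> Dict[str, str]:
    """Three requests carrying the same cookie, as the bank's server sees them."""
    store = SessionStore()
    home_ip, home_browser = "203.0.113.5", "Firefox/125"  # constructed client details
    cookie = store.login("alice", "correct horse battery", home_ip, home_browser)
    assert cookie is not None

    return {
        # Alice clicks around her own bank tab.
        "alice_herself": store.check(cookie, home_ip, home_browser)[1],
        # Classic hijack: the cookie was copied and replayed from elsewhere.
        "stolen_and_replayed": store.check(cookie, "198.51.100.77", "curl/8.6")[1],
        # Man-in-the-browser: malware fires a request from Alice's own browser.
        # Same entrance, same device, same wristband: the server cannot tell.
        "man_in_the_browser": store.check(cookie, home_ip, home_browser)[1],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

Tying a session to the IP address and browser string is only a heuristic (phones change networks constantly, and an attacker who can steal a cookie can usually copy a user-agent string too), and the third scenario shows its real limit: a request from the victim’s own browser passes every check the door can make. That is exactly why the conversation has shifted to what happens after the wristband is issued.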
The Part That Changed
Even with all of that, there used to be a tell. These attacks felt mechanical. You could usually spot the bad actor because their behavior didn’t quite fit the mold. They moved too fast, clicked in the wrong order, or came from a location that made no sense. There were patterns you could catch if you were paying attention. The puppet might have been wearing the right wristband, but it still moved like a puppet.
That’s not the world we’re in anymore. The same AI tools that are helping companies build smarter products are also helping attackers build smarter attacks. They can study and mimic the way you move your mouse, the speed at which you type, and the way you navigate a site. What used to take a team of skilled hackers weeks to pull off can now be automated and scaled in ways that weren’t possible even two years ago. The puppet doesn’t just have the right wristband anymore. It walks, talks, and moves through the venue exactly like you would.
Where We Go From Here
So, how do we protect ourselves when the wristband never leaves our wrist but someone else is still using it?
From the many conversations I’ve had this week, it’s clear that the answer isn’t just a bigger lock on the front door. The bouncer checking wristbands at the entrance isn’t enough anymore. You need someone watching the dance floor too, paying attention to how people move through the venue once they’re inside. If someone with the right wristband starts acting in a way that doesn’t match how the real person usually behaves, the system needs to be smart enough to notice. And increasingly, AI is on both sides of that equation. The same technology making the puppets harder to spot is also what gives the people watching the dance floor a shot at catching them.
And this is where session cookies sit at the center of all of it. Think about it this way: the wristband is the one thing that lets you move freely through the entire venue. Every door, every room, every transaction. If someone can use your wristband without taking it off your wrist, they don’t need your password. They don’t need your six-digit code. They don’t need anything. The wristband is the identity. So right now, the biggest challenge is a simple one: is the person using that wristband actually you?
The next time you’re typing in that six-digit code and quietly rolling your eyes, I get it. My friend at the coffee shop felt the same way. But consider this: that little prompt exists because the system still has a moment where it isn’t sure you’re actually you. It’s the bouncer tapping you on the shoulder in the middle of the venue and asking to see your ID one more time. The day it stops asking is the day it either trusts every wristband completely, or it’s given up trying to tell the real guests from the puppets. I’m not sure which one is scarier.