Forget those annoying one-time text codes – passkeys are revolutionizing the way we secure our online lives!
Imagine this: You're trying to access your bank account, health insurance portal, or even your email inbox, and instead of just punching in a password, you're asked for an extra layer of verification. That's multifactor authentication (MFA) in action, a standard practice these days where you provide two or more proofs of your identity. But not all MFA methods are built the same. Those one-time passwords (OTPs) sent to your phone via text or email? They've got massive weaknesses that hackers can exploit like a gaping hole in a fortress.
Take, for instance, a series of alarming incidents uncovered by email security experts at Abnormal AI. They detailed how cybercriminals targeted academic institutions, tricking victims into handing over not just their usernames and passwords, but also the OTP codes sent by the schools' systems. This is a classic case of phishing gone wrong – or right for the bad guys. By logging in with stolen but legitimate credentials, attackers skip the effort of finding and exploiting software vulnerabilities, making identity theft their weapon of choice. In fact, Microsoft's latest Digital Defense Report highlights identity as the number one attack vector today, especially with AI making phishing up to 4.5 times more effective.
Implementing MFA is crucial for fending off these threats, but the real hero is a phishing-resistant form. As Microsoft's threat intelligence team puts it, 'Phishing-resistant MFA is the gold standard for security.' They emphasize that no matter how the cyber landscape evolves, MFA blocks over 99 percent of unauthorized access attempts, positioning it as the most vital security step any organization can take.
But here's where it gets controversial – are we really saying goodbye to the old-school methods that many still rely on?
Enter the era of passkeys, the sleek upgrade transforming authentication.
MFA options generally fall into three buckets: something you know (think passwords, codes, or security questions), something you have (like a physical token or your smartphone), or something you are (biometric features such as fingerprints or facial recognition). We've seen hardware tokens, authenticator apps, SMS or email passcodes, push notifications for login approvals on paired devices, and even biometrics.
Traditionally, authentication relied on the 'something you know' approach, where users and servers share a secret like a password. The downside? Secrets can be guessed, scribbled on sticky notes, or stored insecurely in plain files – we've all heard horror stories of ransomware victims with recovery codes exposed in plaintext.
Worse, crooks can phish these secrets through fake websites that mimic real ones, capturing usernames and passwords. For OTPs delivered via SMS or email, attackers can intercept or redirect the messages before they reach you, or simply ask the victim to type the code into the fake site. It's like handing over the keys to your digital front door.
That's why experts are championing a shift toward passkeys – a user-friendly wrapper around certificate-based authentication. As Forrester's VP and analyst Andras Cser explained to The Register, 'one of the things that we're seeing is the whole movement away from passwords to passkeys – a certificate-based authentication wrapped in a usability shrink wrap.'
Passkeys embody what's meant by phishing-resistant MFA. They ditch passwords entirely, using cryptographic key pairs instead. The public key sits on the server, while the private key – tied to your face, fingerprints, or a PIN – stays securely on your device.
Major players like Amazon, Google, Microsoft, Apple iCloud, PayPal, and WhatsApp have fully embraced passkeys as a password alternative. Then there are security keys, such as YubiKey devices, which store X.509 certificates and demand your physical presence for authentication.
Gartner's analyst James Hoover told The Register that 'the most secure types of authentication are those classed as phishing-resistant MFA, which would be device-bound passkeys or less commonly X.509 tokens.' He points out that for FIDO2 keys, no proven way exists to steal the private key since it never leaves the device.
FIDO Alliance CEO Andrew Shikiar summed it up perfectly: 'With passkeys, we take that shared-secret model and just blow the whole model up, so there's nothing that can be shared.'
And this is the part most people miss – the convenience factor that's driving adoption.
Some passkeys are device-bound, meaning they're tied to a single gadget. But multi-device passkeys sync across your devices via managers like Google Password Manager, iCloud Keychain, or Bitwarden, letting you log in seamlessly on any of them. However, this opens the door to social engineering risks.
As Hoover noted, 'This solves the inconvenience of having to re-enroll each device, but it does potentially open you up to a level of social engineering, because I can get access to that key by convincing you to let my device onto your account.' Think Scattered Spider tactics, where attackers gather intel from social media to impersonate employees and dupe IT support into resetting credentials.
Yet, despite these concerns, Hoover adds that synced passkeys are 'a significant step up from more commonly used password plus SMS or email OTP methods.'
Passkey adoption is skyrocketing, and it's not hard to see why.
The FIDO Alliance, launched in 2012 to tackle interoperability issues and password fatigue, brought together giants like Apple, Google, and Microsoft. They developed the FIDO2 and WebAuthn standards in 2019, with Apple introducing passkeys to iOS, iPadOS, and macOS in September 2022.
Fast-forward three years, and Shikiar estimates over 2 billion passkeys in use. 'That's great – it's a meaningful number – and we'd like to see that grow to 5 to 10 billion, which will really cross the threshold of no turning back,' he said.
A survey by Liminal polled 200 IT pros who've deployed or plan to deploy passkeys, finding 63 percent view them as their top authentication priority for 2026. Among adopters, 85 percent are highly satisfied with the outcomes.
Digging deeper, a confidential FIDO Alliance survey of nine member companies – including Amazon, Google, LY Corporation, Mercari, Microsoft, NTT DOCOMO, PayPal, Target, and TikTok – revealed passkeys boost sign-in success by 30 percent compared to other MFA. They slash login time by 73 percent, averaging just 8.5 seconds versus 31.2 seconds for methods like email verification, SMS codes, or social logins.
For businesses, this translates to real perks. Easier access can boost revenues by reducing cart abandonment during checkout. Early users also report cost savings, with help-desk calls dropping by up to 81 percent for sign-in issues. Plus, there's no more expense on OTPs, resets, or fraud from SMS hacks, as Shikiar noted: 'Once accounts can't be taken over by remote attacks, your attacks go down and your fraud costs go down.'
Still, challenges remain that might surprise some critics.
Usability hurdles persist, particularly for passkeys locked to one OS like iOS or Windows. Transferring to another platform often needs extra tools. And as PwC's Avinash Rajeev, head of the firm's US cyber, data, and tech risk business, told The Register, 'there's always a trade-off between security and ease of adoption.'
For internal users like employees, security trumps convenience, but for customers, a smooth experience wins out – sometimes at security's expense. SMS or email codes, though less secure, are simpler to roll out and grasp; everyone has an email, and waiting a few seconds for a code beats password-only logins.
'It's always a combination of both those factors,' Rajeev said. 'You have to always look at what you're trying to protect, and what you're willing to accept in terms of level of security, while making sure that the user experience is still acceptable enough for your user population.'
So, is the rise of passkeys the ultimate fix, or are we overlooking simpler options that still work for most? Do you think the trade-off between security and usability favors passkeys for everyday users, or should we stick with what we know? Share your thoughts in the comments – do you agree that passkeys are the future, or disagree that they're overhyped? Let's discuss!