Whether you’re logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.
For example, email security shop Abnormal AI documented a recent series of incidents at academic institutions where attackers were able to phish victims into not only entering their usernames and passwords but also the one-time password (OTP) they received from the schools’ servers.
Using someone’s legitimate account credentials is a much more effective avenue for crims than finding a security hole to exploit. Microsoft’s latest Digital Defense Report puts identity as the top attack vector.
Using MFA of any kind is the main way to stave off identity attacks, but what you really want is a method that can stand up to phishing.
“Phishing-resistant MFA is the gold standard for security,” according to Microsoft’s threat intel team. “No matter how much the cyber threat landscape changes, multifactor authentication still blocks over 99 percent of unauthorized access attempts, making it the single most important security measure an organization can implement.”
The rise of passkeys
MFA methods typically fall into three categories: Something you know (a password, code, or security question), something you have (like a token or a smartphone), or something you are (like fingerprints or facial scans). They include hardware tokens, authenticator apps, passcodes sent via SMS or email, push notifications to approve a login on a connected device, and biometrics using physical traits to verify a person’s identity.
Historically, authentication used the “something you know” model, where two parties – a user and a server, or two devices – prove their identity by both knowing a secret like a password or code. The problem here is that someone can guess your secrets, or maybe you put them on a sticky note or in a plaintext file on your desktop.
Criminals can also phish these secrets via phony websites that prompt users to enter their username and password, and intercept one-time passwords (OTP) sent via SMS or email by redirecting the messages before they reach the intended recipient.
“So one of the things that we’re seeing is the whole movement away from passwords to passkeys – a certificate-based authentication wrapped in a usability shrink wrap,” Forrester VP and analyst Andras Cser told The Register.
Passkeys are typically what security folks mean when they say “phishing-resistant MFA.” They replace passwords, and instead use cryptographic key pairs with the public key stored on the server and the private key stored on the user’s device, where it is unlocked by the user’s face, fingerprint, or PIN.
Dozens of major websites including Amazon, Google, Microsoft, Apple iCloud, PayPal and WhatsApp have already implemented passkeys as a full alternative to passwords.
Security keys (often under the brand name Yubikey), physical hardware devices that store X.509 certificates, also fall into this phishing-resistant MFA category, as they require a user’s physical presence to authenticate to an account and service.
“Currently, the most secure types of authentication are those classed as phishing-resistant MFA, which would be device-bound passkeys or less commonly X.509 tokens,” Gartner analyst James Hoover told The Register. “For device-bound FIDO2 keys, there is not currently a proven method of ‘stealing’ them, as the private key itself does not leave the device.”
“With passkeys, we take that shared-secret model and just blow the whole model up, so there’s nothing that can be shared,” FIDO Alliance CEO and executive director Andrew Shikiar told The Register.
Then there are multi-device passkeys – synced credentials that allow users to log into apps on any of their devices and stored in a credential manager like Google Password Manager, iCloud Keychain, or open source Bitwarden. But these are open to social engineering attacks.
“This solves the inconvenience of having to re-enroll each device, but it does potentially open you up to a level of social engineering, because I can get access to that key by convincing you to let my device onto your account,” Hoover said.
He’s talking about Scattered Spider-style social engineering attacks – not phishing – in which attackers typically gather information about an employee from social media and other public sources, then impersonate them in a call to a company’s IT desk, ultimately convincing the help desk to reset credentials or MFA devices.
“But they still represent a significant step up from more commonly used password plus SMS or email OTP methods,” Hoover added.
Passkey adoption is taking off fast
The FIDO – Fast Identity Online – Alliance formed in 2012 to address the lack of interoperability among strong authentication technologies and solve the user problem of remembering too many usernames and passwords across websites and services. Early FIDO Alliance members including Apple, Google, and Microsoft started developing the FIDO2 and WebAuthn standards for passwordless authentication in 2019, and the public got its first look at passkeys in September 2022 when Apple began supporting them in its iPhone, iPad, and Mac computer operating systems.
Three years later, “we estimate there’s over 2 billion passkeys being used,” Shikiar said.
“That’s great – it’s a meaningful number – and we’d like to see that grow to 5 to 10 billion, which will really cross the threshold of no turning back,” he added. “But 2 billion, for technology that’s been widely available for around three years, we feel pretty good about that progress.”
Liminal, an advisory firm focused on digital identity, conducted a survey of 200 IT professionals who have either deployed passkeys already or pledged to do so. It found 63 percent of respondents ranked passkeys as their top authentication investment priority for 2026. Of those who have already adopted passkeys, 85 percent reported strong satisfaction with their decision and the business results seen thus far.
To dig into the business benefits of passkeys, Liminal and the FIDO Alliance conducted a confidential survey [PDF] of nine member organizations – Amazon, Google, LY Corporation, Mercari, Microsoft, NTT DOCOMO, PayPal, Target, and TikTok – that have deployed them for between one and three years.
These companies reported a 30 percent higher sign-in success rate compared to other MFA methods, and said passkeys reduce sign-in time by 73 percent, taking an average of 8.5 seconds per login.
Other authentication methods including email verification, SMS codes, and social login options (sign in with Apple, Google, etc.), took an average of 31.2 seconds.
“If you’re in the business of selling things or content, easier, faster access is going to lead to increased revenues,” Shikiar said, noting that the ease of passkeys helps consumer-facing business eliminate shopping cart abandonment due to people getting frustrated with the time it takes to check out.
“But also, early adopters are finding decreased costs,” he said.
Passkeys reduce help-desk calls, according to early adopters, who reported up to 81 percent fewer sign-in-related help-desk incidents. While they didn’t put a dollar figure on it, companies using passkeys say they also expect cost savings, as this form of authentication reduces costs tied to OTPs, resets, and support interactions.
Plus, passkeys eliminate costs linked to SMS and OTP fraud, according to Shikiar. “Once accounts can’t be taken over by remote attacks, your attacks go down and your fraud costs go down.”
Usability issues linger
So why isn’t everyone using passkeys? There remain some usability issues, especially with passkeys tied to one operating system’s devices (like iOS, Android, or Windows), which usually require third-party tools to transfer to a different OS ecosystem.
“And then there’s always a trade off between security and ease of adoption,” PwC’s Avinash Rajeev, who leads the consulting firm’s US cyber, data and tech risk business, told The Register.
“For internal use cases, like employees and contractors, security is usually the most important, and you can get away with not having the best user experience for your internal population,” he said. “But when you look at the external side for customers, then you have to prioritize user experience, and sometimes that’s at the cost of security. It always comes down to finding the right balance.”
While SMS or email passcodes aren’t as secure as passkeys, many customer-facing websites still use them because they’re easier to implement and understand. The customer already has an email address, and if they don’t mind waiting a few more seconds to receive a security token, it’s an easy process. Plus, it’s still more secure than just using a password.
“It’s always a combination of both those factors,” Rajeev said. “You have to always look at what you’re trying to protect, and what you’re willing to accept in terms of level of security, while making sure that the user experience is still acceptable enough for your user population.” ®