Passkeys Explained: How Passkeys Impact 2FA and MFA
We’re back with another post in our series on passkeys! Before you read on, catch up on our last two posts to learn what passkeys are and how to manage them.
Since passkeys have grown in popularity and more people are starting to use them, we’ve been getting more in-depth questions about how they work with previous authentication tech. In this post, we’ll answer those questions and provide more insight into how passkeys impact and interact with multifactor authentication (MFA).
Are passkeys more secure than MFA?
Essentially, yes.
As we’ve previously established, passwords are inherently flawed. They can be stolen from sticky notes and unsecure digital storage, guessed by brute force, and just aren’t very secure on their own.
The need for an extra layer of password security led to the advent of MFA. MFA is a more secure way to sign in to an online account than using a username and password alone. It requires a person to provide at least two pieces of identity proof, which are called authentication factors.
The most common authentication factors are based on a combination of something a user knows (knowledge), something a user is (biometrics), and something a user physically possesses. Here are a few examples:
- Knowledge: Login credentials, such as an account name and alphanumeric password, PIN, or security question response
- Biometrics: A person's voice, speech patterns, facial scan, or fingerprint
- Physical possession: A key fob, ID card, or physical device that generates a one-time code
2-factor authentication (2FA) is a form of MFA that requires—as the name suggests—two factors of authentication. A common example of 2FA is the two steps that many banks require to log in to online banking accounts: You enter your username and password (factor 1) and then receive a text message to your mobile device with a code that you need to enter for confirmation (factor 2).
So, where do passkeys come into play?
Unfortunately, 2FA isn’t perfect; in some cases, a cybercriminal can still intercept the second factor. Because almost everything needs verification these days, it’s not uncommon for people to suffer from what is known as “push fatigue.” In simple terms, people get sick of things popping up on their phones, and they have a tendency to just swipe away or tap out. But that can be bad news—if your password gets phished and you absentmindedly hit “confirm” on a 2FA pop-up, your account will be compromised.
Passkeys, on the other hand, are virtually unphishable. By design, passkeys are phishing-resistant because they only work on the specific website they were created for. Even if a user lands on a phishing site, the browser won't offer the passkey, because the site's domain doesn't match the one the passkey was registered for; unlike a password or MFA code, there is nothing for the attacker to intercept.
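To make the "only works on the site it was created for" point concrete, here is an added example (not code from the original post or from Dashlane) of the binding checks a passkey-accepting website performs on the server side. It assumes a hypothetical site with relying-party ID "bank.example", constructs the browser and authenticator data inline, and leaves the final signature check out of scope.

```python
import base64
import hashlib
import json

# Constructed relying-party policy for a hypothetical site "bank.example".
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Return (ok, reason) for the origin/RP ID binding checks of an assertion.
    The signature check over authenticator_data || sha256(client_data_json)
    is assumed to run afterwards and is not shown here.
    """
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed request)"
    # The browser records the origin the user actually visited; a lookalike
    # page cannot make this field claim to be the real site.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % client_data.get("origin")
    # Bytes 0..31 of authenticatorData are sha256(rpId) as the authenticator
    # scoped the credential; a passkey made for another site hashes differently.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    if not authenticator_data[32] & 0x01:  # flags byte: bit 0 = user present
        return False, "user presence flag not set"
    return True, "origin and RP ID binding verified"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, shaped as a browser would produce it."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")

# Constructed sample challenge; a real server would use os.urandom(32) per login.
CHALLENGE = b"constructed-sample-challenge-32b"
```

Feeding the checker an assertion made on a lookalike domain fails twice over: the browser-reported origin is wrong, and the authenticator would have scoped the credential to the lookalike's RP ID, so the rpIdHash would not match either.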
Does removing MFA make passwords more vulnerable?
Yes! Don’t get us wrong—2FA is still very much worth setting up on your accounts. While not all services provide options for MFA, many do, and services like Dashlane and Google Authenticator make it easy to generate secure, time-based codes as your second authentication factor. SMS codes are another option, but that option isn’t quite as secure. SMS messages aren’t encrypted, and cases of intercepting SMS authentication codes have been on the rise lately.
Different websites have different trust thresholds. Sites that store your private data might require you to log in with MFA every time, while other sites might allow password logins alone for a set amount of time after the initial MFA verification. Website and app developers know that it’s a delicate balance between proper security and a frustrating login experience, so services are always finding ways to reduce friction in the authentication flow while ensuring that users are who they say they are.
While MFA isn’t infallible—especially when using SMS-based codes—it’s still one more layer of protection between you and a stolen credential. So, if you aren’t using a passkey, make sure you turn on MFA on your accounts wherever possible.
For a community-driven index of websites, apps, and services that offer signing in with passkeys, check out our comprehensive passkey directory.
How will passkeys change the way 2FA and MFA are used?
Short answer: It depends.
As mentioned above, different websites and services require different levels of security for passkey authentication. For example, logging in to a financial app like PayPal requires more security verification than your plant identifier app. Financial sites have a high threshold to ensure that you really are who you say you are; otherwise, there could be fraud and legal implications if the wrong person accesses your account. So, sites like PayPal might still require a second authentication factor, along with your passkey—just to be extra safe. On the other hand, your plant app feels that your passkey is proof enough that it is, indeed, you logging in to check whether that leaf is a weed or a flower.
Will passkeys lead to the elimination of MFA in the near future?
Probably not in the near future, but it’s possible.
When technology evolves, previous versions of that technology become outdated and obsolete. But passkeys won't fully replace passwords anytime soon, and the same goes for MFA.
Passkey technology is still new and evolving. Eventually, passkeys will likely become the gold standard for trusted authentication. But due to adoption still ramping up and websites still building passkey login capabilities, that’s not yet the case. Plus, passkeys aren’t totally bulletproof—while passkeys are incredibly secure, some aspects of this technology still need to be fortified.
As a quick reminder, passkeys use your phone or another supported device to prove that you are who you say you are before letting you into your account. As the technology exists now, if a user sets up a passkey on a particular device and then reuses it on that same device, the website or app will recognize that device and know it can trust the user and their passkey. But if a user logs in with that same passkey on a different device, some websites may not trust that the user is who the passkey says they are. Eventually, presenting your passkey alone will be enough to authenticate you without MFA, but right now, the trust in this new tech is still being earned, so MFA is still a common security standard.
Like passwords, MFA isn’t going anywhere anytime soon. But it’s important to consider the implications of new authentication technology on the old. Eventually, we may live in a world where we can log in everywhere with a single click or tap. But for now, keep using MFA wherever you can. An extra few seconds may seem annoying, but your account security is worth it.