Death to one-time text codes: Passkeys are the new standard in MFA
Whether you’re signing into your bank, health insurance, or email, passwords are no longer the whole story. Multifactor authentication (MFA) is now common, requiring a second or even third form of verification. Yet not all MFA methods are equal: the one-time passwords (OTPs) sent to phones can themselves be stolen, leaving accounts wide open.
Consider a recent set of incidents documented by Abnormal AI, where attackers managed to phish victims into providing not only usernames and passwords but also the OTPs sent by their schools’ servers. In other words, a stolen credential alone isn’t the endgame—the attacker can also hijack the temporary codes that supposedly protect the account. Using stolen credentials is often far more effective for criminals than hunting for a technical flaw to exploit. Microsoft’s Digital Defense Report identifies identity as the leading attack vector in 2024–2025, underscoring the severity of this risk.
MFA remains the main defense against identity-based attacks, but the real goal is phishing-resistant protection. Microsoft’s threat-intelligence team emphasizes that phishing-resistant MFA is the gold standard: it consistently blocks the vast majority of unauthorized access attempts, even as threat actors evolve. In other words, MFA is crucial, but not all MFA methods stop phishing equally well.
The rise of passkeys
Authentication factors fall into three broad categories: something you know (passwords, codes, security questions), something you have (a token or a smartphone), and something you are (biometrics such as fingerprints or facial recognition). The MFA methods built on them include hardware tokens, authenticator apps, OTPs delivered via SMS or email, push approvals on a trusted device, and biometric verification.
Historically, authentication relied on the “something you know” model: two parties prove identity by sharing a secret. The problem is that secrets can be guessed, exposed, written down on sticky notes, or stored in plaintext files. Criminals can also phish these secrets via fake websites that prompt users to enter credentials and intercept the OTPs sent via SMS or email.
As one security researcher explained, the shift away from passwords toward passkeys represents a fundamental rethinking of authentication: a certificate-based approach wrapped in usability enhancements. Passkeys are the modern form of phishing-resistant MFA. They replace passwords with cryptographic key pairs—the public key is stored on the server, while the private key remains on the user’s device and is safeguarded by biometrics or a device PIN.
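To make the key-pair model concrete, here is an added example (not code from the article or from any vendor it names) that simulates a passkey login with Go's standard library: the authenticator generates a P-256 key pair and keeps the private half, the relying party stores only the public key, and each login signs a fresh server challenge together with the origin the browser observed. The origins, challenge sizes and struct names are constructed for the example, and the WebAuthn details it leaves out (rpIdHash, attestation, credential IDs, counter checks) are noted in comments. The point it demonstrates is why a phished assertion is useless: an OTP typed into a look-alike page works anywhere, but a passkey signature is bound to the origin and the one-time challenge, so the relaying attacker's copy fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData mirrors the clientDataJSON fields used here.
type clientData struct {
	Challenge string `json:"challenge"` // base64url of the server's random challenge
	Origin    string `json:"origin"`    // set by the browser, not by the page being visited
}

// Assertion is the authenticator's reply; Signature covers AuthenticatorData || SHA-256(ClientDataJSON).
type Assertion struct {
	AuthenticatorData []byte // real WebAuthn puts SHA-256(rpID), flags and a counter here; simplified to flags+counter
	ClientDataJSON    []byte
	Signature         []byte
}

// Authenticator stands in for a device-bound passkey: the private key is made here and never exported.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// PublicKey is the only key material that leaves the device, at registration time.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedData is what both sides hash: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedData(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign answers a challenge. Origin is what the browser observed, so a signature made on a
// look-alike site is bound to that site's origin and is useless at the real one.
func (a *Authenticator) Sign(challenge []byte, origin string) (Assertion, error) {
	cdJSON, _ := json.Marshal(clientData{base64.RawURLEncoding.EncodeToString(challenge), origin}) // two strings: cannot fail
	authData := []byte{0x01, 0, 0, 0, 0} // flags: user present; sign counter left at 0
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(authData, cdJSON))
	return Assertion{authData, cdJSON, sig}, err
}

// RelyingParty is the server side: it holds a public key only, so a database breach yields no login secret.
type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool // outstanding challenges, consumed on first successful use
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues 32 random bytes that must come back signed exactly once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	rp.pending[base64.RawURLEncoding.EncodeToString(ch)] = true
	return ch, err
}

// Verify runs the checks that make passkeys phishing-resistant: the expected origin, a live
// unused challenge, and a signature that verifies under the registered public key.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %s, expected %s", cd.Origin, rp.origin)
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("unknown or already-used challenge (possible replay)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedData(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify against the registered public key")
	}
	delete(rp.pending, cd.Challenge) // consume only once every check has passed
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("https://bank.example", auth.PublicKey()) // constructed origin
	ch, _ := rp.NewChallenge()
	genuine, _ := auth.Sign(ch, "https://bank.example")
	fmt.Println("genuine:", rp.Verify(genuine), "| replay:", rp.Verify(genuine))
	ch2, _ := rp.NewChallenge()
	relayed, _ := auth.Sign(ch2, "https://bank-login.example") // constructed phishing origin
	fmt.Println("relayed through a look-alike page:", rp.Verify(relayed))
}
```

Running `main` shows the genuine login verifying, the same assertion being rejected on replay because its challenge was consumed, and the assertion produced on the look-alike origin being rejected even though the user "approved" it and the challenge was real. Rewriting the origin field afterwards does not help an attacker either, because the signature covers the hash of clientDataJSON, which is the property the article's "private key never leaves the device" argument rests on.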
A growing ecosystem of support
Many major sites and services have adopted passkeys as a full password replacement, including Amazon, Google, Microsoft, Apple iCloud, PayPal, and WhatsApp. Hardware security keys (often branded as YubiKeys) also fall into this phishing-resistant category, as they require physical presence to complete authentication and rely on strong cryptographic tokens.
Experts note that device-bound passkeys and similar X.509 tokens are among the most secure authentication methods available today because the private key never leaves the device. In the words of a leading thinker in the field, passkeys disrupt the traditional shared-secret model and eliminate the risk of secret leakage.
There’s also the option of multi-device passkeys—synced credentials that let users log into apps on any device via credential managers like Google Password Manager, iCloud Keychain, or Bitwarden. However, these can still be vulnerable to social engineering, where an attacker manipulates a user into granting access or adding a rogue device.
Even so, passkeys represent a substantial improvement over password plus SMS or email OTP methods, and they’re widely regarded as a major advance in authentication security. Experts also cite social-engineering-focused attacks, such as those used by Scattered Spider, as a reminder that attackers may still find ways to exploit human factors, even with strong technical protections.
Adoption and impact
The FIDO Alliance, formed in 2012 to tackle interoperability issues and drive user-friendly strong authentication, laid the groundwork for passkeys. The collaboration among Apple, Google, and Microsoft helped popularize the FIDO2 and WebAuthn standards for passwordless access, with Apple’s 2012-era introduction of passkeys ushering in broader awareness.
Today, estimates place passkeys in use by billions, a sign of rapid adoption over a short period. Industry researchers believe the user base could eventually reach 5 to 10 billion passkeys, a tipping point that would make password-based security increasingly obsolete.
A recent survey of IT professionals who have deployed or committed to passkeys shows strong momentum: about 63% identified passkeys as their top authentication priority for 2026, and among those who have already adopted them, 85% report high satisfaction with results.
Business value and cost considerations
A confidential study involving nine organizations that have deployed passkeys (including Amazon, Google, Microsoft, PayPal, and TikTok) found notable benefits. These companies reported roughly a 30% higher sign-in success rate compared with other MFA methods and a 73% reduction in sign-in time, averaging 8.5 seconds per login. In contrast, other methods—such as email verification, SMS codes, or social logins—took about 31.2 seconds on average.
Beyond convenience, passkeys can drive revenue by reducing cart abandonment and accelerating customer experiences. Early adopters also reported fewer help-desk calls related to sign-ins—even as much as an 81% drop—leading to potential cost savings from fewer OTP resets and lower fraud costs linked to SMS-based attacks.
Usability challenges remain
Despite the momentum, not everyone has embraced passkeys yet. Some friction remains when passkeys are tied to a single operating system, requiring third-party tools or cross-OS transfer for users who switch devices. There’s also a constant balance to strike between strong security and a smooth user experience, particularly for external (customer) access where user-friendliness can matter as much as protection.
SMS and email-based codes remain common because they’re easier to implement and understand, even if they’re not as secure as passkeys. In many cases, offering a choice between security and usability is necessary to meet the needs of a diverse user base. The key is aligning protection level with what’s at stake and ensuring a reasonable user experience for the target population.
Bottom line
Passkeys and other phishing-resistant MFA approaches offer a compelling path toward stronger, more convenient authentication. While not a perfect solution in every scenario, the combination of device-bound cryptographic keys, robust standards, and growing ecosystem support makes passkeys a leading candidate for securing identities in 2025 and beyond. As the digital landscape evolves, embracing phishing-resistant options can significantly reduce unauthorized access and related costs, while still keeping the login experience approachable for everyday users.