1. Introduction

Today, cyber security is one of the most important areas for any digital company. Multi-Factor Authentication (MFA) stands as a wall against many threats in the modern world. Traditionally, MFA has been synonymous with the use of additional steps during authentication typically

• something you know (like a password) combined with
• something you have (such as a mobile device) or
• something you are (like a fingerprint).

While effective, these methods often introduce friction in the user experience, prompting the need for a more seamless approach.

In 2022 passkeys entered the stage and were introduced as the new login standard being backed by Apple, Google and Microsoft. This new groundbreaking innovation is poised to redefine the landscape of MFA. Passkeys, a cornerstone of passwordless continuous authentication, offer a more secure and user-friendly alternative tfo traditional passwords. By leveraging cryptographic keys, they ensure a higher level of security, virtually eliminating the risks associated with weak or stolen passwords. Moreover, passkeys offer out-of-the-box MFA.

This blog post is dedicated to explain the potential of an advanced form of MFA which is often referred to as

• Invisible Multi-Factor Authentication (IMFA) or
• Silent Multi-Factor Authentication (SMFA) or
• Always-on Multi-Factor Authentication

This approach ensures continuous, convenient verification of a user's identity, enhancing security without sacrificing the user experience like it is done with traditional MFA methods.

In particular, well analyze how passkeys enable a frictionless yet secure MFA process, marking a significant leap towards an era of silent, continuous MFA.

2. Understanding Passkeys: A Brief Overview

Passkeys represent a significant shift in the paradigm of user authentication, marking a departure from the traditional, often cumbersome, password-based systems. At their core, passkeys are a form of passwordless authentication, relying on cryptographic keys rather than alphanumeric strings that are easily forgotten, guessed, or compromised (especially since you should use a different password for each website / app that you register for, the human brain cannot simply remember them and password managers are only a cure to the symptom read also our blog post why even the most complex password is not secure anymore).

Unlike traditional passwords, which are static and vulnerable to various forms of attack (like phishing, credential stuffing, theft or brute-force attacks), passkeys operate on a more secure framework. A passkey is essentially a pair of cryptographic keys: a private key that remains securely stored on the user's device, and a public key that is shared with the service or application being accessed (the relying party). This system ensures that the actual authentication process happens locally on the device, significantly reducing the risk of remote attacks. Due to the fact that the private key cannot be exported via API, it cannot be stolen from a device.

The true beauty of passkeys lies in their dual nature, embodying a form of two-factor authentication (2FA) while maintaining the best login experience. The 2FA process behind passkeys involves two critical elements:

1. Something You Have (the Private Key on the Device): The first factor is the device (authenticator), such as a smartphone or laptop, that holds the private key. The private key remains securely stored on the device (e.g. in a secure enclave or TPM) and thus maintaining a high level of security.
2. Something You Are (Face or Fingerprint): The second factors involves biometric authentication, such as a fingerprint or facial recognition, to authenticate the usage of the passkey. This layer ensures that only the rightful owner of the device can use the passkey.

3. What's Wrong with Traditional MFA?

Multi-Factor Authentication (MFA) has long been recognized as a critical component of cybersecurity. Traditionally, MFA methods such as One-Time Passcodes (OTPs) or Time-Based One-Time Passcodes (TOTP) sent via SMS or email, hardware tokens and authenticator apps have added an extra layer of security to user accounts. However, these methods come with significant limitations. The inconvenience of entering additional codes, taking care of hardware or responding to prompts often leads to user resistance, with many opting for MFA only when mandated. The reluctance to adopt MFA is partly due to its perceived inconvenience for users and cost implications for companies. In simple terms:

Lets dig a bit deeper to really understand the frustration and hate against traditional MFA.

3.1 Users Hate MFA (MFA Fatigue)

Users simply hate MFA and their resistance is not unfounded. For instance, as of December 2022, only 28% of Microsoft users utilized MFA, despite 99.9% of compromised Microsoft accounts lacking MFA protection. This phenomenon of users neglecting MFA is often also referred to as MFA fatigue. But where does this hate actually come from. This will be answered in the following.

3.1.1 MFA Setup and Compatibility is a Pain

Setting up MFA can be a daunting task for many users, especially when they encounter compatibility issues with modern devices or if QR code scans are not working as expected. From my personal experience, I use Google Authenticator to store my personal TOTPs, 1Password to store some other TOTPs that I want to share with my team and also Authy for synced TOTPs (and as Sendgrid only allows Authy). This heterogeneity is mainly due to limitations by the services where I want to set up MFA and they do not always support all authenticators (Google authenticator is probably the one with biggest adoption though).

Moreover, MFA setup depends a lot on how much love and user education is put into the description of the required steps and error messaging. This initial hurdle often leads to users frustration and reluctance to use MFA.

3.1.2 Users Don't Understand MFA Benefits

The absence of adequate user training and risk communication contributes to widespread misunderstandings about MFA. Users often express confusion over how MFA systems work and the additional security benefits they provide. Very often a strong, unique and complex password is perceived to be good enough. However, even under these circumstances, attacks like phishing cannot be prevented. To dig deeper into this topic, we recommend to read our blog post on why also your most complex password will be cracked soon.

3.1.3 Users Only Use MFA If Forced

Users commonly report feeling obligated to use MFA by their employers, educational institutions or apps they want to use. This enforced usage, coupled with a lack of understanding of its benefits, breeds resentment and a reluctance to comply. The general sentiment is that MFA is a burden rather than a benefit, especially when it necessitates using a secondary device for urgent access. MFA is no fun. Users would never opt-in voluntarily or do you know of anyone who likes to use a second device just to get quickly access to an app in urgent need?

Source: https://gitnux.org/[two-factor-authentication](/blog/2sv-vs-2fa)-statistics/

3.1.4 Incompatibility with Password Managers

Many users find that MFA solutions do not integrate well with password managers, leading to inconvenience and frustration. Of course, there are some password managers that can be used as (T)OTP authenticators but still it depends a lot on the employed MFA by the website or app (see 3.1.1). For instance, some users must download specific apps just to log into their accounts, which they find counterintuitive and inefficient. Moreover, I can use certain authenticator like Google Authenticator on one site, where other authenticators like Authy or 1Passwords built-in authenticator do not work. This is very confusing to users.

3.1.5 Overload of TOTPs

Just think of how many TOTPs you have added to your authenticator app. In a modern world, where you are using several digital services be it for work or private reasons youll automatically end up in having 20+ different TOTP codes in one authenticator app. The challenge of managing an excessive number of TOTP codes in authenticator apps is a significant source of frustration. Users struggle to navigate through numerous codes, some used frequently and others rarely. While better apps with advanced features exist, their complexity can be overwhelming and paradoxically undermine their utility.

3.1.6 App Switching in MFA is Frustrating

The typical process of logging into a service using MFA on a mobile device is far from seamless. Users often have to:

• Navigate away from the service app to the home screen.
• Open the authenticator app to retrieve the MFA code.
• Waiting for the MFA OTP to arrive.
• Memorize or copy the code.
• Switch back to the original service app to enter the code.

While each step might seem minor, the frequency of this process amplifies its inconvenience. The need to repeat these steps multiple times a day, especially when users are logged out after short periods of inactivity, turns MFA into a time-consuming task. In general, the process lacks integration and fluidity, feeling more like a series of disjointed steps rather than a cohesive security measure. The act of switching between apps does not in itself enhance security, especially when the phone remains unlocked throughout the process.

The absence of integration between service and authenticator apps shows the inconvenience. The user experience could be vastly improved with more sophisticated integration, such as automatic code retrieval or streamlined app transitions (the only real innovative UX feature is probably Apples automatic SMS OTP filling). Without these improvements, the current process is perceived as an unnecessary and time-consuming chore, detracting from the UX and impacting the adoption of MFA.

3.1.7 MFA is Slow

In an age where time is precious, the speed (or lack thereof) of MFA can be a pain for users.

One of the most common frustrations with MFA is the delay in receiving (T)OTPs, especially when sent via SMS or email. Users often experience long waits, sometimes several minutes, to receive these crucial codes. This delay is not just inconvenient; it's often seen as unacceptable in today's fast- paced digital environment.

The delay in accessing accounts due to MFA can have a tangible impact on productivity. For instance, accessing a bank account using email as a factor might take up to 72 seconds, and using SMS might slightly reduce this to around 67 seconds. Even methods perceived as faster, like push-based mobile apps, can take almost a minute.

This waiting period, though seemingly brief, can disrupt a user's workflow significantly. It forces a shift in focus, pulling users away from their immediate tasks and requiring them to wait idly for access to their accounts.

The delivery of MFA tokens is often inconsistent and can be influenced by various external factors. For example, if a user requests an OTP via SMS, the delivery might be delayed due to being out of range of a cell tower, on a flight, or due to carrier-related issues. Such variability introduces an element of unpredictability and frustration, especially for users who need timely access to applications for urgent tasks.

3.1.8 Manual and Cumbersome MFA Reset Process

Dealing with MFA reset is particularly challenging when a secondary device used for authentication is lost or stolen. The recovery process usually involves handling special codes or backup mechanisms, which add another layer of complexity to the user's digital security management. In many cases, you even have to call the support team to regain access to your MFA-protected account. Zapier even sent out this email proactively to their customers as MFA recovery is causing a huge headache to companies:

3.1.9 MFA Backup is a Pain

The issue of secure backups for MFA is a significant concern. Many users are worried about their ability to securely migrate MFA credentials to new devices. Unfortunately, user-friendly backup solutions are scarce, contributing to the overall reluctance to fully engage with MFA.

Applications such as Google Authenticator, for example, avoid storing MFA code seeds in the cloud by design, treating device ownership as a factor. This approach means users must re-enroll in MFA every time they reinstall the application or change their device, creating inconvenience and potential for loss of access.

Some applications that do offer backup options require users to routinely confirm their backup passwords, a measure intended to address memorization concerns but often leads to user confusion and annoyance.

In the context of disaster recovery, the lack of robust backup and migration capabilities in most applications is alarming. Users are left to devise their own strategies for preserving access in case of device loss or failure, such as printing out recovery codes. However, these methods carry their own risks, such as being compromised in a home fire or other disasters.

The expectation that MFA can be seamlessly integrated and managed without complications is often belied by the reality of complex backup processes and the challenges of securely transferring credentials to new devices.

3.2 Traditional MFA is not Always Secure

Besides the users reluctance to use MFA, there are also some valid concerns about MFAs security depending on individual implementations:

3.2.1 2FA via SMS is Insecure

SMS technology, which debuted in 1992, was not designed with modern security needs in mind. It utilized spare capacity in GSM networks for sending brief messages, a far cry from a secure communication channel envisioned for today's cybersecurity requirements. Despite improvements over the years, the foundational security of SMS has not evolved sufficiently to meet the challenges posed by sophisticated cyber threats.

One of the most glaring weaknesses of SMS-based 2FA is its susceptibility to SIM swap attacks. This form of attack involves a malicious actor tricking a mobile provider into transferring a victim's phone number to a SIM card under the attacker's control. Once achieved, the attacker can intercept SMS messages intended for the victim, including those containing 2FA codes. If the first factor (mostly the password) is also compromised, then its often game over for the user. The persistence of these attacks highlights a critical shortfall in SMS-based 2FA, questioning its viability as a secure authentication method.

Beyond physical theft, SMS-based 2FA is vulnerable to number hijacking. Sophisticated cybercriminals can exploit weaknesses in mobile network security to gain control of a user's phone number. This vulnerability makes SMS an unreliable factor in the 2FA process, as it can potentially allow attackers to bypass MFA protections and access sensitive information or accounts.

3.2.2 Email-Based 2FA: A Security Relic?

Email was introduced in a time when digital communication was in its infancy, used by a small, trusted community. Its original design did not account for the complexities and security challenges of the internet as we know it today. Despite various improvements over the decades, the core security model of email has not kept pace with the evolving cyber threat landscape.

The use of email for 2FA is compromised by several vulnerabilities:

• Interception Risks: Unencrypted emails are susceptible to interception during transit. This vulnerability can expose 2FA codes to unauthorized parties, undermining the security of the authentication process.
• Email Account Compromise: If a user's email account is compromised, attackers gain access to 2FA codes sent via email, effectively bypassing this layer of security.

Despite these risks, many organizations continue to use email for 2FA, often for its convenience and user familiarity, overlooking its security limitations.

3.2.3 MFA Bombing / Flooding Attacks are a Security Problem

The increasing prevalence of MFA bombing or flooding attacks is a growing concern. In these attacks, users are overwhelmed with authentication requests. The aim is to wear down the user until they mistakenly approve a fraudulent request. This could involve numerous or highly targeted prompts to authenticate an MFA request, such as clicking on a link, responding to a push notification, or entering a Time-based One-Time Password (TOTP).

Often, these attacks begin after the attackers have already compromised the first authentication factor, usually the password. This initial breach sets the stage for attackers to potentially gain full access to a user account. As a preventive measure, native app authenticators have introduced features like entering a number or selecting from multiple options to encourage users to think critically before responding to MFA prompts.

High-profile data breaches, such as those at Okta recently and attempted breaches at Cloudflare, underscore the severity of this issue. These incidents demonstrate the sophistication and persistence of attackers in exploiting the MFA process.

Beyond security concerns, MFA bombing attacks can be exceedingly annoying and disruptive for users. Repeated, unwarranted authentication requests not only impair the user experience but can also tarnish the reputation of digital companies. Poorly implemented MFA strategies that lead to such scenarios reflect negatively on the company, potentially damaging trust and credibility.

3.3 MFA is Expensive

In general, employing MFA comes with many direct and indirect costs for organizations.

3.3.1 2FA SMS OTPs Can Let Your Costs Explode

SMS-based OTPs are one of the most popular choice for MFA, but they come with substantial cost implications that are often overlooked. They are favored for their convenience, particularly due to features like autofill on mobile devices and native app integration, which negate the need for additional authentication apps. This convenience is a significant factor in why users often default to SMS OTPs when given a choice.

However, the convenience of SMS OTPs masks the underlying cost issue. The process of resetting MFA, especially when users forget to update their MFA- linked number after changing phone contracts, can lead to a high volume of manual processing for MFA resets. This process is not only complex but also costly.

The cost of sending transactional SMS varies significantly by region. For example, according to AWSs Simple Notification Service (SNS), the cost of an SMS in Australia is approximately $0.04, while in Germany, it is around $0.09. Comparable prices are observed with other major providers like Twilio. Even in countries like the United States, where the costs are lower (around $0.005 per SMS), the total expense can accumulate quickly, especially for organizations dealing with large volumes of messages.

Moreover, the issue of SMS pumping exists. Here, attackers request for a phone number a large volume of SMS OTPs. Often the attackers have agreements with Telcom operators in some countries and get a share of the revenue for the invoked SMSs. If not protected properly with rate limiting or restricting SMS send outs to phone numbers of certain countries, this can cause enormous costs for websites and apps.

See also this blog post about improving SMS OTP costs with passkeys.

3.3.2 MFA Auth Providers Charge Huge Premium Fees For MFA

Furthermore, many authentication providers, like Auth0, FusionAuth, etc. charge heavy premium prices for MFA features and often exclude MFA from basic packages. We gathered a list of some indicative pricing for adding MFA to your product for selected authentication providers:

Amazon Cognito:

• TOTPs via authenticator apps is free for the first 50k monthly active users, then it starts with 0.0055$ per monthly active users
• SMS OTP: the regular SMS costs are charged

Auth0:

• B2C authentication: starting at 240$/month for 500 monthly active users
• B2B authentication: starting at 150$/month for 500 monthly active users

Clerk:

Starting at 125$/month for 10k monthly active users

Firebase Auth:

• TOTPs via authenticator apps is free for the first 50k monthly active users, then it starts with 0.0055$ per monthly active users
• SMS OTP: only 10 SMS/day are free, afterwards the regular SMS costs are charged

FusionAuth:

Starting at 850$/month for the first 10k users (with basic hosting)

SuperTokens:

0.02$ per monthly active users (the first 5k MAUs are free) + 0.01$ per monthly active users on top for MFA (with a minimum of 100$/month for MFA)

4. Why is MFA Still Needed?

Despite the above mentioned challenges around UX, security and costs, experts unanimously agree on the importance of MFA in mitigating password-based attacks. More often regulations in certain industries and countries require the usage of MFA.

4.1 Increased Public Awareness and Incident Response

The mainstream media frequently covers data breaches, compromised services, and privacy concerns, reflecting a growing public interest in cybersecurity. This shift has prompted the industry to strengthen web security postures. As a result, complex passwords and Multi-Factor Authentication (MFA) have become standard requirements on many websites.

From the standpoint of the security industry, MFA simplifies their task of protecting user accounts. In scenarios where MFA is used, the likelihood of a breach succeeding, even with stolen credentials, is significantly reduced. This is because an attacker would also need to compromise an additional authentication factor to gain access.

Given the high incidence of data breaches resulting from stolen credentials, MFA serves as an effective, broad-spectrum solution. By mandating MFA, organizations can substantially mitigate the risk posed by compromised credentials.

4.2 MFA is a Protective Tool Against Account Takeovers (ATO)

MFA has emerged as one of the most effective defenses against account compromise. Its growing ubiquity is a direct response to the increasing focus on cybersecurity. By requiring an additional layer of verification, MFA significantly reduces the risk of unauthorized account access.

4.3 MFA is Cheaper Than Data Breaches

The financial implications of data breaches are substantial. A report by IBM in 2018 indicated that the average data breach could cost a company $3.86 million. Consequently, companies are incentivized to enhance account security to avoid these substantial losses. Implementing MFA is a relatively simple yet effective strategy for achieving this goal.

Source: https://gitnux.org/[two-factor-authentication](/blog/2sv-vs-2fa)-statistics/

5. From Visible to Invisible MFA

The aforementioned disadvantages of todays MFA, the visible MFA, sets the stage for the emergence of invisible or silent MFA. Invisible MFA employs various factors such as device recognition, geolocation data and behavioral biometrics to authenticate users seamlessly. This method is designed to be unobtrusive, maintaining the same security level as traditional MFA without requiring any additional user actions. The user authenticates naturally, using inherent factors like facial recognition, location, or device, making the process invisible. The factors are then used in a risk-engine which is often powered by AI risk analyzers to provide real-time risk scores.

5.1 Better UX, Higher Adoption & Less Costs of Invisible MFA

The advantages of invisible MFA are profound. By enhancing the UX and reducing friction, it promises higher voluntary adoption rates by users and often less costs compared to traditional MFA. Users are more likely to embrace a security measure that doesn't disrupt their workflow or require additional effort. This aspect is especially crucial in scenarios where MFA is mandatory, as it can significantly improve conversion rates and process completion rates: Data has shown that adopting invisible MFA can lead to adoption rates of over 90%, a stark contrast to the 28% observed among average Microsoft users.

5.2 Invisible MFA is More Secure

Invisible MFA also addresses the issue of MFA fatigue and MFA bombing / flooding attacks. By minimizing unnecessary prompts and utilizing risk engines powered by AI analyzers, invisible MFA provides a more secure and user- friendly authentication process. Additionally, the integration of device trust factors further bolsters security.

These advantages of invisible MFA make it evident, that there will be a shift from traditional MFA to invisible MFA. The seamless user experience that encourages wider adoption and better security. Besides that, invisible MFA also aligns with the modern user's expectations for a frictionless digital experience. You can some up the most important differences between invisible and traditional MFA as follows:

Invisible MFA

• Provides user context throughout the digital journey
• Adds friction (i.e. prompts) only when risk appears
• Leverages advanced MFA methods like behavior and passwordless

Traditional MFA

• Provides only point-in-time context, no control before authentication or post authorization
• Adds an MFA prompt every time at authentication
• Uses methods that are easy to hack / bomb (push to text / push to email)

6. How Does Invisible MFA Work?

After taking a look at the benefits of invisible MFA, lets examine how invisible MFA works under the surface. There are three major authentication techniques that count into invisible MFA: device-based authentication, location-based authentication and biometric authentication.

6.1 Device-Based Authentication

Device-based authentication capitalizes on the uniqueness of a user's device, such as a smartphone or computer, as an authentication factor. By linking the device to the user's account, authentication can be seamlessly integrated without the need for additional input from the user. The invisible MFA should be smart enough to counter various device-dependent factors into its evaluation if the access is legitimate.

Some of the device-based factors include: cookies, operating system, browser, screen-size, language, installed fonts, etc.

6.1.1 Pros of Device-Based Authentication:

• Hard to Fake: It's challenging for online attackers to replicate or obtain a user's registered device, thus bolstering the security against unauthorized account access.
• No User Interaction Required: This method simplifies the login process, as it does not require the user to remember or input authentication details.

6.1.2 Cons of Device-Based Authentication:

• Device Security Dependence: The security of device-based authentication is only as strong as the security of the device itself. If the device is compromised through malware or physical theft, it could potentially be exploited to bypass the MFA system.
• New Devices Require MFA Setup: If the users is accessing a service from a new device, then they need to enroll this new device before using it in an invisible MFA process.

6.2 Location-Based Authentication

Location-based authentication utilizes the geographic location of a user's device as a factor. Access is granted if the device is located in a pre- verified, trusted location, such as a home or office.

The way this works is often based on IP addresses which can be translated into geo-locations. By using the IP address and, if its a native device, the GPS location, its easy to determine if the authentication happens from a rather uncommon location.

6.2.1 Pros of Location-Based Authentication:

• Only Known Locations: By validating the user's location, it can effectively prevent access from unrecognized or untrusted locations.
• No User Interaction Required: This method provides an additional context for authentication, enhancing the security framework.

6.2.2 Cons of Location-Based Authentication:

• Location Spoofing Vulnerability: If an attacker can manipulate location data (through GPS spoofing, for example), they could potentially gain unauthorized access.
• Limited Flexibility: Users may face challenges accessing their accounts from new or unregistered locations (e.g. on vacation or business trips).

6.3 Biometric Authentication

Biometric authentication leverages unique biological characteristics of the user, such as fingerprints, facial recognition, or voice patterns, for authentication.

6.3.1 Pros of Biometric Authentication:

• Highest Security Level: Biometric characteristics are extremely difficult to replicate or forge, offering a high level of security.
• User-Unique: Users inherently carry their authentication means, eliminating the possibility of forgetting or losing it.

6.3.2 Cons of Biometric Authentication:

• Highest Security Level: Biometric characteristics are extremely difficult to replicate or forge, offering a high level of security.
• User-Unique: Users inherently carry their authentication means, eliminating the possibility of forgetting or losing it.

While no MFA technique is entirely foolproof, and different methods have their respective strengths and weaknesses, the invisible MFA stands out for its heightened security and improved UX. Invisible MFA integrates various elements, e.g. device recognition and biometric authentication, and can thereby address many of the limitations of legacy MFA methods.

7. Passkeys As Invisible MFA

Passkeys, the vanguard of invisible MFA, are transforming user authentication with their unparalleled security and user-friendliness. Unlike traditional authentication methods, passkeys offer a phishing-resistant authentication system that users find intuitive and familiar, similar to unlocking their personal devices.

7.1 Why Passkeys Stand Out as Invisible MFA:

• Seamless User Experience: Passkeys simplify the authentication process. A user authenticates by simply using their device, often with biometric verification like a fingerprint or facial scan, which they are already accustomed to.
• Advanced Security Features: They utilize cryptographic keys, making them virtually immune to phishing and other common cyber threats. This method significantly elevates security compared to password-based or less sophisticated MFA methods.
• Broad Industry Support: With the backing of major tech players like Apple, Google, and Microsoft, passkeys are become the standard in digital authentication. This wide industry support ensures compatibility and ease of integration across various platforms and ecosystems.

7.2 How Does Invisible MFA via Passkeys Look in Practice?

• Speed Up Checkouts in E-Commerce: Imagine a scenario where a customer is completing an online purchase. Instead of entering a password or responding to an OTP, the customer simply authenticates the transaction with Face ID on their iPhone. This process not only adds a layer of security but also streamlines the checkout process, enhancing the overall user experience.
• Quick & Secure Access For Remote Workers: In times where remote work is common, employees often need to access company resources from various locations. With passkeys, they can securely log in to their work systems without the hassle of traditional VPN tokens or SMS OTPs. Their device (maybe even a company-managed device, see the enterprise passkey offering analysis ), combined with a biometric check, provides a secure yet effortless gateway to access.
• Enjoy Logins in Online Platforms: Users typically manage multiple accounts across various social media and online platforms. Passkeys eliminate the need to remember multiple passwords or go through cumbersome MFA procedures, offering a single, secure method to access all their accounts.

8. How Will Passkeys for Invisible MFA Evolve?

As the adoption of passkeys grows, they are expected to become the first widely accepted form of invisible MFA. This shift will likely lead to a significant increase in the overall use of MFA, as the ease of use and enhanced security offered by passkeys align perfectly with the needs of the modern digital user.

9. Recovery of Invisible MFA

One of the things we havent touched at invisible MFA yet is the Achilles heel: the recovery process. Coming up with a smart yet user-friendly recovery strategy is important to get things for passkeys as invisible MFA off the ground. Depending on the individual implementation, some strategies could involve the following aspects:

9.1 Decentralized Recovery Mechanisms

Leverage blockchain technology to create a decentralized recovery process. By storing recovery tokens or credentials on a blockchain, users can regain access to their accounts securely and transparently, minimizing the risk of central data breaches.

9.2 AI-Powered Identity Verification

Utilize AI algorithms for dynamic identity verification based on user behavior and usage patterns. In the event of account lockout, the system can verify the user's identity by analyzing past behavior patterns, providing a seamless recovery process.

9.3 Emergency Contact Authentication

Introduce an 'emergency contact' feature, where a trusted contact can help authenticate the users identity. This method would involve predefined protocols to ensure that the process is secure and reliable.

9.4 Multi-Channel Verification Process

Combine different communication channels (like email, SMS, and voice call) for a multi-tier recovery process. Users can choose the most convenient channel at the time of recovery, enhancing flexibility and accessibility.

10. Conclusion

All in all, this exploration into invisible MFA and the role of passkeys offers a glimpse into the future of digital security. Its evident that we need a new, invisible form of MFA. Users are frustrated with current offerings, they are costly and often lack the security features they actually promise. Using passkey-based system as an invisible MFA method seems like a great strategy to solve the mentioned issues. For those looking to delve deeper, stay up-to-date in the passkeys world or implement these solutions, feel free to subscribe to our passkeys Substack or join our passkeys community on Slack.