Understand the security differences between passkeys and 2FA, a must-read for everyone prioritizing robust user authentication.
Daniel
Created: September 5, 2023
Updated: September 3, 2024
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to help you understand passkeys and its characteristics better.
MFA is often used to make authentication more secure by adding further factors to the traditional username and password. However, MFA workflows are inconvenient for users and, as we will see, not as secure as one might expect. Passkeys address both problems.
Today, we want to explain the differences between regular 2FA and passkeys to create a better understanding of the different authentication methods.
When you sign in to an online account, you prove to the service that you are who you claim to be; this is called authentication. Traditionally, that has been done with a username and a password. As explained in previous articles, that is not a very good way to authenticate. The first piece of information, the username, is typically easy to discover, as it is often just the user's email address. The second and supposedly secret piece of information, the password, is harder to obtain, but not by much: password hashes leaked from a breached database can often be cracked within seconds on modern hardware, and even a strong password can simply be phished. Compounding the issue, users often choose weak passwords and reuse them across several accounts, so one set of stolen credentials lets an attacker breach multiple systems.
123456 is still the most used password on the internet, and more than 50% of users reuse their passwords.
That's why many online services - banks, social media, e-commerce - have added an additional layer to make user accounts more secure. You may hear it called "Two-factor Authentication (2FA)" or "Multifactor Authentication (MFA)". If 2FA or MFA is enabled, you need more than just the username and password. You need a second factor to prove who you are.
A factor in authentication is a way of confirming that an access attempt is legitimate when you try to sign in. The three most common kinds of factors are:
Knowledge-based factors are something you know, such as a password, a PIN or the answers to personal security questions.
Possession-based factors are something you have, including hardware and software security tokens (e.g., a digital certificate or a badge with an embedded chip) as well as mobile-friendly options such as SMS one-time codes, authenticator apps or confirmation in a service's native app.
Inherence-based factors rely on biological traits unique to the user and can include biometric authentication methods like fingerprinting, iris scans, and face and voice recognition technology.
Passkeys are one example of a 2FA solution: a passkey's private key is bound to the device or credential provider holding it (first factor: possession-based), and using it requires user verification, typically biometrics (second factor: inherence-based) or, as a fallback, the device PIN or password (knowledge-based). Either way, two factors are checked in a single gesture.
2FA is a subset of MFA, the umbrella term for any authentication that uses more than one factor to verify a user's identity.
Let's say you're going to log into your PayPal or Microsoft account, and you enter your username and password. If that were all you needed to do, then anybody who knows your username and password could sign in to your account from anywhere in the world.
But if you have 2FA enabled, things get more interesting. To log in, you first enter your username and password as usual, then you are prompted for your second factor to verify your identity. Depending on the website or app, you have different options for that second factor. For instance, on the PayPal website, you can use an SMS OTP or a confirmation in the PayPal native app to prove your identity.
Even though MFA makes it considerably more difficult for attackers to breach an account than single-factor authentication, it is still far from ideal:
First, MFA adds friction to the login ceremony: the user has to leave the website or app, open another application (or wait for an SMS) and copy a code back.
Second, most websites still rely on a password as one of the factors, and passwords are easily phished, leaked or guessed. Worse, the common second factors (SMS codes, TOTP codes from an authenticator app) are phishable too: an attacker who tricks the user into entering a code on a fake site can relay it to the real site within its validity window.
Lastly, possession-based factors can be lost or stolen, e.g. physical devices such as an access card. Recovering such factors, for instance authenticator apps or security tokens, is usually a burdensome process. If you lose or break the smartphone your authenticator app is installed on, every 2FA enrollment has to be reset and configured anew, which often means dealing with service hotlines and can cost a substantial amount of time depending on the number of linked services. As a consequence of this friction and the painful recovery, the activation rate of MFA among users is only around 28%.
Fortunately, passkeys solve the problems with MFA described above. As already explained, passkeys are a 2FA method in themselves, so there is no second app to open and no additional device to pull out. Technically, passkeys rely on public-key cryptography: at registration, the device generates a key pair for that specific site and sends only the public key to the server; the private key never leaves the device (or the user's credential provider). At login, the server sends a random challenge, the browser records the site's origin, and the device signs both, after the user unlocks it with biometrics or the device PIN. This gives passkeys three properties passwords and OTPs lack. A server breach yields only public keys, which are useless to an attacker. Each passkey is bound to one site, so there is nothing to reuse across services. And the browser only lets a passkey be used on the domain it was registered for, and the signed response names that origin, so a look-alike phishing site cannot obtain a valid login even if the user is tricked into trying. Taken together, passkeys are the most secure authentication method widely available today.
Passkeys add no friction because there is no extra step such as opening an email, an SMS or another app. At the same time, they remain a 2FA method, as they rely on two factors: possession of the device holding the key and the user's biometric (or device PIN) verification.
Furthermore, passkeys are convenient as biometric login is the fastest login method and most users are already familiar with the underlying technologies such as Face ID, Touch ID or Windows Hello. This will boost adoption of 2FA among users.
Also, using passkeys across different devices is much more convenient than with traditional 2FA: passkeys can be synced through the platform's credential manager, and a passkey on your phone can be used to sign in on another device by scanning a QR code, with no re-enrollment per device.
Passkey implementation of PayPal
Passkey implementation of eBay
Now, it's the time to get started. Digital first movers like PayPal, eBay and others already implemented passkeys. When will you?
Explore Corbado's passkey-first solution. Sign up for a free account to get started.