Are passkeys considered a form of two-factor authentication?

Vincent Delitz

Created: January 31, 2025

Updated: January 31, 2025

Are passkeys considered a form of Two-Factor Authentication?

Passkeys provide strong authentication but do not fit the traditional definition of two-factor authentication (2FA). Instead, they belong to a more advanced category of authentication methods that eliminate the weaknesses of traditional password-based 2FA solutions.

Understanding Two-Factor Authentication (2FA)

Traditional 2FA requires authentication from two distinct categories:

  1. Something you know – A password or PIN.
  2. Something you have – A smartphone, hardware token, or SMS OTP.

For example, logging into a bank account with a password (knowledge) and confirming it via an SMS OTP (possession) qualifies as 2FA. However, this method is vulnerable to phishing, SIM swapping, and social engineering attacks.

How Do Passkeys Differ from Traditional 2FA?

Passkeys do not rely on passwords and work as a single authentication factor using public-key cryptography. Here’s how they compare to traditional 2FA:

| Feature | Traditional 2FA | Passkeys |
| --- | --- | --- |
| Phishing-resistant? | ❌ No (passwords, SMS OTPs can be stolen) | ✅ Yes (cryptographic authentication) |
| User experience | Cumbersome, requires multiple steps | Seamless, one-tap authentication |
| Reliance on passwords | ✅ Yes | ❌ No |
| Meets PSD2 SCA requirements? | ✅ Yes, but prone to attacks | ✅ Yes, with better security |

Are Passkeys 2FA or Multi-Factor Authentication (MFA)?

  • Passkeys meet the security goals of 2FA but without requiring two separate steps. Instead of requiring a password + OTP, they bind the authentication to the user’s device and biometrics, such as fingerprint or Face ID.
  • Since passkeys rely on device possession (hardware-bound keys) and biometrics (inherence), they fulfill multi-factor authentication (MFA) requirements within a single step.

Are Passkeys PSD2-Compliant?

Yes. Under Strong Customer Authentication (SCA) in PSD2, authentication must include:

  • Something the user has (a registered device with a private key).
  • Something the user is (biometric authentication).

Passkeys fulfill these requirements in a seamless, phishing-resistant way, making them an ideal alternative to traditional 2FA for banks and fintech companies.
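
How a server can read that factor evidence from a passkey login, as an added example that is not code from the original article: the WebAuthn authenticator data in each assertion carries a hash of the relying party ID plus flags for user presence (UP), user verification (UV) and backup eligibility (BE), which map onto the possession and biometric factors in the MFA bullets and the PSD2 list above. The function names, `bank.example` and the sample bytes are constructed for illustration, and the signature, challenge and origin checks of a full WebAuthn verification are assumed to happen separately.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # user present (touch / tap)
FLAG_UV = 0x04  # user verified on the device (biometric or device PIN)
FLAG_BE = 0x08  # backup eligible: credential may be synced across devices


@dataclass
class FactorEvidence:
    rp_bound: bool       # assertion was minted for our relying party ID
    user_present: bool
    user_verified: bool
    device_bound: bool   # True when the credential is not backup eligible
    sign_count: int

    @property
    def multi_factor(self) -> bool:
        # Possession (key scoped to our RP ID) plus on-device user verification.
        return self.rp_bound and self.user_present and self.user_verified


def inspect_authenticator_data(auth_data: bytes, expected_rp_id: str) -> FactorEvidence:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return FactorEvidence(
        rp_bound=hmac.compare_digest(auth_data[:32], expected_hash),
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        device_bound=not (flags & FLAG_BE),
        sign_count=sign_count,
    )


def build_sample(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample header (hypothetical helper), not captured traffic."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = build_sample("bank.example", FLAG_UP | FLAG_UV)
    print(inspect_authenticator_data(sample, "bank.example"))
```

An assertion with UP set but UV clear proves possession of the key only, so a policy that relies on passkeys for SCA would reject it or step up.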

Conclusion: A More Secure Alternative to 2FA

Passkeys go beyond traditional two-factor authentication by:

  • Eliminating passwords and shared secrets.
  • Providing phishing-resistant authentication.
  • Meeting PSD2 SCA security requirements in a more user-friendly way.

While passkeys are not 2FA in the traditional sense, they achieve the same (or better) security benefits in a more user-friendly way.
