
Passkeys in the USA: Passkey Regulation in the US

How are passkeys regulated in the US? Learn about the latest executive order of the US government on cybersecurity & advances in phishing-resistant MFA

alexander petrovski

Alex

Created: February 25, 2025

Updated: March 21, 2025


Our mission is to make the Internet a safer place, and passkeys, the new login standard, provide a superior way to achieve that. That's why we want to help you understand passkeys and their characteristics better.

1. Introduction

In 2020, hackers cracked into President Donald Trump’s Twitter account using a shockingly simple password: “maga2020!”. If such a high-profile account could be breached so easily, what does that tell us about the state of cybersecurity in the United States?

In this blog post, we’ll explore:

  • Why current authentication methods, including traditional 2FA, fail in many of today’s threats
  • What the U.S. government is doing to strengthen cybersecurity, especially around identity management
  • How passkeys offer a future-proof, phishing-resistant solution for individuals and businesses

2. High-Profile Breaches Reveal Weak Authentication Practices

Traditional authentication methods, like passwords or even basic two-factor authentication (2FA), are no longer sufficient against modern cyber threats. Phishing, social engineering, and sophisticated nation-state attacks continue to bypass outdated security measures, placing individuals, businesses, and government agencies at significant risk.

2.1 Weak Passwords Continue to Plague High-Profile Accounts

The Trump Twitter hack wasn’t an isolated incident. Numerous high-profile breaches highlight the persistent vulnerabilities in securing digital identities. From celebrity social media takeovers to corporate data theft, inadequate passwords and outdated authentication methods remain the leading contributors to security breaches.

The Trump Twitter incident perfectly illustrates how even prominent figures fall victim to guessable passwords like “maga2020!”. Despite countless warnings and best-practice guidelines, users continue to rely on familiar or weak passwords, which makes brute-force and dictionary attacks easier than ever. You cannot judge them for it.


2.2 MFA Fatigue: When Security Measures Become a Burden

While traditional 2FA was once considered a gold standard for account protection, it has developed weaknesses:

  • User Inconvenience: Added friction, such as receiving push notifications, SMS codes, or app-based prompts, can frustrate users. This leads many to disable or not activate MFA in the first place.
  • Exploited Loopholes: Attackers have adapted to MFA’s prevalence. Tactics like “MFA bombing” spam users with repeated push notifications until they accidentally grant access. SMS-based codes are also vulnerable to SIM swapping, enabling attackers to intercept one-time passwords.

2.3 Phishing & Social Engineering Remain an Issue

Even when 2FA is in place, phishing and social engineering often circumvent these safeguards:

  • Phished 2FA Codes: Cybercriminals have developed ways to capture 2FA tokens in real-time, effectively neutralising an additional security layer.
  • Human Error: Attackers can exploit users overwhelmed by frequent 2FA push notifications (e.g., through “MFA bombing”) by repeatedly sending approval requests, hoping the user eventually clicks “approve” out of frustration or confusion.

Together, these vulnerabilities demonstrate why more robust, phishing-resistant solutions are needed. Traditional passwords and legacy MFA systems simply aren’t equipped to handle modern, ever-evolving threats.


3. The U.S. Government’s Push Toward Phishing-Resistant Authentication

Recognizing escalating cyber risks, the U.S. government has intensified its focus on cybersecurity. An Executive Order on Strengthening Cybersecurity outlines the key initiatives.

3.1 Federal Response: Strengthening Cyber Defenses

Two main points of the Executive Order stood out as they focus on the authentication domain:

  1. Securing Identity Management Systems: Emphasis on more robust user authentication for federal systems, pushing for phishing-resistant methods that offer more security than passwords or basic 2FA.
  2. Promoting Phishing-Resistant MFA: The Executive Order advocates for modern authentication protocols like WebAuthn and FIDO2, setting a new precedent for stronger security across both public and private sectors.

Despite these efforts, many organizations still rely on outdated authentication methods, leaving gaps that sophisticated attackers continue to exploit.

3.2 Passkeys: A Cornerstone of Modern Authentication

Passkeys align directly with the government’s emphasis on phishing-resistant MFA. By leveraging public-key cryptography and domain-binding, passkeys eliminate the need for shared secrets, thereby lowering the risk of compromise.

  • Zero Trust Architecture: This security model insists on strict identity verification for every access attempt. Passkeys fit seamlessly into this paradigm, offering an easy yet secure login process.
  • Advanced Identity and Access Management (IAM): As federal agencies modernize their IAM frameworks, passkeys offer a secure, scalable solution that meets the new standards for phishing resistance and robust authentication.

By driving these changes, the U.S. government is not only addressing current cybersecurity challenges but also accelerating the broader adoption of passkeys as the new benchmark for secure authentication.

3.3 What does the White House say on Passkeys?

The new Trump administration has not yet made any official announcements regarding passkeys. However, given that Trump himself has been a victim of credential theft (see the introduction section) and that passkeys have the potential to save taxpayers money by reducing SMS OTP costs for government portal logins, we expect that Donald Trump and Elon Musk would be in favor of passkeys.

Notably, all of Elon Musk’s companies (e.g. Tesla, SpaceX, X) internally use YubiKeys, which are based on FIDO2 - the same protocol as passkeys. While it is not feasible to deploy hardware security keys (such as YubiKeys) to the entire U.S. population, passkeys could be deployed as they provide the same phishing-resistant benefits and are a viable solution for large-scale consumer adoption.

4. Passkeys: The Future-Proof Solution for Cybersecurity in the USA

The surge in cyberattacks reveals a hidden truth: traditional authentication mechanisms are no longer sufficient against today’s threats. Weak passwords, easily circumvented MFA methods, and increasingly sophisticated threats call for a solution that is both resilient and user-friendly.

Most current authentication hinges on shared secrets: passwords, PINs, and 2FA codes that can be stolen, phished, or intercepted. Even two-factor authentication has come under attack through techniques like SIM swapping and MFA fatigue. As long as credentials can be intercepted or tricked away from users, they remain a target.

Passkeys solve these issues by using asymmetric cryptography and domain-binding. Attackers have nothing to phish, intercept, or steal, which results in both stronger security and a better user experience.


4.1 Government-Backed Security Standards

The U.S. government has recognized the urgency of cyber threats. Through the Executive Order on Strengthening Cybersecurity, federal agencies are mandated to adopt phishing-resistant MFA, including standards like WebAuthn and FIDO2. This move offers a clear blueprint for both federal entities and private businesses to follow.

Passkeys fully meet these requirements. They provide a phishing-resistant, future-ready method of authentication that not only satisfies existing mandates but also positions organizations to adapt to future regulations.

4.2 Why Businesses Should Act Now

The cost of inaction is on the rise, with data breaches costing U.S. companies billions of dollars each year. Regulatory scrutiny is also intensifying; organizations that lag in adopting modern security measures risk facing both reputational and financial consequences.

By implementing passkeys, businesses:

  • Stay Ahead of Emerging Cyber Threats: Anticipate attackers’ next moves by using technologies that remove common attack vectors entirely.
  • Align with Federal Standards: The government’s push for phishing-resistant MFA signals impending changes in compliance requirements.
  • Enhance Trust and User Experience: Stronger security fosters customer confidence, and a frictionless login process can significantly improve user satisfaction.

In a time of continuous cyber threats, passkeys offer the resilient, user-friendly authentication method that both the government and industry experts have been seeking.


5. Conclusion

In this blog post, we saw that current authentication methods, including 2FA, fail in the modern threat landscape because attacks keep growing more complex.

To counter that, the U.S. government is pushing to secure identity management systems and promoting phishing-resistant MFA in accordance with WebAuthn and FIDO2 standards.

In line with this push by the U.S. government, passkeys offer a great solution to counter phishing attacks and save costs on SMS OTPs. Moreover, while the likelihood of wire fraud incidents involving passkeys remains relatively low, these concerns further emphasize the critical need to adopt robust, modern authentication methods.
