Passkeys: better than multi-factor authentication

We're leaving passwords and SMS codes behind. Passkeys are a user-friendly and inherently secure online safety measure.

Have you ever struggled to remember how you devised that really strong password, with only one more attempt before you’re locked out? For years - decades - we’ve been told to make our passwords longer, stronger, and entirely unique for every service, whether it’s a website, an app or something else.

Recently, the UK’s National Cyber Security Centre (NCSC) released a technical paper comparing traditional ways of securing accounts against modern technologies, and made a startling recommendation: it’s time to retire passwords and use passkeys.

Why traditional passwords and SMS codes fail

Passwords are a “shared secret” between you and a service. Fall for a phishing email, click a fake link and provide your login details, and you’ve given an attacker everything they need to impersonate you.

Multi-Factor Authentication (MFA) or Two-Step Verification (2SV) is familiar for most people now. It relies on something you know (your password), and something you have (a text message with a code, a rolling number in an authenticator, or a push notification). It’s better than just a password, but these methods are inherently phishable.

Cybercriminals use Adversary-in-the-Middle (AitM) techniques. In this scenario, you click a fake link to a copycat banking site and provide your password and your SMS or authenticator code when prompted. The attacker can intercept both strings of text in real-time, input them into the real banking website, and impersonate you.

Traditional MFA relies a human handing over text or taking an affirmative action. If you can type a password, input a one-time code or accept a push notification, an attacker can abuse your trust.

Passkeys as the replacement

When you set up a passkey, your device creates a unique cryptographic key pair:

  • A private key that stays inside your device and never leaves it.
  • A public key that is sent to the website or app you’re logging into.

This is not new and untested technology. Public key cryptography was invented within the British intelligence service in the 1970s, and established the principles that today secures everything from websites and VPNs through to contactless payments.

When you sign in, the service sends a digital challenge to your device, typically your phone or laptop. You authenticate as you always do — by fingerprint, face scan, a PIN or something else. Your device signs the challenge using its private key and sends it back.

After a passkey has been set up, you don’t have to remember anything new, or manage an endlessly expanding list of passwords.

How passkeys defeat attackers

The NCSC’s technical analysis explains that FIDO2 credentials (the technology underpinning passkeys) are resistant to these types of credential attacks for several reasons:

1. Cryptographic domain binding

Passkeys are strictly bound to the specific domain (the website URL) where they were created, and your browser/app/device handles this automatically. Even if an attacker perfectly recreates the look of your bank’s login page on 11oydsbank.com instead of lloydsbank.com, your device simply won’t offer the passkey. Human error is completely removed from this problem.

2. There is nothing to phish

Your private key never leaves your device, so there is nothing a phishing site can harvest and reuse. Even if an attacker intercepts the authentication process, they see the one-time digital signature that can’t be reused nor be reverse-engineered.

3. No more “MFA fatigue”

Reports circulate of attackers sending users hundreds of push approval notifications, hoping the exasperated user taps ‘approve’ just to make them stop. With passkeys, the biometric check is only triggered when you are actively trying to log in using that device, never remotely.

4. Safe cross-device login

Have you ever wanted to use a streaming app on a hotel smart TV or a friend’s laptop? Typing into an untrusted device risks exposing your password to malware or keyloggers. To combat this, passkeys use a mechanism called secure cross-device flow:

  • The app displays a QR code and listens for Bluetooth connections.
  • You scan the QR code with your phone camera.
  • The data embedded in the QR code causes the phone to establish a secure Bluetooth connection with the TV/laptop.
  • Your phone prompts you to authenticate, which signs the provided challenge.
  • The signed challenge is sent back to the app over the secure Bluetooth connection.

Using QR codes and Bluetooth proves your phone is physically near to the screen, meaning remote hackers can’t hijack the authentication session.

Convenience and security

We’ve reluctantly learnt that better security for a service generally means making it more cumbersome to use. Passkeys reverse that trend. They are quicker and more user-friendly than typing complex passwords, typing a one-time code before it refreshes, or waiting for a SMS that may expire before it arrives.

Support for passkeys is limited today but the direction has been set. The NCSC wisely notes that if a website or service doesn’t support passkeys yet, the old rules still apply: you should use strong passwords (and a password manager if needed) combined with traditional 2-step verification.

As websites and services roll out passkey support, adopting them is one of the most sensible security steps you can take today. It’s more convenient and more secure for you, and stops current attacks in their tracks.

essential