---
url: 'https://www.corbado.com/blog/cisa-passkeys-authentication'
title: 'CISA Authentication and Passkeys: Why MFA is Not Enough'
description: 'CISA''s latest guide emphasizes passkeys, showcasing the shift towards phishing-resistant MFA as the future of secure authentication'
lang: 'en'
author: 'Vincent Delitz'
date: '2024-08-19T16:02:20.452Z'
lastModified: '2026-03-25T10:00:38.970Z'
keywords: 'cisa, cisa passkeys, cisa authentication, cisa mfa, cisa secure by demand guide passkeys'
category: 'Passkeys Strategy'
---

# CISA Authentication and Passkeys: Why MFA is Not Enough

## Key Facts

- CISA's **Secure by Demand Guide** (August 2024) explicitly incorporates passkeys into
  its recommendations, joining the Essential Eight and NIST guidelines in prioritizing
  phishing-resistant authentication.
- Traditional **SMS-based MFA** and authenticator-app codes remain phishable: a lookalike
  site or an adversary-in-the-middle proxy can trick users into entering a code and relay
  it to the real service in real time, so standard multi-factor authentication does not
  stop account takeovers.
- Passkeys use **public-key cryptography**: the private key never leaves the user's device
  and only the public key is stored on the server, so there is no shared secret for a
  phishing site to capture or replay.
- Each passkey is **bound to the origin** it was registered for: the browser refuses to use
  it on a lookalike domain, and the server rejects any assertion that carries a different
  origin, which makes passkeys phishing-resistant in a way no code-based MFA method can
  replicate.

## 1. Introduction: CISA and Passkeys

The [Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov/) plays
an important role in safeguarding the nation's digital infrastructure. As a U.S.
[government](https://www.corbado.com/passkeys-for-public-sector) agency, CISA is tasked with leading efforts to
protect and enhance the security of the nation's cyber ecosystem. With increasing cyber
threats, CISA regularly updates its guidelines and recommendations to address risks and
ensure that both public and private sectors are equipped with the necessary tools and
strategies to mitigate those risks.

In August 2024, CISA extended its **Secure by Design** initiative with the Secure by
Demand Guide. **This update specifically highlights passkeys for authentication**. Let's
take a look at why this is the case.

## 2. Secure by Demand Guide and Passkeys

The
[Secure by Design guide](https://www.cisa.gov/sites/default/files/2023-10/Shifting-the-Balance-of-Cybersecurity-Risk-Principles-and-Approaches-for-Secure-by-Design-Software.pdf)
is a document that outlines best practices and security protocols to help organizations
develop and maintain secure systems. The latest
[extension (Secure by Demand Guide)](https://www.cisa.gov/sites/default/files/2024-08/SecureByDemandGuide_080624_508c.pdf)
explicitly incorporates passkeys into its recommendations. This inclusion is not an
isolated event but rather a continuation of a broader trend across various security
frameworks, including the Australian Cyber Security Centre's Essential Eight and
[NIST](https://www.corbado.com/blog/nist-passkeys) (National Institute of Standards and
Technology) guidelines, which have also begun to emphasize the
[importance of passkeys](https://www.corbado.com/faq/why-are-passkeys-important).

The focus on passkeys is driven by a critical realization: while multi-factor
authentication (MFA) significantly enhances security, it does not fully address the threat
of [phishing](https://www.corbado.com/glossary/phishing) - a major cause of account takeovers. Traditional MFA
methods, such as SMS-based codes or authenticator apps, produce a one-time code that the
user types in, and anything a user types can be captured. In a
[phishing attack](https://www.corbado.com/blog/3ds-authentication-failed), a malicious actor hosts a lookalike
login page, collects the password and the code, and forwards both to the real service
before the code expires. This [vulnerability](https://www.corbado.com/glossary/vulnerability)
underscores the need for a form of authentication in which there is nothing for the user
to hand over.

Passkeys, which are based on public-key cryptography, offer a solution to this problem.
Unlike traditional MFA methods, passkeys are inherently
[phishing](https://www.corbado.com/glossary/phishing)-resistant because they do not rely on shared secrets that
can be intercepted or tricked out of users. Instead, they use a combination of a private
key stored on the user's device and a public key stored on the server: the device signs a
fresh server challenge, and the server checks the signature with the public key. Each
passkey is also bound to the relying party's domain at registration. If a user is lured
to a [phishing](https://www.corbado.com/glossary/phishing) site on a different domain, the browser refuses to
invoke the passkey at all, and the origin of the requesting page is embedded in the
signed data, so even a relayed assertion would be rejected by the legitimate server.

The push towards passkeys as a standard for authentication reflects that only
phishing-resistant methods can truly protect users in today's landscape.
[Governments](https://www.corbado.com/passkeys-for-public-sector) and organizations worldwide are recognizing
that passkeys represent the future of secure authentication, offering a more user-friendly
and secure alternative to traditional MFA.

## 3. Conclusion

**MFA alone is no longer sufficient to protect against sophisticated phishing attacks.**
Phishing-resistant MFA is becoming the gold standard in authentication. The
[FIDO (Fast Identity Online) Alliance](https://fidoalliance.org/cisa-secure-by-demand-guide-phishing-resistant-authentication-passkeys-by-default/)
has been instrumental in this shift, advocating for stronger, more secure authentication
methods for years. Their work, along with contributions from early pioneers like
[Yubico](https://www.yubico.com/), has laid important groundwork for the adoption of
WebAuthn – the web standard underlying
[hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) and passkeys.

**As passkeys continue to gain traction, they offer a promising future where secure,
phishing-resistant authentication is accessible to everyone**. This shift is not just a
technological upgrade but a fundamental change in how we approach digital security.

**In conclusion, while MFA has served as an essential layer of security, the future lies
in phishing-resistant multi-factor authentication.** Passkeys are currently the only
widely deployed technology that gives consumers a secure, seamless, and resilient way to
protect against these prevalent cyber threats. As we move forward, the adoption of
passkeys will be crucial in building a safer digital world, one that lets all consumers
benefit from the same protection that hardware security keys have long provided to
high-tech companies and governmental organizations.

## Frequently Asked Questions

### Why does CISA consider standard MFA insufficient for protecting against modern cyber threats?

CISA's Secure by Demand Guide recognizes that traditional MFA methods, including SMS-based
codes and authenticator apps, remain vulnerable to phishing attacks where malicious actors
trick users into revealing their credentials. Because phishing is a major cause of account
takeovers, CISA now explicitly recommends phishing-resistant methods such as passkeys as
the stronger alternative.

### How do passkeys technically prevent phishing attacks in a way that SMS MFA cannot?

Passkeys rely on public-key cryptography with no shared secret that an attacker can
intercept or social-engineer out of a user; the device only ever signs a fresh server
challenge. The browser enforces origin binding, meaning it will refuse to use a passkey
on any site whose domain does not match the registered relying party, and the server
independently rejects any assertion whose embedded origin or challenge does not match.
An SMS code, by contrast, is just a string the user can be tricked into typing anywhere.

### Which government and compliance frameworks currently recommend passkeys for enterprise authentication?

CISA's Secure by Demand Guide published in August 2024 explicitly includes passkeys, and
this recommendation aligns with a broader trend also reflected in the Essential Eight and
NIST guidelines. Together these frameworks signal that phishing-resistant MFA is becoming
the gold standard for secure authentication across both public and private sectors.

### What role has the FIDO Alliance played in driving passkey adoption for enterprise security?

The FIDO Alliance has been instrumental in advocating for stronger authentication methods
and, along with early pioneers like Yubico, laid the groundwork for WebAuthn, the web
standard underlying both hardware security keys and passkeys. CISA's Secure by Demand
Guide directly references this shift toward phishing-resistant authentication championed
by the FIDO Alliance.
