European Union Agency for Cybersecurity (ENISA) & Passkeys

Phishing attacks have become one of the most pressing cybersecurity threats across Europe, exposing businesses and individuals to significant risks. Traditional methods of authentication (such as passwords, SMS OTPs, and even app-based solutions) continue to fall short in preventing these increasingly sophisticated cyber threats. Recognizing this urgent issue, ENISA, the European Union’s agency responsible for cybersecurity, recently emphasized the importance of adopting phishing-resistant authentication, particularly passkeys.

In this blog, we are going to focus on these three essential questions:

1. Why does ENISA recognize passkeys as the strongest phishing-resistant MFA solution?

2. What specific guidance does ENISA provide for organizations implementing MFA and why do passkeys align perfectly with these guidelines?

3. Why is phishing-resistant MFA critically important for European businesses today?

ENISA, the European Union Agency for Cybersecurity, is the EU’s central agency dedicated to improving cybersecurity and resilience across Europe. Established in 2004, ENISA’s primary mission is to help member states, European institutions, and businesses safeguard their digital environments and effectively manage cybersecurity threats.

A few of the most important tasks that inlcude ENISAs operating space are:

• shaping cybersecurity strategies

• developing guidelines

• providing practical recommendations for governments and businesses

• coordinating responses to significant cyber incidents

• ensuring quick and effective action to protect infrastructure

Due to its authoritative role, ENISA has substantial influence over European cybersecurity policy and regulation, notably through frameworks such as the NIS2 Directive and the Cybersecurity Act. The agency is widely regarded as a trusted source for cybersecurity best practices, with its recommendations setting benchmarks for protecting Europe’s digital economy.

Given ENISA’s influential position and expertise, their recent recognition of passkeys as the strongest available phishing-resistant authentication signals a substantial step forward in Europe’s cybersecurity landscape. With this endorsement, ENISA sets a clear standard that businesses and public entities across Europe are encouraged to follow.

In their NIS2 Technical Implementation Guide, published on June 26, 2025, ENISA officially acknowledged passkeys (or as named in the guide “a domain, in accordance with Fast Identity Online (FIDO) and W3C WebAuthn standards”) as the strongest available method of phishing-resistant multi-factor authentication (MFA). Within this influential guide, the agency emphasizes passkeys’ unique ability to mitigate vulnerabilities inherent in traditional authentication methods like passwords, SMS codes, or email OTPs. Passkeys provide the best protection by leveraging advanced cryptographic techniques and biometric verification, significantly reducing the risk of phishing attacks.

To evaluate MFA security solutions, ENISA applies stringent criteria including phishing resistance and robustness of underlying technologies. Passkeys consistently outperform other MFA methods according to these benchmarks due to their built-in phishing resistance and seamless user experience (per definition strong MFA methods must be inherently immune to phishing and Man-in-the-Middle attacks, meaning an attacker can not possibly trick a user into revealing credentials).

Furthermore, ENISA’s position aligns with the broader cybersecurity industry’s consensus, echoing similar recommendations from prominent organizations such as the FIDO Alliance, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST).

ENISA’s endorsement in their NIS2 guide carries practical implications for European businesses, signaling a clear incentive to adopt passkeys as the preferred standard for strong authentication. Organizations across Europe are now encouraged, both for cybersecurity resilience and regulatory compliance, to prioritize passkeys in their MFA implementation strategies.

In its NIS2 Technical Implementation Guide, ENISA lays out concrete guidance tips for MFA roll-outs: seamless integration, secure fallback, user empowerment, vigilant operations, and vendor selection. In the following sections, we’ll examine each recommendation in turn and demonstrate how passkeys (the FIDO2/WebAuthn standard) not only meet but exceed ENISA’s criteria for true phishing-resistance, user simplicity, and future-proof compliance.

ENISA’s Recommendation: A robust MFA rollout must include hardened, well-documented recovery paths for users who lose or replace their authentication device. For example defining out-of-band verification steps (for example, a help-desk call with secondary identity checks) and thinking of mechanisms, such as emergency admin overriding or temporary codes, to be used only under strict controls.

Why Passkeys Are Ideal: Unlike one-time passwords tied to a single device, modern passkey implementations allow users to back up their private credentials into a secure, user-controlled vault (e.g. iCloud Keychain or Google Password Manager). If a device is lost, the user simply signs in on a new device and their passkey, protected by biometric or PIN, syncs down securely.

ENISA’s Recommendation: ENISA underscores the importance of user education after rollout. Pilot programs and targeted training help in this case: using a small group of users on board first to uncover UX issues, then rolling out clear documentation and “quick reference” guides. Teaching users how to register and use MFA, and showing them what a genuine versus a suspicious prompt for credentials looks like.

Why Passkeys Are Ideal: Passkeys reduce user confusion to almost zero. There’s no six-digit code to copy or paste, no password to remember and no aditional app to use, just a familiar biometric scan or device-PIN unlock, followed by a single tap. Native browser or OS dialogs (“example.com wants to use your passkey”) reinforce correct origin-checking behavior, training users by design to watch for mismatched domains. The result is fewer help-desk tickets and higher adoption.

ENISA’s Recommendation: Continuous monitoring is key. ENISA advises logging every MFA event (registrations, authentication attempts, successes and failures) and feeding that data into your SIEM or UEBA for real-time anomaly detection. Equally important is keeping all components up to date: the authentication server, client libraries, and any hardware tokens.

Why Passkeys Are Ideal: WebAuthn-compliant libraries emit rich, structured event data (public key IDs, relying-party IDs, user handles) that slide straight into most logging frameworks. And because passkey support lives in mainstream browsers and operating-system updates, you benefit from industry-wide security patches without juggling multiple proprietary clients or firmware versions.

Phishing attacks have rapidly become one of the most pressing cybersecurity threats in Europe. European businesses today face a digital landscape characterized by increasingly sophisticated, targeted cyberattacks designed to steal sensitive information, disrupt services, and cause significant financial and reputational damage. According to ENISA’s Threat Landscape Report, phishing remains among the top cyber threats affecting organizations across all sectors, including finance, healthcare, and government institutions. These attacks continue to increase in frequency and complexity, posing a serious security challenge to businesses of all sizes.

Traditional MFA methods such as SMS codes, email-based OTPs, or password-based solutions have consistently demonstrated vulnerabilities, allowing attackers to exploit weaknesses through methods like SIM swapping, social engineering, and credential theft. In response, ENISA actively guides European organizations toward stronger, phishing-resistant authentication solutions. The agency’s strategic initiatives, including the recent NIS2 Directive, emphasize that phishing-resistant MFA is now a critical cybersecurity standard businesses should adopt without delay.

For European businesses, implementing phishing-resistant MFA—such as passkeys—is now both a security imperative and a strategic business decision. By adopting strong authentication measures, organizations can significantly reduce the risk of costly phishing attacks, enhance customer trust, and improve regulatory compliance. Conversely, neglecting to implement these robust solutions increases vulnerability to cyber threats, regulatory scrutiny, and potential long-term reputational damage.

As cyber threats continue to rise in frequency and sophistication across Europe, ENISA’s recent endorsement of passkeys represents a decisive step forward in strengthening cybersecurity resilience. Passkeys not only address the shortcomings of traditional MFA methods but also fully meet ENISA’s criteria for secure, user-friendly, and phishing-resistant authentication. In this blog, we covered the following essential questions:

Why does ENISA recognize passkeys as the strongest phishing-resistant MFA solution? ENISA identifies passkeys as superior due to their advanced cryptographic security, built-in resistance to phishing attacks, and alignment with international cybersecurity standards.

What specific guidance does ENISA provide for organizations implementing MFA, and why do passkeys align perfectly with these guidelines? ENISA’s MFA implementation guidelines stress seamless integration, secure recovery methods, user empowerment, and vigilant operations, criteria passkeys inherently satisfy through secure backups, intuitive UX, and standardized logging capabilities.

Why is phishing-resistant MFA critically important for European businesses today? Given phishing’s position as one of Europe’s most prevalent cyber threats, implementing phishing-resistant MFA such as passkeys is now vital for businesses to protect sensitive data, ensure regulatory compliance, and maintain trust among customers and stakeholders.