---
url: 'https://www.corbado.com/blog/enisa-passkeys'
title: 'European Union Agency for Cybersecurity (ENISA) & Passkeys'
description: 'Learn why ENISA backs passkeys as Europe’s top phishing-resistant MFA solution to boost cyber security, how to implement them and their business benefits'
lang: 'en'
author: 'Alex'
date: '2025-07-23T16:20:31.326Z'
lastModified: '2026-03-27T07:01:40.558Z'
keywords: 'ENISA passkeys, ENISA passkeys, European Union Agency for Cybersecurity passkeys, NIS2 passkeys, EU MFA guide, passwordless EU'
category: 'Authentication'
---

# European Union Agency for Cybersecurity (ENISA) & Passkeys

## Key Facts

- **ENISA's NIS2 Technical Implementation Guide**, published June 26, 2025, officially
  recognizes passkeys as the strongest available phishing-resistant MFA method across
  Europe.
- ENISA defines passkeys as credentials that are **domain-bound** per FIDO and W3C
  WebAuthn standards, making them inherently immune to phishing and Man-in-the-Middle
  attacks by design.
- ENISA's **MFA rollout criteria** include phishing resistance, secure fallbacks, user
  empowerment and vigilant operations, all of which passkeys satisfy through cryptographic
  design and native OS integration.
- Phishing ranks among Europe's top cyber threats per ENISA's **Threat Landscape Report**,
  affecting finance, healthcare and government sectors across organizations of all sizes.

## 1. Introduction

[Phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed) have become one of the most pressing
cybersecurity threats across Europe, exposing businesses and individuals to significant
risks. Traditional methods of authentication (such as passwords, SMS OTPs, and even
app-based solutions) continue to fall short in preventing these increasingly sophisticated
cyber threats. Recognizing this urgent issue, ENISA, the European Union’s agency
responsible for cybersecurity, recently emphasized the importance of adopting
[phishing](https://www.corbado.com/glossary/phishing)-resistant authentication, particularly passkeys.

In this blog, we are going to focus on these three essential questions:

1. Why does ENISA recognize passkeys as the strongest
   [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA solution?

2. What specific guidance does ENISA provide for organizations implementing MFA and why do
   passkeys align perfectly with these guidelines?

3. Why is [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA critically important for European
   businesses today?

## 2. Who is ENISA and what includes their tasks?

ENISA, the [**European Union Agency for Cybersecurity**](https://www.enisa.europa.eu/), is
the EU’s central agency dedicated to improving cybersecurity and resilience across Europe.
Established in 2004, ENISA’s primary mission is to help member states, European
institutions, and businesses safeguard their digital environments and effectively manage
cybersecurity threats.

A few of the most important tasks that inlcude ENISAs operating space are:

- shaping cybersecurity strategies

- developing guidelines

- providing practical recommendations for [governments](https://www.corbado.com/passkeys-for-public-sector) and
  businesses

- coordinating responses to significant cyber incidents

- ensuring quick and effective action to protect infrastructure

Due to its authoritative role, ENISA has substantial influence over European cybersecurity
policy and regulation, notably through frameworks such as the
[**NIS2 Directive**](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive) and
the
[**Cybersecurity Act**](https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act).
The agency is widely regarded as a trusted source for cybersecurity best practices, with
its recommendations setting benchmarks for protecting Europe’s digital economy.

Given ENISA’s influential position and expertise, their recent recognition of passkeys as
the strongest available phishing-resistant authentication signals a substantial step
forward in Europe’s cybersecurity landscape. With this endorsement, ENISA sets a clear
standard that businesses and public entities across Europe are encouraged to follow.

## 3. ENISA recognizes passkeys as the strongest solution of phishing resistant MFA

In their
[**NIS2 Technical Implementation Guide**](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance),
published on June 26, 2025, ENISA officially acknowledged passkeys (or as named in the
guide “a domain, in accordance with Fast Identity Online (FIDO) and W3C WebAuthn
standards”) as the strongest available method of phishing-resistant multi-factor
authentication (MFA). Within this influential guide, the agency emphasizes passkeys’
unique ability to mitigate [vulnerabilities](https://www.corbado.com/glossary/vulnerability) inherent in
traditional authentication methods like passwords, SMS codes, or email OTPs. Passkeys
provide the best protection by leveraging advanced cryptographic techniques and biometric
verification, significantly reducing the risk of
[phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed).

To evaluate MFA security solutions, ENISA applies stringent criteria including phishing
resistance and robustness of underlying technologies. Passkeys consistently outperform
other MFA methods according to these benchmarks due to their built-in phishing resistance
and seamless user experience (per definition strong MFA methods must be inherently immune
to phishing and Man-in-the-Middle attacks, meaning an attacker can not possibly trick a
user into revealing credentials).

Furthermore, ENISA’s position aligns with the broader cybersecurity industry’s consensus,
echoing similar recommendations from prominent organizations such as the
[FIDO Alliance](https://www.corbado.com/glossary/fido-alliance), the U.S. Cybersecurity and Infrastructure
Security Agency (CISA), and the National Institute of Standards and Technology (NIST).

ENISA’s endorsement in their NIS2 guide carries practical implications for European
businesses, signaling a clear incentive to adopt passkeys as the preferred standard for
strong authentication. Organizations across Europe are now encouraged, both for
cybersecurity resilience and [regulatory compliance](https://www.corbado.com/blog/cybersecurity-frameworks), to
prioritize passkeys in their MFA implementation strategies.

![ENISA-Technical-Implementation.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/ENISA_Technical_Implementation_47eead56d3.png)

## 4. What key info does ENISA recommend following when implementing MFA methods and why do passkeys fit perfectly?

In its NIS2 Technical Implementation Guide, ENISA lays out concrete guidance tips for MFA
roll-outs: seamless integration, secure fallback, user empowerment, vigilant operations,
and vendor selection. In the following sections, we’ll examine each recommendation in turn
and demonstrate how passkeys (the [FIDO2](https://www.corbado.com/glossary/fido2)/WebAuthn standard) not only
meet but exceed ENISA’s criteria for true
[phishing-resistance](https://www.corbado.com/blog/passkeys-phishing-resistant), user simplicity, and
[future-proof](https://www.corbado.com/faq/are-passkeys-the-future) compliance.

### 4.1 Plan for Loss and Secure Fallbacks

**ENISA’s Recommendation:** A robust MFA rollout must include hardened, well-documented
recovery paths for users who lose or replace their authentication device. For example
defining out-of-band verification steps (for example, a help-desk call with secondary
identity checks) and thinking of mechanisms, such as emergency admin overriding or
temporary codes, to be used only under strict controls.

**Why Passkeys Are Ideal:** Unlike one-time passwords tied to a single device, modern
passkey implementations allow users to back up their private credentials into a secure,
user-controlled vault (e.g. [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) or
[Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)). If a device is lost,
the user simply signs in on a new device and their passkey, protected by biometric or PIN,
syncs down securely.

### 4.2 Empower and Educate Your Users

**ENISA’s Recommendation**: ENISA underscores the importance of user education after
rollout. Pilot programs and targeted training help in this case: using a small group of
users on board first to uncover UX issues, then rolling out clear documentation and “quick
reference” guides. Teaching users how to register and use MFA, and showing them what a
genuine versus a suspicious prompt for credentials looks like.

**Why Passkeys Are Ideal**: Passkeys reduce user confusion to almost zero. There’s no
six-digit code to copy or paste, no password to remember and no aditional app to use, just
a familiar biometric scan or device-PIN unlock, followed by a single tap. Native browser
or OS dialogs (“example.com wants to use your passkey”) reinforce correct origin-checking
behavior, training users by design to [watch](https://www.corbado.com/blog/how-to-use-passkeys-apple-watch) for
mismatched domains. The result is fewer help-desk tickets and higher adoption.

### 4.3 Operate and Maintain

**ENISA’s Recommendation**: Continuous monitoring is key. ENISA advises logging every MFA
event (registrations, authentication attempts, successes and failures) and feeding that
data into your SIEM or UEBA for real-time anomaly detection. Equally important is keeping
all components up to date: the authentication server, client libraries, and any hardware
tokens.

**Why Passkeys Are Ideal**: WebAuthn-compliant libraries emit rich, structured event data
(public key IDs, relying-party IDs, user handles) that slide straight into most logging
frameworks. And because passkey support lives in mainstream browsers and operating-system
updates, you benefit from industry-wide security patches without juggling multiple
proprietary clients or firmware versions.

## 5. Why is Phishing-Resistant MFA Important for European Businesses?

[Phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed) have rapidly become one of the most
pressing cybersecurity threats in Europe. European businesses today face a digital
landscape characterized by increasingly sophisticated, targeted cyberattacks designed to
steal sensitive information, disrupt services, and cause significant financial and
reputational damage. According to ENISA’s
[**Threat Landscape Report**](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024),
phishing remains among the top cyber threats affecting organizations across all sectors,
including finance, [healthcare](https://www.corbado.com/passkeys-for-healthcare), and
[government](https://www.corbado.com/passkeys-for-public-sector) institutions. These attacks continue to increase
in frequency and complexity, posing a serious security challenge to businesses of all
sizes.

Traditional MFA methods such as SMS codes, email-based OTPs, or password-based solutions
have consistently demonstrated [vulnerabilities](https://www.corbado.com/glossary/vulnerability), allowing
attackers to [exploit](https://www.corbado.com/glossary/exploit) weaknesses through methods like
[SIM swapping](https://www.corbado.com/faq/sim-swapping-sms-authentication-risk), social engineering, and
credential theft. In response, ENISA actively guides European organizations toward
stronger, phishing-resistant authentication solutions. The agency’s strategic initiatives,
including the recent [NIS2 Directive](https://www.corbado.com/blog/cyber-security-compliance), emphasize that
phishing-resistant MFA is now a critical cybersecurity standard businesses should adopt
without delay.

For European businesses, implementing phishing-resistant MFA—such as passkeys—is now both
a security imperative and a strategic business decision. By adopting strong authentication
measures, organizations can significantly reduce the risk of costly phishing attacks,
enhance customer trust, and improve
[regulatory compliance](https://www.corbado.com/blog/cybersecurity-frameworks). Conversely, neglecting to
implement these robust solutions increases [vulnerability](https://www.corbado.com/glossary/vulnerability) to
cyber threats, regulatory scrutiny, and potential long-term reputational damage.

## 6. Conclusion

As cyber threats continue to rise in frequency and sophistication across Europe, ENISA’s
recent endorsement of passkeys represents a decisive step forward in strengthening
cybersecurity resilience. Passkeys not only address the shortcomings of traditional MFA
methods but also fully meet ENISA’s criteria for secure, user-friendly, and
phishing-resistant authentication. In this blog, we covered the following essential
questions:

**Why does ENISA recognize passkeys as the strongest phishing-resistant MFA solution?**
ENISA identifies passkeys as superior due to their advanced cryptographic security,
built-in resistance to phishing attacks, and alignment with international cybersecurity
standards.

**What specific guidance does ENISA provide for organizations implementing MFA, and why do
passkeys align perfectly with these guidelines?** ENISA’s MFA implementation guidelines
stress seamless integration, secure recovery methods, user empowerment, and vigilant
operations, criteria passkeys inherently satisfy through secure backups, intuitive UX, and
standardized logging capabilities.

**Why is phishing-resistant MFA critically important for European businesses today?**
Given phishing’s position as one of Europe’s most prevalent cyber threats, implementing
phishing-resistant MFA such as passkeys is now vital for businesses to protect sensitive
data, ensure [regulatory compliance](https://www.corbado.com/blog/cybersecurity-frameworks), and maintain trust
among customers and [stakeholders](https://www.corbado.com/blog/passkeys-stakeholder).

## Frequently Asked Questions

### How does ENISA's NIS2 Technical Implementation Guide classify passkeys compared to other MFA methods?

ENISA's NIS2 Technical Implementation Guide, published June 26, 2025, classifies passkeys
as the strongest available phishing-resistant MFA method. The guide describes them as
credentials bound to a domain in accordance with FIDO and W3C WebAuthn standards, placing
them above SMS OTPs, email codes and password-based solutions.

### Why do SMS OTPs and email-based codes fail ENISA's phishing-resistance criteria?

ENISA's phishing-resistance criteria require authentication methods to be inherently
immune to phishing and Man-in-the-Middle attacks, meaning an attacker cannot trick a user
into revealing credentials. SMS OTPs and email codes fail this test because they remain
exploitable through SIM swapping, social engineering and credential theft.

### How should organizations handle passkey recovery when a user loses their device, according to ENISA's NIS2 guidance?

ENISA's NIS2 Technical Implementation Guide requires hardened, documented recovery paths
including out-of-band verification steps and strict emergency override controls. Passkeys
address this by syncing private credentials to user-controlled vaults such as iCloud
Keychain or Google Password Manager, allowing a replacement device to restore access
securely.

### Which global organizations share ENISA's position that passkeys are the strongest phishing-resistant MFA?

ENISA's recognition of passkeys aligns with the FIDO Alliance, the U.S. Cybersecurity and
Infrastructure Security Agency (CISA) and the National Institute of Standards and
Technology (NIST). This cross-organizational consensus positions passkeys as a globally
recognized authentication standard rather than solely a European regulatory preference.