
Why the FBI backs Passkeys in Operation Winter SHIELD

Why FBI Operation Winter SHIELD matters for passkeys, phishing-resistant MFA and the shift away from SMS and legacy authentication.

Vincent Delitz

Created: April 16, 2026

Updated: May 12, 2026

Key Facts
  • Explicit passkey signal: The FBI's Operation Winter SHIELD calls for phishing-resistant authentication and names FIDO2-compliant security keys or device-bound passkeys for authentication, remote access and critical systems.
  • Beyond generic MFA: The same FBI guidance tells organizations to eliminate SMS-based MFA and disable legacy authentication, making this much stronger than a generic "turn on MFA" recommendation.
  • Backed by market data: Microsoft framed Winter SHIELD as a response to the security implementation gap, reported 7,000 password attacks per second in 2024 and said 97% of identity attacks were password spray or brute force attacks.
  • Aligned with broader guidance: NIST and CISA reinforce the same direction: the future is not generic MFA, but phishing-resistant authentication.

1. Introduction: Operation Winter SHIELD and passkeys

On January 28, 2026, the FBI launched Operation Winter SHIELD, a two-month cyber resilience campaign built around ten high-impact defensive actions drawn from real investigations. What makes it unusual for an authentication audience is the first of those actions: adopt phish-resistant authentication and deploy FIDO2-compliant security keys or device-bound passkeys for authentication, remote access and critical systems, while eliminating SMS-based MFA and legacy authentication along the way. Coming directly from the FBI and explicitly naming passkeys, Winter SHIELD is one of the clearest public-sector signals yet that the baseline for enterprise and consumer authentication is shifting from generic MFA to phishing-resistant methods.


In this article, we answer the following key questions:

  • What is Operation Winter SHIELD?
  • Why does the FBI mention passkeys explicitly now?
  • Why is traditional MFA no longer enough?
  • Why does the FBI specifically mention device-bound passkeys?
  • How does this fit with Microsoft, NIST and CISA?
  • What does this mean for workforce IAM, privileged access and CIAM rollouts?

2. What is Operation Winter SHIELD?

Operation Winter SHIELD is the FBI's cyber resilience campaign for 2026, not a classic headline-driven enforcement operation centered on arrests. According to official FBI field office announcements from Seattle and Philadelphia, the initiative was designed to strengthen defenses across the country by promoting 10 actionable cyber defenses drawn from real investigations and real defensive gaps.

That framing matters. Winter SHIELD is not positioned as a theoretical best-practice list. The FBI presents it as a roadmap based on what repeatedly made the difference in real cases. The campaign focuses on ten high-impact controls, summarized below, with phishing-resistant authentication as the first and most relevant for identity and access teams.

There is also a small but important timing nuance. The FBI launched Winter SHIELD on January 28, 2026 as a two-month campaign, while Microsoft described it as a nine-week initiative beginning February 2, 2026. The clearest way to interpret this is that Winter SHIELD was an early-2026 campaign, but its guidance is not time-limited. The awareness push may fade, yet the recommendations remain useful because the underlying attack patterns remain highly current.

3. Why does the FBI mention passkeys explicitly?

The most important point for passkey adoption is the FBI's wording around authentication. In Winter SHIELD materials, the bureau tells organizations to adopt phish-resistant authentication, prioritize administrators, executives and other high-impact accounts, and deploy FIDO2-compliant security keys or device-bound passkeys for authentication, remote access and critical systems.

Just as importantly, the FBI says organizations should eliminate SMS-based MFA and disable legacy authentication methods. That is a much sharper signal than older public guidance that simply encouraged "strong MFA" in the abstract. It reflects a real change in language from "use another factor" to "use a factor that is structurally resistant to phishing."

That is what makes Winter SHIELD relevant for security and IAM teams. This is not just another public-sector mention of passkeys. It is a clear signal that the conversation is moving away from generic MFA and toward phishing-resistant authentication as an operational requirement. For organizations still relying on OTP apps, push prompts or SMS codes, that distinction matters because it changes what the real target state should be.

4. Why is traditional MFA no longer enough?

Traditional MFA is no longer sufficient because most common second factors, including SMS codes, push notifications and OTP apps, can still be bypassed through phishing, adversary-in-the-middle attacks or SIM swaps. Winter SHIELD lands at a moment when the weakness of traditional MFA is already well understood by defenders. Passwords remain highly attackable, and many second factors remain phishable. Reverse-proxy phishing, adversary-in-the-middle kits, MFA fatigue, SIM swap fraud and legacy protocols all help attackers bypass what many teams still call "strong MFA."

Microsoft's data captures both sides of this gap. According to Microsoft's May 2025 passkey update, the company observed 7,000 password attacks per second in 2024, while its Digital Defense Report 2025 attributes 97% of identity attacks to password spray or brute force. On the other side, Microsoft now sees roughly one million passkey registrations per day, passkey sign-ins succeed about 98% of the time versus 32% for passwords, and passkey flows are eight times faster than password plus MFA. The contrast is summarized below.

In other words, Winter SHIELD is not pushing an idealistic security model that teams cannot deploy. It aligns with a method that is both more resistant and more usable.


5. Why does the FBI mention device-bound passkeys?

A device-bound passkey is a cryptographic credential that stays on a single physical device and does not sync to the cloud. A synced passkey, by contrast, is stored in a cloud keychain such as iCloud Keychain or Google Password Manager and becomes available across all devices tied to that account. Both are passkeys, but they fit different assurance contexts.

The FBI does not just say "passkeys." It says device-bound passkeys. That wording is important because Winter SHIELD discusses authentication in the context of high-impact accounts, remote access and critical systems. In those environments, assurance and control often matter more than maximum portability. For a deeper comparison of when device-bound versus synced passkeys fit best, see our dedicated analysis of device-bound vs synced passkeys.

Device-bound passkeys fit that context well:

  • They reduce credential portability across unmanaged devices.
  • They align well with managed endpoint policies and MDM controls.
  • They support faster offboarding and clearer device trust boundaries.
  • They map naturally to privileged access and high-assurance workflows.

That does not mean synced passkeys are invalid or insecure. This is where nuance matters. NIST's supplement on syncable authenticators explicitly says that properly implemented syncable authenticators, in practice synced passkeys, can be phishing-resistant and can support AAL2. NIST's point is not that only device-bound models count. Its point is that different authenticator models fit different risk profiles.

So the clean interpretation is this: the FBI's wording reflects a high-assurance enterprise context, not a universal rule for every passkey deployment. For admin accounts and critical systems, device-bound passkeys are a logical recommendation. For large-scale consumer sign-in journeys, synced passkeys often remain the right choice because recovery and multi-device use matter more.

6. How does this fit with Microsoft, NIST and CISA?

Winter SHIELD does not stand alone. It fits a broader shift in U.S. security guidance toward phishing-resistant authentication.

Microsoft: In its Winter SHIELD post, Microsoft argues that the central problem is not lack of awareness but an implementation gap: organizations know what matters, but too often fail to operationalize it consistently.

NIST: NIST has already established the technical foundation for this shift. Its 2024 guidance on syncable authenticators says that passkeys can provide phishing-resistant authentication and can be used at AAL2 when implemented correctly. That is crucial for CIAM and public-facing use cases where usability and recovery are core design constraints.

CISA: In its Implementing Phishing-Resistant MFA fact sheet, CISA calls phishing-resistant MFA the gold standard, says FIDO/WebAuthn is the only widely available phishing-resistant authentication, and states that SMS or voice MFA should only be used as a last resort.

Federal policy direction: The broader federal direction has been clear since the OMB Zero Trust memo M-22-09, which requires phishing-resistant MFA for federal agency staff, contractors and partners, and mandates that public-facing federal systems supporting MFA offer phishing-resistant authentication as an option. Winter SHIELD therefore looks less like a standalone surprise and more like a practical law-enforcement confirmation of a trend already visible across U.S. cybersecurity guidance.

7. What does this mean for workforce IAM and privileged access?

For workforce IAM teams, Winter SHIELD suggests a very practical rollout order: start with the accounts attackers want most.

That means prioritizing:

  • administrators and highly privileged operators
  • executives and finance-adjacent users
  • remote access users
  • contractors and third parties with sensitive network access
  • accounts tied to critical systems and infrastructure

For these cohorts, the most defensible interpretation of Winter SHIELD is:

  • Require phishing-resistant authentication first for the highest-risk identities.
  • Remove SMS-based MFA and legacy protocols from those paths.
  • Prefer device-bound passkeys or FIDO2 security keys where assurance and device governance are critical.
  • Treat recovery and de-provisioning as part of the rollout, not as an afterthought.

Many organizations still talk about "moving to MFA" as if the main job were checking a compliance box. Winter SHIELD shows that for privileged access, the real target state is phishing-resistant authentication with fewer legacy escape hatches.

8. What does this mean for CIAM and customer rollouts?

The CIAM takeaway is different. Winter SHIELD is highly relevant, but its language should not be overextended. The FBI is speaking in the context of critical systems, remote access and high-impact accounts. That is not the same thing as a mass-market consumer login flow.

For CIAM teams, the most important lesson is not "force device-bound everywhere." It is instead:

  • stop treating generic MFA as the final destination
  • design toward phishing-resistant login as the long-term baseline
  • model assurance levels separately from adoption requirements
  • use synced passkeys where recovery, portability and cross-device usage are decisive

This distinction matters because consumer and citizen-facing deployments have to solve for adoption at scale. If recovery is too brittle or device portability is too limited, users fall back to weaker factors, often passwords, OTPs or SMS. NIST's guidance is helpful here because it explicitly creates room for syncable passkeys in lower-friction, public-facing environments while still recognizing that higher-assurance contexts may justify stricter controls.

9. What should companies do now?

A reasonable Winter SHIELD response plan looks like this:

  • Inventory your phishable auth paths: especially SMS MFA, push-only approvals and legacy authentication protocols.
  • Rank identities by impact: admins, executives, remote access and critical operators should move first.
  • Choose the right passkey model by use case: device-bound for high-assurance internal contexts, synced where scale and recovery matter more.
  • Remove insecure fallbacks: a passkey rollout does not solve much if legacy auth and SMS remain easy bypass paths.
  • Instrument rollout and login performance: success rates, fallback usage and recovery friction determine whether the migration actually works.
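As an added example (not code from the article or from Corbado), the following relying-party check ties together the device-bound versus synced distinction from section 5 and the cohort-based rollout plan above: WebAuthn authenticator data carries a Backup Eligibility (BE) flag that is clear for device-bound credentials, so a privileged or remote-access account can be checked against a device-bound requirement while phishable fallbacks such as SMS are flagged for removal. The cohort names, the policy table and the sample authenticator data are constructed for this example.

```python
import struct
from dataclasses import dataclass

# WebAuthn authenticator data: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced, so it is not device-bound
FLAG_BS = 1 << 4  # backup state: credential is currently backed up

@dataclass(frozen=True)
class CredentialInfo:
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int

def parse_authenticator_data(auth_data: bytes) -> CredentialInfo:
    """Extract the flags byte and signature counter from raw WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return CredentialInfo(
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )

# Hypothetical per-cohort policy for this example: privileged and remote-access identities
# must use device-bound credentials; consumer logins may use synced passkeys.
PHISHABLE = {"sms", "voice", "totp", "push", "legacy_basic_auth"}
POLICY = {
    "privileged": {"require_device_bound": True},
    "remote_access": {"require_device_bound": True},
    "consumer": {"require_device_bound": False},
}

def evaluate(cohort: str, auth_data: bytes, enabled_fallbacks: set) -> list:
    """Return findings for one account; an empty list means it meets the target state."""
    cred = parse_authenticator_data(auth_data)
    findings = []
    if not cred.user_verified:
        findings.append("user verification (UV) not performed")
    if POLICY[cohort]["require_device_bound"] and cred.backup_eligible:
        findings.append("credential is backup-eligible (synced); device-bound passkey required")
    for fallback in sorted(enabled_fallbacks & PHISHABLE):
        findings.append(f"phishable fallback still enabled: {fallback}")
    return findings

def make_auth_data(flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data with a dummy all-zero rpIdHash, for offline use."""
    return b"\x00" * 32 + bytes([flags]) + struct.pack(">I", sign_count)
```

In a real deployment the BE flag would be read from the registration response and stored with the credential, so the device-bound check runs once at enrollment rather than on every login.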

This is the strategic value of Winter SHIELD. It reframes passkeys from a new authentication feature into part of an evidence-based resilience program.


10. Conclusion

Operation Winter SHIELD matters because it shows how far the market has moved. The FBI is no longer communicating about authentication as a generic "more MFA is better" topic. It is communicating in the language of phishing-resistant authentication, explicitly naming FIDO2 security keys and device-bound passkeys, while telling organizations to get rid of SMS-based MFA and legacy authentication.

That makes Winter SHIELD especially relevant for teams evaluating passkeys today. It is not a vendor message, and it is not just a product announcement. It is an official, practice-oriented statement that ties passkeys to the controls that matter most in real incidents.

In this article, we covered the following core questions:

  • What is Operation Winter SHIELD? It is the FBI's early-2026 cyber resilience campaign, built around ten prioritized defenses informed by real investigations and attacker behavior.
  • Why does the FBI mention passkeys explicitly? Because the bureau is signaling that phishing-resistant authentication is now a practical defensive baseline, not an optional innovation topic.
  • Why is traditional MFA no longer enough? Because passwords, SMS, OTP phishing and legacy protocols still give attackers a reliable path into accounts and systems.
  • Why does the FBI say device-bound passkeys? Because Winter SHIELD is aimed at high-assurance scenarios like privileged access, remote access and critical systems.
  • What does this mean for enterprises? Prioritize high-impact accounts, remove phishable fallbacks and map synced versus device-bound passkeys to the right use cases instead of treating them as interchangeable.

Frequently Asked Questions

Does the FBI really recommend passkeys?

Yes, the FBI officially recommends passkeys. In its 2026 Operation Winter SHIELD campaign, the bureau explicitly names FIDO2-compliant security keys and device-bound passkeys as phishing-resistant authentication for authentication, remote access and critical systems. This is the clearest public-sector endorsement of passkeys by U.S. law enforcement to date.

Why is Operation Winter SHIELD more important than a generic MFA recommendation?

Operation Winter SHIELD is more important than a generic MFA recommendation because the FBI does not just say to enable MFA. The bureau explicitly calls for phishing-resistant authentication, tells organizations to eliminate SMS-based MFA and disable legacy authentication, and frames these recommendations as lessons drawn from real investigations rather than theoretical best practices.

Why does the FBI mention device-bound passkeys instead of just passkeys in general?

The FBI mentions device-bound passkeys specifically because Winter SHIELD addresses high-impact accounts, remote access and critical systems. Device-bound passkeys fit these high-assurance enterprise scenarios better than synced passkeys because they offer stronger device control, limited credential portability and tighter administrative governance. For consumer CIAM rollouts, synced passkeys remain a valid choice.

Does this mean synced passkeys are no longer valid?

No, synced passkeys remain valid. NIST has clarified that properly implemented syncable authenticators, commonly called synced passkeys, can still be phishing-resistant and can support AAL2. The distinction is not that one model is valid and the other is not, but that different assurance levels fit different use cases. Synced passkeys are often the right choice for consumer-facing deployments where recovery and multi-device use drive adoption.

Is SMS-based MFA still considered secure in 2026?

No, SMS-based MFA is no longer considered secure. The FBI's Winter SHIELD campaign explicitly tells organizations to eliminate SMS-based MFA, and CISA states that SMS or voice MFA should only be used as a last resort. SMS codes are vulnerable to SIM swap attacks, phishing and interception. Organizations should move to phishing-resistant alternatives like FIDO2 security keys or passkeys.

What is the difference between FIDO2 security keys and passkeys?

FIDO2 security keys are physical hardware devices, such as YubiKeys, that store cryptographic credentials and connect via USB, NFC or Bluetooth. Passkeys are software-based cryptographic credentials stored on a phone, laptop or cloud account. Both use the same FIDO2/WebAuthn standard and are phishing-resistant. Security keys are often preferred for the highest-assurance workforce scenarios, while passkeys are better suited for mainstream consumer and employee adoption.
