---
url: 'https://www.corbado.com/blog/fbi-operation-winter-shield-passkeys'
title: 'Why the FBI backs Passkeys in Operation Winter SHIELD'
description: 'Why FBI Operation Winter SHIELD matters for passkeys, phishing-resistant MFA and the shift away from SMS and legacy authentication.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-04-16T12:05:02.870Z'
lastModified: '2026-05-12T06:01:30.500Z'
keywords: 'FBI passkeys, Operation Winter SHIELD passkeys, phishing-resistant MFA, device-bound passkeys, SMS MFA, legacy authentication'
category: 'Passkeys Strategy'
---

# Why the FBI backs Passkeys in Operation Winter SHIELD

## Key Facts

- **Explicit passkey signal**: The FBI's Operation Winter SHIELD calls for
  phishing-resistant authentication and names FIDO2-compliant security keys or
  device-bound passkeys for authentication, remote access and critical systems.
- **Beyond generic MFA**: The same FBI guidance tells organizations to eliminate SMS-based
  MFA and disable legacy authentication, making this much stronger than a generic "turn on
  MFA" recommendation.
- **Backed by market data**: Microsoft framed Winter SHIELD as a response to the security
  implementation gap, reported 7,000 password attacks per second in 2024 and said 97% of
  identity attacks were password spray or brute force attacks.
- **Aligned with broader guidance**: NIST and CISA reinforce the same direction: the
  future is not generic MFA, but phishing-resistant authentication.

## 1. Introduction: Operation Winter SHIELD and passkeys

On January 28, 2026, the FBI launched Operation Winter SHIELD, a two-month cyber
resilience campaign built around
[ten high-impact defensive actions](https://www.fbi.gov/file-repository/operation-winter-shield-slick-v8.pdf)
drawn from real investigations. What makes it unusual for an authentication audience is
the first of those actions: adopt phish-resistant authentication and deploy
[FIDO2](https://www.corbado.com/glossary/fido2)-compliant security keys or device-bound passkeys for
authentication, remote access and critical systems, while eliminating SMS-based MFA and
legacy authentication along the way. Coming directly from the FBI and explicitly naming
passkeys, Winter SHIELD is one of the clearest
[public-sector](https://www.corbado.com/passkeys-for-public-sector) signals yet that the baseline for enterprise
and consumer authentication is shifting from generic MFA to
[phishing](https://www.corbado.com/glossary/phishing)-resistant methods.

In this article, we answer the following key questions:

- What is Operation Winter SHIELD?
- Why does the FBI mention passkeys explicitly now?
- Why is traditional MFA no longer enough?
- Why does the FBI specifically mention device-bound passkeys?
- How does this fit with Microsoft, [NIST](https://www.corbado.com/blog/nist-passkeys) and
  [CISA](https://www.corbado.com/blog/cisa-passkeys-authentication)?
- What does this mean for workforce IAM, privileged access and CIAM rollouts?

## 2. What is Operation Winter SHIELD?

Operation Winter SHIELD is the FBI's cyber resilience campaign for 2026, not a classic
headline-driven enforcement operation centered on arrests. According to official FBI field
office announcements from [Seattle](https://www.fbi.gov/contact-us/field-offices/seattle)
and
[Philadelphia](https://www.fbi.gov/contact-us/field-offices/philadelphia/news/fbi-philadelphia-joins-nationwide-launch-of-operation-winter-shield),
the initiative was designed to strengthen defenses across the country by promoting 10
actionable cyber defenses drawn from real investigations and real defensive gaps.

That framing matters. Winter SHIELD is not positioned as a theoretical best-practice list.
The FBI presents it as a roadmap based on what repeatedly made the difference in real
cases. The campaign focuses on ten high-impact controls, listed in full in the FBI
document linked above, with
[phishing](https://www.corbado.com/glossary/phishing)-resistant authentication as the first and the most relevant for
identity and access teams.

There is also a small but important timing nuance. The FBI launched Winter SHIELD on
January 28, 2026 as a two-month campaign, while Microsoft described it as a
[nine-week initiative beginning February 2, 2026](https://www.microsoft.com/en-us/security/blog/2026/02/05/the-security-implementation-gap-why-microsoft-is-supporting-operation-winter-shield/).
The clearest way to interpret this is that Winter SHIELD was an early-2026 campaign, but
its guidance is not time-limited. The awareness push may fade, yet the recommendations
remain useful because the underlying attack patterns remain highly current.

## 3. Why does the FBI mention passkeys explicitly?

The most important point for [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case) is
the FBI's wording around authentication. In Winter SHIELD materials, the bureau tells
organizations to adopt phish-resistant authentication, prioritize administrators,
executives and other high-impact accounts, and deploy [FIDO2](https://www.corbado.com/glossary/fido2)-compliant
security keys or device-bound passkeys for authentication, remote access and critical
systems.

Just as importantly, the FBI says organizations should eliminate SMS-based MFA and disable
legacy authentication methods. That is a much sharper signal than older public guidance
that simply encouraged "strong MFA" in the abstract. It reflects a real change in language
from "use another factor" to "use a factor that is structurally resistant to
[phishing](https://www.corbado.com/glossary/phishing)."

That is what makes Winter SHIELD relevant for security and IAM teams. This is not just
another [public-sector](https://www.corbado.com/passkeys-for-public-sector) mention of passkeys. It is a clear
signal that the conversation is moving away from generic MFA and toward phishing-resistant
authentication as an operational requirement. For organizations still relying on OTP apps,
push prompts or SMS codes, that distinction matters because it changes what the real
target state should be.

## 4. Why is traditional MFA no longer enough?

Traditional MFA is no longer sufficient because the most common second factors, SMS
codes, push notifications and OTP apps, share one structural weakness: the proof they
produce is not bound to the site the user is actually on. A code typed into a
reverse-proxy phishing page, or a push approved while the attacker's session is the one
waiting, is relayed to the real service in real time, and a
[SIM swap](https://www.corbado.com/glossary/sim-swap) lets the attacker receive the SMS directly. Winter SHIELD
lands at a moment when defenders already understand this. Passwords remain highly
attackable, and reverse-proxy phishing, adversary-in-the-middle kits, MFA fatigue, SIM swap
fraud and legacy protocols that skip MFA entirely all help attackers get past what many
teams still call "strong MFA." FIDO2/WebAuthn authenticators, passkeys included, close
that gap because the signature they return covers the origin the browser observed and the
relying party's ID, so an assertion captured on a look-alike domain is useless on the real
one.

Microsoft's data captures both sides of this gap. According to Microsoft's
[May 2025 passkey update](https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/),
the company observed 7,000 password attacks per second in 2024, while its
[Digital Defense Report 2025](https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2025)
attributes 97% of identity attacks to password spray or brute force. On the other side,
Microsoft now sees roughly one million passkey registrations per day, passkey sign-ins
succeed about 98% of the time versus 32% for passwords, and passkey flows are eight times
faster than password plus MFA. Read together, the two data sets describe the same gap from
both directions: the attack volume that passwords invite, and the adoption and success
rates a phishing-resistant replacement can already show.

In other words, Winter SHIELD is not pushing an idealistic security model that teams
cannot deploy. It aligns with a method that is both more resistant and more usable.

## 5. Why does the FBI mention device-bound passkeys?

A [device-bound passkey](https://www.corbado.com/blog/device-bound-synced-passkeys) is a cryptographic credential
that stays on a single physical device and does not sync to the cloud. A
[synced passkey](https://www.corbado.com/blog/device-bound-synced-passkeys), by contrast, is stored in a cloud
keychain such as [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) or
[Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager) and becomes available
across all devices tied to that account. Both are passkeys, but they fit different
assurance contexts.

The FBI does not just say "passkeys." It says device-bound passkeys. That wording is
important because Winter SHIELD discusses authentication in the context of high-impact
accounts, remote access and critical systems. In those environments, assurance and control
often matter more than maximum portability. For a deeper comparison of when device-bound
versus synced passkeys fit best, see our dedicated analysis of
[device-bound vs synced passkeys](https://www.corbado.com/blog/device-bound-synced-passkeys).

Device-bound passkeys fit that context well:

- They reduce credential portability across unmanaged devices.
- They align well with managed endpoint policies and MDM controls.
- They support faster offboarding and clearer device trust boundaries.
- They map naturally to privileged access and high-assurance workflows.

That does not mean synced passkeys are invalid or insecure. This is where nuance matters.
[NIST's](https://www.corbado.com/blog/nist-passkeys)
[supplement on syncable authenticators](https://csrc.nist.gov/pubs/sp/800/63/b/sup/final)
explicitly says that properly implemented syncable
[authenticators](https://www.corbado.com/glossary/authenticator), in practice synced passkeys, can be
phishing-resistant and can support [AAL2](https://www.corbado.com/blog/nist-passkeys).
[NIST's](https://www.corbado.com/blog/nist-passkeys) point is not that only device-bound models count. Its point
is that different [authenticator](https://www.corbado.com/glossary/authenticator) models fit different risk
profiles.

So the clean interpretation is this: the FBI's wording reflects a high-assurance
enterprise context, not a universal rule for every passkey deployment. For admin accounts
and critical systems, device-bound passkeys are a logical recommendation. For
[large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) consumer sign-in journeys,
synced passkeys often remain the right choice because recovery and multi-device use matter
more.

## 6. How does this fit with Microsoft, NIST and CISA?

Winter SHIELD does not stand alone. It fits a broader shift in U.S. security guidance
toward phishing-resistant authentication.

**Microsoft:** In its
[Winter SHIELD post](https://www.microsoft.com/en-us/security/blog/2026/02/05/the-security-implementation-gap-why-microsoft-is-supporting-operation-winter-shield/),
Microsoft argues that the central problem is not lack of awareness but an implementation
gap: organizations know what matters, but too often fail to operationalize it
consistently.

**NIST:** [NIST](https://www.corbado.com/blog/nist-passkeys) has already established the technical foundation for
this shift. Its 2024
[guidance on syncable authenticators](https://csrc.nist.gov/pubs/sp/800/63/b/sup/final)
says that passkeys can provide phishing-resistant authentication and can be used at
[AAL2](https://www.corbado.com/blog/nist-passkeys) when implemented correctly. That is crucial for CIAM and
public-facing use cases where usability and recovery are core design constraints.

**CISA:** In its
[Implementing Phishing-Resistant MFA](https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf)
fact sheet, [CISA](https://www.corbado.com/blog/cisa-passkeys-authentication) calls phishing-resistant MFA the
gold standard, says FIDO/WebAuthn is the only widely available phishing-resistant
authentication, and states that SMS or voice MFA should only be used as a last resort.

**Federal policy direction:** The broader federal direction has been clear since the
[OMB Zero Trust memo M-22-09](https://zerotrust.cyber.gov/federal-zero-trust-strategy/),
which requires phishing-resistant MFA for federal agency staff, contractors and partners,
and mandates that public-facing federal systems supporting MFA offer phishing-resistant
authentication as an option. Winter SHIELD therefore looks less like a standalone surprise
and more like a practical law-enforcement confirmation of a trend already visible across
U.S. cybersecurity guidance.

## 7. What does this mean for workforce IAM and privileged access?

For workforce IAM teams, Winter SHIELD suggests a very practical rollout order: start with
the accounts attackers want most.

That means prioritizing:

- administrators and highly privileged operators
- executives and finance-adjacent users
- remote access users
- contractors and third parties with sensitive network access
- accounts tied to critical systems and infrastructure

For these cohorts, the most defensible interpretation of Winter SHIELD is:

- Require phishing-resistant authentication first for the highest-risk identities.
- Remove SMS-based MFA and legacy protocols from those paths.
- Prefer device-bound passkeys or [FIDO2](https://www.corbado.com/glossary/fido2) security keys where assurance
  and device governance are critical.
- Treat recovery and de-provisioning as part of the rollout, not as an afterthought.

Many organizations still talk about "moving to MFA" as if the main job were checking a
compliance box. Winter SHIELD shows that for privileged access, the real target state is
phishing-resistant authentication with fewer legacy escape hatches.

## 8. What does this mean for CIAM and customer rollouts?

The CIAM takeaway is different. Winter SHIELD is highly relevant, but its language should
not be overextended. The FBI is speaking in the context of critical systems, remote access
and high-impact accounts. That is not the same thing as a mass-market consumer login flow.

For CIAM teams, the most important lesson is not "force device-bound everywhere." It is
instead:

- stop treating generic MFA as the final destination
- design toward phishing-resistant login as the long-term baseline
- model assurance levels separately from adoption requirements
- use synced passkeys where recovery, portability and cross-device usage are decisive

This distinction matters because consumer and citizen-facing deployments have to solve for
adoption at scale. If recovery is too brittle or device portability is too limited, users
fall back to weaker factors, often passwords, OTPs or SMS. [NIST's](https://www.corbado.com/blog/nist-passkeys)
guidance is helpful here because it explicitly creates room for
[syncable passkeys](https://www.corbado.com/blog/device-bound-synced-passkeys) in lower-friction, public-facing
environments while still recognizing that higher-assurance contexts may justify stricter
controls.

## 9. What should companies do now?

A reasonable Winter SHIELD response plan looks like this:

- Inventory your phishable auth paths: especially SMS MFA, push-only approvals and legacy
  authentication protocols.
- Rank identities by impact: admins, executives, remote access and critical operators
  should move first.
- Choose the right passkey model by use case: device-bound for high-assurance internal
  contexts, synced where scale and recovery matter more.
- Remove insecure fallbacks: a passkey rollout does not solve much if legacy auth and SMS
  remain easy bypass paths.
- Instrument rollout and login performance: success rates, fallback usage and recovery
  friction determine whether the migration actually works.

This is the strategic value of Winter SHIELD. It reframes passkeys from a new
authentication feature into part of an evidence-based resilience program.

## 10. Conclusion

Operation Winter SHIELD matters because it shows how far the market has moved. The FBI is
no longer communicating about authentication as a generic "more MFA is better" topic. It
is communicating in the language of phishing-resistant authentication, explicitly naming
FIDO2 security keys and device-bound passkeys, while telling organizations to get rid of
SMS-based MFA and legacy authentication.

That makes Winter SHIELD especially relevant for teams evaluating passkeys today. It is
not a vendor message, and it is not just a product announcement. It is an official,
practice-oriented statement that ties passkeys to the controls that matter most in real
incidents.

In this article, we covered the following core questions:

- **What is Operation Winter SHIELD?** It is the FBI's early-2026 cyber resilience
  campaign, built around ten prioritized defenses informed by real investigations and
  attacker behavior.
- **Why does the FBI mention passkeys explicitly?** Because the bureau is signaling that
  phishing-resistant authentication is now a practical defensive baseline, not an optional
  innovation topic.
- **Why is traditional MFA no longer enough?** Because passwords, SMS, OTP phishing and
  legacy protocols still give attackers a reliable path into accounts and systems.
- **Why does the FBI say device-bound passkeys?** Because Winter SHIELD is aimed at
  high-assurance scenarios like privileged access, remote access and critical systems.
- **What does this mean for enterprises?** Prioritize high-impact accounts, remove
  phishable fallbacks and map synced versus device-bound passkeys to the right use cases
  instead of treating them as interchangeable.

## Frequently Asked Questions

### Does the FBI really recommend passkeys?

Yes, the FBI officially recommends passkeys. In its 2026 Operation Winter SHIELD campaign,
the bureau explicitly names FIDO2-compliant security keys and device-bound passkeys as
phishing-resistant authentication for authentication, remote access and critical systems.
This is one of the clearest public-sector endorsements of passkeys by U.S. law enforcement
to date.

### Why is Operation Winter SHIELD more important than a generic MFA recommendation?

Operation Winter SHIELD is more important than a generic MFA recommendation because the
FBI does not just say to enable MFA. The bureau explicitly calls for phishing-resistant
authentication, tells organizations to eliminate SMS-based MFA and disable legacy
authentication, and frames these recommendations as lessons drawn from real investigations
rather than theoretical best practices.

### Why does the FBI mention device-bound passkeys instead of just passkeys in general?

The FBI mentions device-bound passkeys specifically because Winter SHIELD addresses
high-impact accounts, remote access and critical systems. Device-bound passkeys fit these
high-assurance enterprise scenarios better than synced passkeys because they offer
stronger device control, limited credential portability and tighter administrative
governance. For consumer CIAM rollouts, synced passkeys remain a valid choice.

### Does this mean synced passkeys are no longer valid?

No, synced passkeys remain valid. NIST has clarified that properly implemented syncable
authenticators, commonly called synced passkeys, can still be phishing-resistant and can
support AAL2. The distinction is not that one model is valid and the other is not, but
that different assurance levels fit different use cases. Synced passkeys are often the
right choice for consumer-facing deployments where recovery and multi-device use drive
adoption.

### Is SMS-based MFA still considered secure in 2026?

No, SMS-based MFA is no longer considered secure. The FBI's Winter SHIELD campaign
explicitly tells organizations to eliminate SMS-based MFA, and CISA states that SMS or
voice MFA should only be used as a last resort. SMS codes are vulnerable to SIM swap
attacks, phishing and interception. Organizations should move to phishing-resistant
alternatives like FIDO2 security keys or passkeys.

### What is the difference between FIDO2 security keys and passkeys?

FIDO2 security keys are physical hardware authenticators, such as YubiKeys, that keep the
private key in dedicated hardware and connect via USB, NFC or Bluetooth. "Passkey"
describes the credential rather than the hardware: a FIDO discoverable credential that
can sign a user in without a password. In everyday usage the term usually means a
credential held by a platform authenticator on a phone or laptop, either device-bound or
synced through a cloud keychain, but a discoverable credential stored on a security key
is also a passkey in the device-bound sense. All of these use the same FIDO2/WebAuthn
protocol and are phishing-resistant for the same reason: the signature is bound to the
relying party and to the origin the browser observed. Security keys are often preferred
for the highest-assurance workforce scenarios, while platform passkeys are better suited
for mainstream consumer and employee adoption.
