Can passkeys be used together with other auth factors?

Vincent Delitz

Vincent

Created: February 3, 2025

Updated: February 3, 2025

Do you want to learn more?

Read full blog post

Can Passkeys Be Used Together With Other Authentication Factors?#

Yes, passkeys can be used alongside other authentication factors to provide multi-factor authentication (MFA) or layered security approaches. Depending on security requirements, organizations can implement passkeys as a standalone method or as part of a multi-factor authentication flow.

1. Passkeys as Part of Multi-Factor Authentication (MFA)#

While passkeys alone provide strong phishing-resistant authentication, they can also be combined with other factors for added security, especially in high-risk environments. Examples include:

  • Passkeys + Hardware Security Keys: Users authenticate with passkeys but may be required to verify using a physical security key (e.g., YubiKey) for sensitive actions.
  • Passkeys + Device PIN or Biometrics: Some systems may enforce an additional PIN or biometric verification step before using a passkey.
  • Passkeys + Context-Based Authentication: Organizations can introduce risk-based authentication, where passkeys alone suffice under normal conditions, but additional verification (e.g., email OTP or push notification) is required for unusual login attempts.

2. Passkeys and Traditional Two-Factor Authentication (2FA)#

  • Unlike password-based 2FA, passkeys eliminate the need for a password entirely.
  • However, organizations can still require an additional MFA factor for high-security use cases, such as logging in from a new device or accessing sensitive data.
Substack Icon

Subscribe to our Passkeys Substack for the latest news, insights and strategies.

Subscribe
  • Regulatory Compliance: Some industries (e.g., finance, healthcare) mandate multi-factor authentication for compliance with PSD2, HIPAA, or SOC2.
  • High-Security Use Cases: Admin accounts, financial transactions, and enterprise logins may benefit from passkeys + a second factor.
  • User Risk Profiling: Systems can assess risk levels and dynamically require additional authentication when necessary.

Final Verdict#

Passkeys are inherently secure, phishing-resistant, and can be used alone or combined with other authentication factors. While standalone passkeys offer strong security, organizations can enhance security further by pairing them with hardware tokens, biometrics, or adaptive risk-based authentication.

Do you want to learn more?

Read full blog post

Share this article


LinkedInTwitterFacebook

Enjoyed this read?

🤝 Join our Passkeys Community

Share passkeys implementation tips and get support to free the world from passwords.

🚀 Subscribe to Substack

Get the latest news, strategies, and insights about passkeys sent straight to your inbox.


We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour

Start for free