
Are passkeys considered a form of two-factor authentication?

Passkeys offer strong authentication but differ from traditional two-factor authentication (2FA). They are phishing-resistant and PSD2 compliant.

Vincent Delitz


Created: January 31, 2025

Updated: March 19, 2026


Are passkeys considered a form of Two-Factor Authentication?

Passkeys provide strong authentication but do not fit the traditional definition of two-factor authentication (2FA). Instead, they belong to a more advanced category of authentication that eliminates the weaknesses of traditional password-based 2FA. This guide explains the differences between passkeys and 2FA, why passkeys are more secure and when you might still need traditional MFA.

1. What is MFA/2FA?

When you sign in to an online account, you prove to the service that you are who you claim to be - this process is called authentication. Traditionally, this has been done with a username and password. As we know today, that's not a secure approach: even complex passwords can be cracked within seconds and more than 50% of users reuse their passwords.

That's why many online services have added an additional layer called two-factor authentication (2FA) or multi-factor authentication (MFA). With 2FA enabled, you need more than just a username and password - you need a second factor to prove your identity.

2FA is a subset of MFA, which is an umbrella term for any authentication that uses more than one factor to verify a user's identity.

1.1 Types of Authentication Factors

A factor in authentication is a way of confirming legitimate access. The three most common kinds are:

  • Knowledge-based (something you know): a password, PIN or answers to security questions.
  • Possession-based (something you have): a hardware token, smartphone or security key. This includes email magic links, SMS OTPs, time-based one-time passcodes (TOTPs) and push notifications.
  • Inherence-based (something you are): biometric authentication methods like fingerprints, iris scans or Face ID.

Passkeys combine two of these factors: a passkey is tied to a unique device (possession) and requires biometric verification (inherence) or, on devices without biometrics, a device PIN (knowledge), making them inherently multi-factor.

2. How traditional 2FA works (and why it's not optimal)

Traditional 2FA requires authentication from two distinct categories. For example, logging into a bank account with a password (knowledge) and confirming via an SMS OTP (possession) qualifies as 2FA.

However, traditional 2FA has significant drawbacks:

  1. Additional friction: the user must leave the app and open another application to confirm their identity (e.g. check SMS, open authenticator app).
  2. Passwords remain a weak link: most 2FA flows still rely on a password as the first factor, which can be phished or stolen.
  3. Possession factors can be compromised: SMS OTPs are vulnerable to SIM swapping, authenticator apps can be lost with device changes, and recovery is burdensome. As a consequence, the activation rate of MFA among users is only 28%.

3. How Passkeys differ from Traditional 2FA

Passkeys do not rely on passwords; instead they use public-key cryptography. Here's a direct comparison:

| Feature | Traditional 2FA | Passkeys |
|---|---|---|
| Phishing-resistant? | ❌ No (passwords, SMS OTPs can be stolen) | ✅ Yes (origin-bound) |
| User experience | Cumbersome, requires multiple steps | Seamless, one-tap authentication |
| Reliance on passwords | ✅ Yes (as first factor) | ❌ No |
| Recovery complexity | High (reset tokens, call hotlines) | Low (synced via iCloud, Google) |
| Meets PSD2 SCA? | ✅ Yes, but prone to attacks | ✅ Yes, with better security |
| Activation rate | ~28% opt-in | Higher (familiar biometrics) |

3.1 Are Passkeys 2FA or MFA?

Passkeys fulfill the security goals of 2FA without requiring two separate steps. Instead of requiring a password + OTP, they bind authentication to the user's device and biometrics such as fingerprint or Face ID.

Since passkeys rely on device possession (hardware-bound keys) and biometrics (inherence), they satisfy multi-factor authentication requirements within a single interaction.

3.2 Why Passkeys are more secure than regular 2FA

Passkeys solve the core problems of traditional 2FA:

  • No shared secrets: public-key cryptography means there is nothing to intercept.
  • No extra friction: users don't need to open a separate app or type a code. Most users are already familiar with Face ID, Touch ID or Windows Hello.
  • Synced across devices: passkeys sync within ecosystems like iCloud Keychain or Google Password Manager, eliminating the painful 2FA recovery process.

4. Can Passkeys be used together with other Authentication Factors?

Yes, passkeys can be used alongside other authentication factors to provide layered security. Depending on security requirements, organizations can implement passkeys as a standalone method or as part of a more complex multi-factor flow.

4.1 Passkeys as Part of an MFA Flow

While passkeys alone provide strong phishing-resistant authentication, they can be combined with other factors for added security in high-risk environments:

  • Passkeys + Hardware Security Keys: users authenticate with passkeys but may need a physical security key (e.g. YubiKey) for sensitive actions.
  • Passkeys + Context-Based Authentication: organizations can introduce risk-based authentication where passkeys alone suffice under normal conditions, but additional verification is required for unusual login attempts.
  • Regulatory compliance: industries like finance in Europe mandate MFA that fulfills additional criteria for compliance with PSD2 and SCA.
  • High-security use cases: admin accounts, financial transactions and enterprise logins may benefit from passkeys + a second factor.
  • User risk profiling: systems can assess risk levels and dynamically require additional authentication when necessary.

5. When to use Passkeys as a Second Factor (vs. going fully Passwordless)

While passkeys enable fully passwordless authentication, there are scenarios where using passkeys as a second factor provides strategic advantages over immediately going fully passwordless:

  • Conservative organizations: enterprises in highly regulated sectors (banking, healthcare, government) can enhance security without dramatically altering existing workflows.
  • Gradual user adoption: deploying passkeys as a second factor serves as a gentle introduction, allowing users to become familiar with the experience alongside their traditional login before transitioning to fully passwordless.
  • High-security contexts: environments that demand exceptionally robust security can maintain multiple authentication layers, preventing dependency on a single method and reducing single-point-of-failure risks.
  • Infrastructure constraints: organizations whose technical infrastructure doesn't fully support passwordless authentication yet can deploy passkeys as a second factor while building broader compatibility.

6. Are Passkeys PSD2-Compliant?

Yes. Under Strong Customer Authentication (SCA) in PSD2, authentication must include:

Passkeys fulfill these requirements in a seamless, phishing-resistant way, making them an ideal alternative to traditional 2FA for banks and fintech companies.


7. Conclusion: Passkeys are a more secure Alternative to 2FA

Passkeys go beyond traditional two-factor authentication by:

  • Eliminating passwords and shared secrets.
  • Providing phishing-resistant authentication via public-key cryptography.
  • Meeting PSD2 SCA and other regulatory requirements in a more user-friendly way.
  • Syncing across devices to remove the 2FA recovery burden.

While passkeys are not 2FA in the traditional sense, they achieve the same or better security benefits in a way that is both more secure and more convenient. For organizations not yet ready to go fully passwordless, passkeys can also serve as a powerful second factor during a transition period.
