Why passkeys are more secure than regular 2FA methods
MFA is commonly used to make authentication more secure by adding additional factors to the traditional username and password. However, MFA flows are inconvenient for users and not as secure as one might expect. Fortunately, the new login standard – passkeys – provides a superior solution.
What is MFA/2FA?
When you sign into an online account, you're proving to the service that you are who you pretend to be, which is also referred to as ‘authentication’. Traditionally, that has been done with a username and a password. As already explained in previous articles, that's not a very good way to do authentication. The first piece of information, the username, is typically easy to discover, as it’s often just the user’s email address. The second and supposedly secret piece of information, the password, is more challenging to obtain. Yet, with modern technology, even complex passwords can easily be cracked within seconds. Compounding the issue is the fact that users often select weak passwords, which they use for several accounts repeatedly, making it possible for hackers to breach multiple systems with one set of credentials.
“123456 is still the most used password on the internet and more than 50% of the users reuse their password”
That's why many online services - banks, social media, e-commerce - have added an additional layer to make user accounts more secure. You may hear it called "Two-factor Authentication (2FA)" or "Multifactor Authentication (MFA)". If 2FA or MFA is enabled, you need more than just the username and password. You need a second factor to prove who you are.
Types of MFA
A factor in authentication is a way of confirming the legitimate access when you try to sign in. The three most common kinds of factors are:
- Knowledge-based – something you know.
- Possession-based – something you have.
- Inherence-based – something you are.
Knowledge-based factors are something that you know – a piece of information such as a password, a PIN or answers to personal security questions.
Possession-based factors include hardware and software security tokens (e.g., a digital certificate or a badge with an embedded chip) as well as a range of mobile-friendly solutions:
- Email magic links, which let users instantly log in via a link sent to a pre-registered email address.
- SMS one-time passcodes (OTPs), which ask users to enter a unique sequence sent via SMS.
- Time-based one-time passcodes (TOTPs), which ask users to confirm control of their device within a certain time frame via a passcode generated by a smartphone app like Google Authenticator.
- Push authentication, which sends notifications to an app on users’ devices, asking them to approve or reject a login attempt.
Inherence-based factors rely on biological traits unique to the user and can include biometric authentication methods like fingerprinting, iris scans, and face and voice recognition technology.
Passkeys are one example of a 2FA solution because a passkey is associated with a unique device (first factor: possession-based) and additionally requires biometric authentication (second factor: inherence-based).
“2FA is just a subset of MFA, which is an umbrella term for any authentication that uses more than one factor to authenticate a user’s identity”
How MFA works
Let's say you're going to log into your Paypal or Microsoft account, and you enter your username and password. If that would be all you need to do, then anybody who knows your username and password can sign into your account from anywhere in the world!
But if you have 2FA enabled, things get more interesting. To log in, you first enter your username and password as usual, then you get prompted to enter your second factor to verify your identity. Depending on the website or app, you have different options to use as your second factor. For instance, if you log in to the Paypal website, you can use SMS OTPs or the Paypal native app as a second factor to confirm your identity.
Why MFA is still not optimal
Even though MFA makes it considerably more difficult for hackers to breach a system than single-factor authentication, it is still far from ideal.
First, MFA creates additional friction for the user during the login ceremony because the website or app must be left and another application must be opened to confirm the user’s identity.
Second, most websites still rely on passwords as one factor, which can be easily compromised or stolen.
Lastly, possession-based factors can often be stolen or are lost, e.g. physical devices such as an access card. The recovery of such possession factors, for instance, authenticator apps or security tokens is usually a burdensome process. If you lose or break your smartphone with an authenticator app installed, all 2FA connections must be reset and newly configured. This often requires interacting with service hotlines, which can cost you a substantial amount of time depending on the number of linked services. As a consequence of the high friction and burdensome recovery processes, the activation rate of MFA among users is only 28%.
Passkeys as the solution
Fortunately, passkeys provide a solution to the previously described problems with MFA. First, as already explained, passkeys are a 2FA method and do not require to open another app or pull out an additional device. Also, passkeys are relying on public-key cryptography, where the private key never leaves the respective device. Taken together, passkeys are the most secure authentication method today.
“Passkeys don’t create additional friction because they don’t require an extra step like opening an email, SMS or another app. At the same time, they are a 2FA method as they rely on two factors: the device and the user’s biometric features”
Furthermore, passkeys are convenient as biometric login is the fastest login method and most users are already familiar with the underlying technologies such as Face ID, Touch ID or Windows Hello. This will boost adoption of 2FA among users.
Also, usage across different devices is much more convenient than with traditional 2FA. First, passkeys will be synced within the large ecosystems, for instance in the Apple iCloud Keychain. So, users can directly login from any device associated with an iCloud account without additional device registration. Other tech companies like Google and Microsoft already announced to implement cross-device synchronization in a similar way. Second, 2FA recovery is a pain of the past because within an ecosystem like Apple, no recovery is required due to passkey synchronization. For cross-platform usage, recovery is also no problem because new passkeys can be generated with a few clicks by the users themselves. Finally, passkeys have the potential to eliminate passwords completely. Users are annoyed of having to remember dozens of passwords and passkeys provide a solution that is superior in terms of both convenience and security.
Now it’s the time to get started. Apple promotes passkeys and releases them within the upcoming iOS 16 update on September 19. Digital first movers like PayPal, eBay and others already implemented passkeys. When will you?
Explore Corbado’s passwordless, MFA solutions with passkeys! Sign up for a free account to get started.
Enjoyed this read?
Stay up to date with the latest news, strategies, and insights about passwordless authentication and passkeys sent straight to your inbox!