Are passkeys considered a form of two-factor authentication?

Passkeys offer strong authentication but differ from traditional two-factor authentication (2FA). They are phishing-resistant and PSD2 compliant.

Vincent Delitz

Created: January 31, 2025

Updated: March 10, 2026

Are passkeys considered a form of Two-Factor Authentication?

Passkeys provide strong authentication but do not fit the traditional definition of two-factor authentication (2FA). Instead, they belong to a more advanced category of authentication methods that eliminate the weaknesses of traditional password-based 2FA solutions.

Understanding Two-Factor Authentication (2FA)

Traditional 2FA requires authentication from two distinct categories:

  1. Something you know – A password or PIN.
  2. Something you have – A smartphone, hardware token, or SMS OTP.

For example, logging into a bank account with a password (knowledge) and confirming it via an SMS OTP (possession) qualifies as 2FA. However, this method is vulnerable to phishing, SIM swapping, and social engineering attacks.

How Do Passkeys Differ from Traditional 2FA?

Passkeys do not rely on passwords and work as a single authentication factor using public-key cryptography. Here’s how they compare to traditional 2FA:

| Feature | Traditional 2FA | Passkeys |
| --- | --- | --- |
| Phishing-resistant? | ❌ No (passwords, SMS OTPs can be stolen) | ✅ Yes (cryptographic authentication) |
| User experience | Cumbersome, requires multiple steps | Seamless, one-tap authentication |
| Reliance on passwords | ✅ Yes | ❌ No |
| Meets PSD2 SCA requirements? | ✅ Yes, but prone to attacks | ✅ Yes, with better security |

Are Passkeys 2FA or Multi-Factor Authentication (MFA)?

  • Passkeys meet the security goals of 2FA but without requiring two separate steps. Instead of requiring a password + OTP, they bind the authentication to the user’s device and biometrics, such as fingerprint or Face ID.
  • Since passkeys rely on device possession (hardware-bound keys) and biometrics (inherence), they fulfill multi-factor authentication (MFA) requirements within a single step.
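
A relying party can check whether a given passkey login actually evidenced both factors by reading the flags byte of the WebAuthn authenticator data. The Python code below is an added example, not code from the original article or its publisher; the function names and the RP ID `login.example.com` are assumptions, the sample bytes are constructed, and signature verification of the assertion is assumed to happen separately.

```python
import hashlib
import hmac
import struct

# Flag bits of the authenticatorData "flags" byte (WebAuthn specification).
FLAG_UP = 0x01  # User Present: someone interacted with the authenticator
FLAG_UV = 0x04  # User Verified: biometric or device PIN check succeeded
FLAG_BE = 0x08  # Backup Eligible: credential may be synced across devices
FLAG_BS = 0x10  # Backup State: credential is currently backed up


def evaluate_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the fixed 37-byte header (rpIdHash | flags | signCount) and
    report which factors this assertion evidences. Hypothetical helper."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])

    # The key is scoped to one RP ID; a mismatch means the assertion was
    # produced for another origin (the phishing-resistance property).
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    rp_ok = hmac.compare_digest(rp_id_hash, expected)
    user_present = bool(flags & FLAG_UP)
    # UV only says a local check passed; it does not reveal whether that
    # check was a biometric or a device PIN.
    user_verified = bool(flags & FLAG_UV)
    return {
        "rp_id_match": rp_ok,
        "user_present": user_present,
        "user_verified": user_verified,
        "device_bound": not (flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
        # Possession (key used for this RP) plus a verified user in one step.
        "multi_factor": rp_ok and user_present and user_verified,
    }


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData header for demonstration only."""
    digest = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return digest + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = build_sample("login.example.com", FLAG_UP | FLAG_UV, 7)
    print(evaluate_authenticator_data(sample, "login.example.com"))
```

An assertion with UP set but UV clear shows possession only, so a relying party that needs both factors should request user verification and reject assertions where `multi_factor` is false.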

Are Passkeys PSD2-Compliant?

Yes. Under Strong Customer Authentication (SCA) in PSD2, authentication must include:

Passkeys fulfill these requirements in a seamless, phishing-resistant way, making them an ideal alternative to traditional 2FA for banks and fintech companies.

Conclusion: A More Secure Alternative to 2FA

Passkeys go beyond traditional two-factor authentication by:

  • Eliminating passwords and shared secrets.
  • Providing phishing-resistant authentication.
  • Meeting PSD2 SCA security requirements in a more user-friendly way.

While passkeys are not 2FA in the traditional sense, they achieve the same (or better) security benefits in a way that is more secure and user-friendly.
