---
url: 'https://www.corbado.com/faq/are-passkeys-two-factor-authentication'
title: 'Are passkeys considered a form of two-factor authentication?'
description: 'Passkeys offer strong authentication but differ from traditional two-factor authentication (2FA). They are phishing-resistant and PSD2 compliant.'
lang: 'en'
keywords: 'passkeys 2FA, passkeys MFA,'
---

# Are passkeys considered a form of two-factor authentication?

Passkeys provide **strong authentication** but do not fit the traditional definition of
**two-factor authentication (2FA)**. Instead, they belong to a more **advanced category of
authentication** that eliminates the weaknesses of traditional **password-based 2FA**.
This guide explains the differences between passkeys and
[2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security), why passkeys are more secure and when you might
still need traditional MFA.

## 1. What is MFA/2FA?

When you sign in to an online account, you prove to the service that you are who you claim
to be - this process is called **authentication**. Traditionally, this has been done with
a username and password. As we know today, that's not a secure approach: even complex
passwords can be cracked within seconds and more than 50% of users reuse their passwords.

That's why many online services have added an additional layer called **two-factor
authentication (2FA)** or **multi-factor authentication (MFA)**. With
[2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security) enabled, you need more than just a username and
password - you need a second factor to prove your identity.

> _2FA is a subset of MFA, which is an umbrella term for any authentication that uses more
> than one factor to verify a user's identity._

### 1.1 Types of Authentication Factors

A factor in authentication is a way of confirming legitimate access. The three most common
kinds are:

- **Knowledge-based** (something you know): a password, PIN or answers to security
  questions.
- **Possession-based** (something you have): a hardware token, smartphone or
  [security key](https://www.corbado.com/glossary/security-key). This includes email magic links, SMS OTPs,
  time-based one-time passcodes (TOTPs) and push notifications.
- **Inherence-based** (something you are):
  [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) methods like
  fingerprints, iris scans or [Face ID](https://www.corbado.com/faq/is-face-id-passkey).

**Passkeys** combine two of these factors: a passkey is tied to a unique device
(possession) and requires biometric verification (inherence), which makes passkeys
inherently multi-factor.

## 2. How traditional 2FA works (and why it's not optimal)

Traditional [2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security) requires authentication from two
distinct categories. For example, logging into a bank account with **a password
(knowledge)** and confirming via **an SMS OTP (possession)** qualifies as 2FA.

However, traditional 2FA has significant drawbacks:

1. **Additional friction**: the user must leave the app and open another application to
   confirm their identity (e.g. check SMS or open an
   [authenticator](https://www.corbado.com/glossary/authenticator) app).
2. **Passwords remain a weak link**: most 2FA flows still rely on a password as the first
   factor, which can be phished or stolen.
3. **Possession factors can be compromised**: SMS OTPs are vulnerable to
   [SIM swapping](https://www.corbado.com/faq/sim-swapping-sms-authentication-risk),
   [authenticator](https://www.corbado.com/glossary/authenticator) apps can be lost with device changes and
   recovery is burdensome. As a consequence, the activation rate of MFA among users is
   only 28%.

## 3. How Passkeys differ from Traditional 2FA

Passkeys **do not rely on passwords** and use **public-key cryptography**. Here's a direct
comparison:

| Feature                   | Traditional 2FA                           | Passkeys                         |
| ------------------------- | ----------------------------------------- | -------------------------------- |
| **Phishing-resistant?**   | ❌ No (passwords, SMS OTPs can be stolen) | ✅ Yes (origin-bound)            |
| **User experience**       | Cumbersome, requires multiple steps       | Seamless, one-tap authentication |
| **Reliance on passwords** | ✅ Yes (as first factor)                  | ❌ No                            |
| **Recovery complexity**   | High (reset tokens, call hotlines)        | Low (synced via iCloud, Google)  |
| **Meets PSD2 SCA?**       | ✅ Yes, but prone to attacks              | ✅ Yes, with better security     |
| **Activation rate**       | \~28% opt-in                              | Higher (familiar biometrics)     |

### 3.1 Are Passkeys 2FA or MFA?

**Passkeys fulfill the security goals of 2FA without requiring two separate steps.**
Instead of requiring a password + OTP, they **bind authentication to the user's device and
biometrics** such as fingerprint or [Face ID](https://www.corbado.com/faq/is-face-id-passkey).

Since passkeys rely on **device possession (hardware-bound keys) and biometrics
(inherence)**, they **satisfy multi-factor authentication requirements within a single
interaction**.

### 3.2 Why Passkeys are more secure than regular 2FA

Passkeys solve the core problems of traditional 2FA:

- **No shared secrets**: with public-key cryptography the service stores only a public
  key and each login signs a fresh challenge, so there is no reusable secret to intercept.
- **No extra friction**: users don't need to open a separate app or type a code. Most
  users are already familiar with [Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID or
  [Windows Hello](https://www.corbado.com/glossary/windows-hello).
- **Synced across devices**: passkeys sync within ecosystems like
  [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) or
  [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager), eliminating the
  painful 2FA recovery process.

![passkeys more secure than 2fa](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/passkeys_more_secure_than_2fa_38197fb351.png)
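
The origin binding and the single-interaction multi-factor property described above show up in the checks a relying party runs on a passkey login response (a WebAuthn assertion). The following is an added example, not code from this article or from Corbado; `example.com`, the look-alike origin and the challenge value are constructed, and signature verification with the stored public key is assumed to follow these checks.

```python
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin of the real site
FLAG_UP = 0x01  # user present (possession: the authenticator was used)
FLAG_UV = 0x04  # user verified locally (biometric or device PIN)


def check_assertion(client_data_json, auth_data, expected_challenge, require_uv=True):
    """Return the names of failed checks; an empty list means these checks pass.

    Signature verification over authData || SHA-256(clientDataJSON) with the
    stored public key must still follow and is out of scope here.
    """
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(str(client.get("challenge")), expected_challenge):
        failed.append("challenge")
    if client.get("origin") != EXPECTED_ORIGIN:  # written by the browser, not the page
        failed.append("origin")
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return failed + ["authData-length"]
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")
    if not flags & FLAG_UP:
        failed.append("user-presence")
    if require_uv and not flags & FLAG_UV:
        failed.append("user-verification")
    return failed


def build_sample(origin, rp_id, flags, challenge="Y29uc3RydWN0ZWQ"):
    """Construct sample clientDataJSON and authenticatorData (not real captures)."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return client.encode(), auth


if __name__ == "__main__":
    for origin, rp_id, flags in [
        ("https://example.com", "example.com", FLAG_UP | FLAG_UV),
        ("https://examp1e-login.test", "examp1e-login.test", FLAG_UP | FLAG_UV),
        ("https://example.com", "example.com", FLAG_UP),
    ]:
        print(origin, check_assertion(*build_sample(origin, rp_id, flags), "Y29uc3RydWN0ZWQ"))
```

A response produced on the look-alike origin fails both the `origin` and `rpIdHash` checks, and a response without the UV flag proves possession only, so a service that counts the passkey as multi-factor has to require that flag.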

## 4. Can Passkeys be used together with other Authentication Factors?

Yes, **passkeys can be used alongside other authentication factors** to provide layered
security. Depending on security requirements, organizations can implement passkeys as a
standalone method or as part of a more complex multi-factor flow.

### 4.1 Passkeys as Part of an MFA Flow

While passkeys alone provide **strong phishing-resistant authentication**, they can be
combined with other factors for added security in **high-risk environments**:

- **Passkeys + Hardware Security Keys**: users authenticate with passkeys but may need a
  physical [security key](https://www.corbado.com/glossary/security-key) (e.g. [YubiKey](https://www.corbado.com/glossary/yubikey)) for
  sensitive actions.
- **Passkeys + Context-Based Authentication**: organizations can introduce risk-based
  authentication where passkeys alone suffice under normal conditions, but additional
  verification is required for unusual login attempts.

### 4.2 When are additional Factors recommended?

- **Regulatory compliance**: industries like [finance in Europe](https://www.corbado.com/passkeys-for-banking)
  [mandate MFA](https://www.corbado.com/blog/mandating-mfa) that fulfils additional criteria for compliance with
  [PSD2](https://www.corbado.com/blog/psd2-passkeys) and SCA.
- **High-security use cases**: admin accounts, financial transactions and enterprise
  logins may benefit from passkeys + a second factor.
- **User risk profiling**: systems can assess risk levels and dynamically require
  additional authentication when necessary.

## 5. When to use Passkeys as a Second Factor (vs. going fully Passwordless)

While passkeys enable fully
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication), there are scenarios
where **using passkeys as a second factor** provides strategic advantages over immediately
going fully passwordless:

- **Conservative organizations**: enterprises in highly regulated sectors
  ([banking](https://www.corbado.com/passkeys-for-banking), [healthcare](https://www.corbado.com/passkeys-for-healthcare),
  [government](https://www.corbado.com/passkeys-for-public-sector)) can enhance security without dramatically
  altering existing workflows.
- **Gradual user adoption**: deploying passkeys as a second factor serves as a gentle
  introduction, allowing users to become familiar with the experience alongside their
  traditional login before transitioning to fully passwordless.
- **High-security contexts**: environments that demand exceptionally robust security can
  maintain multiple authentication layers, preventing dependency on a single method and
  reducing single-point-of-failure risks.
- **Infrastructure constraints**: organizations whose technical infrastructure doesn't
  fully support [passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) yet
  can deploy passkeys as a second factor while building broader compatibility.

## 6. Are Passkeys PSD2-Compliant?

Yes. Under **Strong Customer Authentication (SCA) in PSD2**, authentication must include:

- **Something the user has** (a registered device with a private key).
- **Something the user is** (biometric authentication).

Passkeys fulfill these requirements **in a seamless, phishing-resistant way**, making them
an **ideal alternative to traditional 2FA** for banks and fintech companies.

## 7. Conclusion: Passkeys are a more secure Alternative to 2FA

Passkeys go beyond **traditional two-factor authentication** by:

- Eliminating passwords and shared secrets.
- Providing **phishing-resistant** authentication via public-key cryptography.
- Meeting **PSD2 SCA** and other regulatory requirements in a more user-friendly way.
- Syncing across devices to remove the 2FA recovery burden.

While **passkeys are not 2FA in the traditional sense**, they achieve **the same (or
better) security benefits** in a way that is **more secure and more convenient**. For
organizations not yet ready to go fully passwordless, passkeys can also serve as a
powerful second factor during a transition period.

