Passkeys and Phishing-Resistant MFA Enhance Security for U.S. Organizations

Multifactor authentication (MFA) is now a standard security practice across digital services, including banking and health insurance, designed to add a layer of identity verification beyond passwords. Not all MFA methods offer equal protection, however: one-time passwords (OTPs) sent via SMS or email can be phished. Cybercriminals increasingly obtain legitimate credentials through phishing, which makes robust MFA essential for preventing unauthorized access; Microsoft's latest Digital Defense Report notes that identity attacks remain the primary threat vector.

MFA factors generally rely on something you know (passwords or codes), something you have (tokens or devices), or something you are (biometrics). Traditional OTPs and passcodes are susceptible to interception or social engineering, prompting a shift toward phishing-resistant MFA technologies. Passkeys, which use cryptographic key pairs stored locally on the user's device rather than shared secrets, represent the gold standard in MFA and significantly reduce the risk of credential theft: the service holds only the public key, so there is no shared secret for a phishing page to capture. Leading technology firms including Amazon, Google, Microsoft, Apple, PayPal, and WhatsApp have adopted passkeys, which strengthen security by requiring physical possession of a device for authentication. Hardware security keys such as YubiKey devices are also phishing-resistant, offering strong protection by keeping private keys confined to the hardware itself.

While passkeys are highly secure, multi-device passkeys that synchronize credentials across devices introduce a social engineering risk if attackers obtain device access through impersonation tactics aimed at IT support. Even so, passkeys are a clear improvement over SMS or email OTPs, which remain widely used because they are simple to implement, especially in consumer-facing applications.
The FIDO Alliance has been instrumental in standardizing passwordless authentication through the FIDO2 and WebAuthn protocols, promoting interoperability and improving user experience. Since debuting in 2022 with Apple's support, over two billion passkeys are in use globally, and adoption is expected to grow significantly in the coming years. Surveys of IT professionals show strong interest in passkeys, with predictions of increased investment through 2026 and high satisfaction rates among early adopters.

Enterprises deploying passkeys report operational benefits, including a 30% improvement in sign-in success rates and a 73% reduction in login times, from over 30 seconds for legacy methods to around 8.5 seconds. Business advantages extend to fewer help-desk calls about sign-in issues (up to an 81% decrease) and lower costs tied to OTP delivery, resets, and fraud prevention. Eliminating remote account takeover attacks helps companies reduce fraud-related losses, and passkeys contribute to stronger security postures across industries.

Challenges hindering widespread adoption include interoperability issues between operating systems and the trade-off between security and user convenience. Security remains the priority in internal organizational contexts, whereas customer-facing applications often balance user experience against security standards. SMS and email-based MFA remain prevalent because they are easy to use and implement, but they provide weaker protection than phishing-resistant options. Ultimately, organizations must weigh the risk profile of the assets being protected against operational demands and customer experience when selecting authentication methods. Advances in cryptographic, device-based authentication continue to shift the landscape toward more secure and user-friendly identity solutions, with passkeys positioned as a critical tool for reducing identity fraud and cyber threats in the U.S. market.