Death to one-time text codes: Passkeys are the new hotness in MFA

Summary

One-time passcodes delivered by SMS or email are increasingly inadequate as an MFA defence: they’re phishable and can be intercepted. Organisations are moving towards passkeys — FIDO2/WebAuthn-based, certificate-style, device-bound credentials — and hardware tokens as phishing-resistant alternatives. Major players including Amazon, Google, Microsoft, Apple, PayPal and WhatsApp now support passkeys, and adoption metrics show strong user and business benefits such as faster sign-ins, higher success rates and fewer help-desk calls. However, usability and multi-device sync introduce some social-engineering risks and cross-OS transfer friction that slow universal adoption.

Key Points

  • SMS and email OTPs are vulnerable to phishing and interception; identity attacks remain a top vector.
  • Passkeys use cryptographic key pairs (private key on device, public key on server) and are classed as phishing-resistant MFA.
  • Device-bound passkeys and X.509 hardware tokens currently offer the strongest protection against credential theft.
  • Passkey adoption is accelerating: industry estimates cite over 2 billion passkeys in use and strong interest from organisations for 2026 investment.
  • Businesses report a 30% higher sign-in success rate and a 73% reduction in sign-in time (average 8.5s with passkeys vs 31.2s for other methods).
  • Early adopters see up to 81% fewer sign-in help-desk incidents and expect lower fraud and support costs.
  • Multi-device passkey syncing improves convenience but can introduce social-engineering risks if attackers coerce help desks or users.
  • Usability and cross-OS migration remain practical hurdles for universal passkey roll-out, especially for consumer-facing services prioritising ease-of-use.

Why should I read this?

Short version: if you care about keeping accounts safe without annoying users, this matters. Passkeys actually cut fraud, speed up logins and slash support calls — so whether you’re protecting an organisation or selling online services, switching from SMS OTPs to passkeys is one of the clearest wins in identity security right now. Read the detail if you want the quick wins and the caveats about syncing and social-engineering traps.

Context and relevance

This piece summarises why the industry is shifting away from shared-secret and OTP models towards FIDO-backed passkeys. It ties into broader trends: rising phishing efficacy (including AI-augmented attacks), stronger regulatory and vendor pressure to harden identity controls, and commerce-driven demand for faster, lower-friction sign-ins. For IT leaders, CISOs and product teams, the article helps weigh security gains against usability trade-offs and highlights where to focus pilot deployments (employee access first, customer journeys once transfer and sync UX are addressed).

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/06/multifactor_authentication_passkeys/