Are Passkeys 2FA?
While the increasing adoption of passkeys is exciting, many developers are left wondering about the technical and security nuances. One of the questions that comes up frequently is, are passkeys considered two-factor authentication (2FA) or multi-factor authentication (MFA)?
The short answer is yes, passkeys are 2FA. Let’s find out why.
How are Passkeys 2FA?
2FA is defined as using more than one factor during authentication. It is considered by regulations such as PSD2 in Europe and NYDFS in the US as best practice for strong authentication.
Passkeys are 2FA because they require two factors to authenticate a user:
- Something you are OR something you know: In order to use a passkey for authentication, users must first provide their local device biometrics (FaceID, TouchID, Windows Hello) or their local device PIN. This proves the “inherence” factor (or, when a PIN is used, the “knowledge” factor).
- Something you own: Once the user passes their inherence factor, the passkey on the user’s device authenticates the user with asymmetric cryptography and proves that they own the passkey. This fulfills the “possession” factor.
The unique characteristic of passkey authentication that causes the confusion in the first place is how seamless it is for the user—passkeys enable 2FA with a single user action. The only action the user has to take is to provide their biometric, which, at first glance, appears to be only a single factor. In the background, however, passkeys are at work authenticating the user in a phishing-resistant way.
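As an added example (not code from the original article), here is how a relying party could check both factors in a single WebAuthn assertion using Node.js: the signed UV flag shows the device checked a biometric or PIN, and the signature shows possession of the passkey. The key pair, example.com, the challenge, and the helper names verifyAssertion, makeAssertion and demo are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const FLAG_UP = 0x01; // user present (touch or similar gesture)
const FLAG_UV = 0x04; // user verified (local biometric or device PIN)

// Relying-party side: returns { ok, reason } for one WebAuthn assertion.
// `expected` = { rpId, origin, challenge } as stored by the server for this login.
function verifyAssertion({ authenticatorData, clientDataJSON, signature }, publicKey, expected) {
  const fail = (reason) => ({ ok: false, reason });
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return fail('wrong ceremony type');
  if (client.challenge !== expected.challenge) return fail('challenge mismatch');
  if (client.origin !== expected.origin) return fail('origin mismatch');

  // authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
  if (authenticatorData.length < 37) return fail('authenticatorData too short');
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return fail('rpIdHash mismatch');
  const flags = authenticatorData[32];
  if (!(flags & FLAG_UP)) return fail('user not present');
  // First factor: the device vouches that it checked a biometric or PIN.
  if (!(flags & FLAG_UV)) return fail('user verification missing');

  // Second factor: the signature proves possession of the passkey's private key.
  // It covers authenticatorData || SHA-256(clientDataJSON), so the flags are signed too.
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signedData, publicKey, signature)) return fail('bad signature');
  return { ok: true, reason: 'possession and user verification proven' };
}

// Constructed stand-in for the user's device, used only to produce sample input.
function makeAssertion(privateKey, { rpId, origin, challenge }, flags) {
  const authenticatorData = Buffer.concat([
    sha256(rpId), Buffer.from([flags]), Buffer.from([0, 0, 0, 1]), // signCount = 1
  ]);
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: crypto.sign('sha256', signedData, privateKey) };
}

// Constructed sample values (example.com is a placeholder relying party).
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = { rpId: 'example.com', origin: 'https://example.com',
    challenge: crypto.randomBytes(32).toString('base64url') };
  const run = (flags) => verifyAssertion(makeAssertion(privateKey, expected, flags), publicKey, expected);
  return { verified: run(FLAG_UP | FLAG_UV), presenceOnly: run(FLAG_UP) };
}

console.log(demo());
```

A server that accepts assertions without requiring the UV flag is only verifying possession, so the relying party has to request and enforce user verification for a passkey login to count as two factors.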
Embracing the Future of Online Security
Here’s why all of this matters: the digital landscape is evolving faster than anyone could have ever imagined, and with that, security is a high priority for most websites. Passkeys are essential when it comes to scenarios like the Reddit data breach in June of this year, where a gang planted ransomware and demanded $4.5 million in return for confidential data. Major breaches are becoming all too familiar and could be mitigated with the tightened security and user-friendliness provided by passkeys.
2FA but Better
If you’re looking for a solution that makes your digital life easier, passkeys provide the same security levels as traditional 2FA without the hassle of a second device. To answer the original question, passkeys do provide 2FA, but they do it while improving the user experience.