# Why passkeys are phishing-resistant multifactor authentication

When a passkey is used, authentication is tied to the legitimate website and relies on cryptographic proof. Learn more about passkey security today!

---

Passkeys are a phishing-resistant multifactor authentication (MFA) method that can be used as a standalone authentication factor or alongside passwords in hybrid deployments. When a passkey is used, authentication is tied to the legitimate website and relies on cryptographic proof rather than one-time verification codes that must be manually entered or approved. This FAQ explains why and how passkeys are more secure than SMS codes, authenticator apps, and push notifications.

### **Can passkeys work without passwords?**

Yes. Passkeys can function as a complete authentication solution in passwordless deployments because they're inherently multifactor: a sign-in requires possession of the device that holds the private key plus the biometric or PIN that unlocks it, and the service can require and verify that this user verification took place. Organizations can also use passkeys as an additional authentication factor alongside passwords, giving teams flexibility to choose the approach that fits their security policies and user workflows.

### **What makes passkeys a “phishing resistant” multifactor authentication?**

Passkeys are built on public-key cryptography. Each passkey is a key pair generated on the user's device; the private key signs a fresh challenge from the service, and the service checks that signature with the matching public key. There is nothing to guess and no code or password that a fake site could collect, which is what makes passkeys a form of phishing-resistant multifactor authentication. Three properties define this class of MFA.

**Origin binding.** The browser only offers credentials that were registered for the site's domain (the relying party ID) and writes the page's actual origin into the data the authenticator signs, so the service can check that the sign-in came from the real domain (see [How Do Passkeys Work](https://bitwarden.com/en-gb/blog/how-do-passkeys-work/)). A look-alike site cannot obtain a valid sign-in.

**Challenge-response.** Each login uses a unique, short-lived, random challenge generated by the service, which the authenticator signs with the private key. The signature is valid only for that challenge and that origin, so there is no reusable secret for an attacker to capture and forward to the real site (relay attack) or save to use later (replay attack).

**No shared secrets.** The private key remains on the user's device and is never transmitted during authentication. The service stores only the public key, which can verify signatures but cannot produce one, so a breach of the service's database does not let an attacker generate a valid login or impersonate the user.

For more background on how authentication is shifting in the enterprise, see [passwordless authentication adoption](https://bitwarden.com/en-gb/blog/what-passwordless-adoption-means-to-enterprises/).

### **Why other methods are less secure**

Passkeys meet all three phishing-resistant MFA requirements. They tie authentication to the real domain, respond only to server-generated challenges, and never expose a shared secret.

By comparison, common multifactor authentication methods can be intercepted or relayed:

- **SMS codes** can be stolen through malware on the phone, SIM swaps, or real-time relay kits that forward the code to the real site as soon as the victim types it.
- **Authenticator app TOTPs** are valid for a short window (typically a 30-second step plus whatever tolerance the server allows), which is long enough for a code entered on a spoofed website to be forwarded to the real one and accepted.
- **Push approvals** are susceptible to repeated prompt attacks (also known as MFA fatigue or push bombing), where users approve a request out of confusion or fatigue.

Passkeys meet the phishing-resistant MFA criteria set by NIST (SP 800-63B calls the property verifier impersonation resistance), Microsoft, and other major vendors.

#### **Phishing attacks that passkeys resist**

**Real-time multifactor authentication relay kits.** Relay kits place a proxy between the user and the real site, serving a fake login page that captures the password and one-time code and forwards them to the real site within seconds. Passkeys defeat this attack because there is no code for the victim to type, and any assertion produced on the attacker's domain is signed over that domain's origin, so the real site rejects it.

**Look-alike domain traps.** Attackers register domains that closely resemble legitimate websites and direct victims to enter credentials. One example is “rnicrosoft.com” versus “microsoft.com”: the letters r and n together look like an m. A passkey registered for microsoft.com is never offered on rnicrosoft.com, and anything signed there would name the wrong origin, so the fraudulent domain cannot obtain a valid sign-in.

**Multifactor authentication fatigue and push bombing.** Push-based MFA depends on human approval. Attackers overwhelm users with repeated prompts until they accept one by mistake. Passkeys remove this vector entirely: the user's PIN or biometric unlocks a signature for the site in front of them, and there is no remote “approve” or “deny” prompt that an attacker can trigger out of context.

For insight into strengthening authentication visibility across your organization, review the [Bitwarden Access Intelligence overview](https://bitwarden.com/en-gb/blog/introducing-bitwarden-access-intelligence-proactive-security-protection/).


If exploring cross-device sign-in options, see [How to log in with another device](https://bitwarden.com/en-gb/blog/how-to-log-in-with-another-device/).
