
Why passkeys are phishing-resistant multifactor authentication

When a passkey is used, authentication is tied to the legitimate website and relies on cryptographic proof rather than a code the user types or approves. This FAQ explains why that makes passkeys phishing-resistant.

Passkeys are a phishing-resistant multifactor authentication (MFA) method that can be used as a standalone authentication factor or alongside passwords in hybrid deployments. When a passkey is used, authentication is tied to the legitimate website and relies on cryptographic proof rather than one-time verification codes that must be manually entered or approved. This FAQ explains why and how passkeys are more secure than SMS codes, authenticator apps, and push notifications.

Can passkeys work without passwords?

Yes. Passkeys can function as a complete authentication solution in passwordless deployments because they're inherently multifactor. They require device possession plus biometric or PIN verification. Organizations can also use passkeys as an additional authentication factor alongside passwords, giving teams flexibility to choose the approach that fits their security policies and user workflows.

What makes passkeys a “phishing-resistant” multifactor authentication?

Passkeys are built on public-key cryptography: the credential cannot be guessed and cannot be captured by a fake login page, which makes passkeys a form of phishing-resistant multifactor authentication. Three properties define this class of MFA.

Origin binding
The authenticator verifies the website or app requesting the login and only responds when the domain is legitimate (see How Do Passkeys Work). This prevents look-alike sites from triggering a valid sign-in.

Challenge-response
Each login uses a unique, short-lived challenge generated by the service. The authenticator signs this challenge with a private key. There is no reusable information for an attacker to capture and forward to the real site (a relay attack) or to save and present later (a replay attack).

No shared secrets
The private key remains on the user’s device and is never transmitted during authentication. The service/website stores only a public key, which cannot be used to generate a valid login or impersonate the user.

For more background on how authentication is shifting in the enterprise, see passwordless authentication adoption.

Why other methods are less secure

Passkeys meet all three phishing-resistant MFA requirements. They tie authentication to the real domain, respond only to server-generated challenges, and never expose a shared secret.

By comparison, common multifactor authentication methods can be intercepted or relayed:

  • SMS codes can be stolen through malware, SIM swaps, or real-time relay kits.

  • Authenticator app TOTPs are temporary, but remain valid for a short window, so a code harvested by a spoofed website can still be used before it expires.

  • Push approvals are susceptible to repeated-prompt attacks (also known as MFA bombing or push bombing), where users approve a request out of confusion or fatigue.

Passkeys meet the phishing-resistant MFA criteria from NIST, Microsoft, and other major providers.

Phishing-resistant MFA examples

Real-time multifactor authentication relay kits
Relay kits place a proxy between the user and a fake login page, capturing passwords and one-time codes as they are typed and forwarding them to the real site. Passkeys defeat this attack because there is no code to capture, and the signed challenge is bound to the legitimate origin and cannot be reused.

Look-alike domain traps
Attackers register domains that closely resemble legitimate websites and direct victims to enter credentials there. One recent example is “rnicrosoft.com” versus “microsoft.com”: the letters r and n side by side look like an m. Passkeys do not respond to mismatched origins, so the fraudulent domain cannot produce a valid authentication prompt.

Multifactor authentication fatigue and push bombing
Push-based MFA depends on human approval. Attackers overwhelm users with repeated prompts until they accept one by mistake. Passkeys remove this vector entirely because the authentication flow does not include “approve” or “deny” actions.

For insight into strengthening authentication visibility across your organization, review the Bitwarden Access Intelligence overview.

If exploring cross-device sign-in options, see How to log in with another device.

