# Why passkeys are phishing-resistant multifactor authentication

When a passkey is used, authentication is tied to the legitimate website and relies on cryptographic proof. Learn more about passkey security today.

---

Passkeys are a phishing-resistant multifactor authentication (MFA) method that can be used as a standalone authentication factor or alongside passwords in hybrid deployments. When a passkey is used, authentication is tied to the legitimate website and relies on cryptographic proof rather than one-time verification codes that must be manually entered or approved. This FAQ explains why and how passkeys are more secure than SMS codes, authenticator apps, and push notifications.

### **Can passkeys work without passwords?**

Yes. Passkeys can function as a complete authentication solution in passwordless deployments because they're inherently multifactor. They require device possession plus biometric or PIN verification. Organizations can also use passkeys as an additional authentication factor alongside passwords, giving teams flexibility to choose the approach that fits their security policies and user workflows.

### **What makes passkeys a “phishing resistant” multifactor authentication?**

Passkeys are cryptographically secure: they rely on public-key cryptography and mathematical functions that make them unguessable and nearly impossible to phish, which qualifies them as a form of phishing-resistant multifactor authentication. Three properties define this class of MFA.

**Origin binding:** The authenticator verifies the website or app requesting the login and only responds when the domain is legitimate (see [How Do Passkeys Work](https://bitwarden.com/it-it/blog/how-do-passkeys-work/)). This prevents look-alike sites from triggering a valid sign-in.

**Challenge-response:** Each login uses a unique, short-lived challenge generated by the service. The authenticator signs this challenge with a private key. There is no reusable information for an attacker to capture and forward to the real site (relay attack) or save to attempt later (replay attack).

**No shared secrets:** The private key remains on the user’s device and is never transmitted during authentication. The service/website stores only a public key, which cannot be used to generate a valid login or impersonate the user.

For more background on how authentication is shifting in the enterprise, see [passwordless authentication adoption](https://bitwarden.com/it-it/blog/what-passwordless-adoption-means-to-enterprises/).

### **Why other methods are less secure**

Passkeys meet all three phishing-resistant MFA requirements. They tie authentication to the real domain, respond only to server-generated challenges, and never expose a shared secret.

By comparison, common multifactor authentication methods can be intercepted or relayed:

- **SMS codes** can be stolen through malware, SIM swaps, or real-time relay kits.
- **Authenticator app TOTPs** are temporary, but still reusable for a short period and can be harvested via spoofed websites.
- **Push approvals** are susceptible to repeated prompt attacks (also known as 2FA bombing), where users approve a request out of confusion or fatigue.

Passkeys meet the phishing-resistant MFA criteria from NIST, Microsoft, and other major providers.

#### **Phishing-resistant MFA examples**

**Real-time multifactor authentication relay kits:** Relay kits create a proxy between users and fake login pages, capturing passwords and one-time codes and forwarding them to the real site. Passkeys prevent this attack because no reusable code exists and the signed challenge is bound to the origin the browser actually visited, so a proxy on a different domain never obtains a valid signature and a captured signature cannot be reused.

**Look-alike domain traps:** Attackers register domains that closely resemble legitimate websites and direct victims to enter credentials. One recent example was “rnicrosoft.com” vs. “microsoft.com”: note that the letters r and n side by side look similar to an m. Passkeys do not respond to mismatched origins, so the fraudulent domain cannot produce a valid authentication prompt.

**Multifactor authentication fatigue and push bombing:** Push-based MFA depends on human approval. Attackers overwhelm users with repeated prompts until they accept one by mistake. Passkeys remove this vector entirely because the authentication flow does not include “approve” or “deny” actions.

For insight into strengthening authentication visibility across your organization, review the [Bitwarden Access Intelligence overview](https://bitwarden.com/it-it/blog/introducing-bitwarden-access-intelligence-proactive-security-protection/).

If exploring cross-device sign-in options, see [How to log in with another device](https://bitwarden.com/it-it/blog/how-to-log-in-with-another-device/).
