
Why is passkey the recommended MFA?

Easier day to day (device biometric, no codes to type) and more secure (phishing-resistant and device-bound) than SMS or Authenticator app codes.

Two reasons: easier day-to-day and more secure.

Easier: No waiting for SMS codes to arrive (which can be slow or unreliable, especially internationally), and no need to open an authenticator app and read off a 6-digit code under time pressure. Passkey login uses the device's existing biometric (Face ID, Touch ID, Windows Hello) or PIN, so the second factor is just an additional tap, not an additional step.

More secure: Passkeys are bound to the device and phishing-resistant. Each passkey is cryptographically tied to the site it was set up for, so even if an attacker tricks the user into entering credentials on a fake site, the passkey won't authenticate against the fake site because the domain doesn't match. SMS codes, by contrast, can be phished (the user types them into the wrong site) or intercepted via SIM-swap attacks.
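
The domain check described above, as an added example (not code from this article or its vendor): Node.js code for the checks a server runs on a passkey sign-in response, following the WebAuthn assertion layout. The domains, keys and function names are constructed, and the second and third cases assume the worst case where a response produced for a look-alike page reaches the real server.

```javascript
// Added example; origins, IDs and keys are constructed for illustration.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto"); // works as CommonJS or ES module
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

const RP_ID = "login.example.com"; // assumed relying-party ID
const RP_ORIGIN = "https://login.example.com";
const FAKE_ID = "login-example.test"; // constructed look-alike domain
const FAKE_ORIGIN = "https://login-example.test";

// Bytes covered by the signature. The browser, not the page, fills in the origin.
function payload(challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (0x05 = present + verified) | signCount (4)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  return { clientDataJSON, authData };
}

// Device side: the private key never leaves the authenticator.
function signAssertion(privateKey, challenge, origin, rpId) {
  const p = payload(challenge, origin, rpId);
  const signed = Buffer.concat([p.authData, sha256(p.clientDataJSON)]);
  return { ...p, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Server side: checks a relying party runs before accepting the login.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expectedChallenge) return "challenge-mismatch";
  if (client.origin !== RP_ORIGIN) return "origin-mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpid-mismatch";
  if ((a.authData[32] & 0x01) === 0) return "user-not-present";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad-signature";
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  const genuine = signAssertion(privateKey, challenge, RP_ORIGIN, RP_ID);
  // Relayed from a look-alike page: the signed data names the look-alike domain.
  const relayed = signAssertion(privateKey, challenge, FAKE_ORIGIN, FAKE_ID);
  // Same signature with the domain fields rewritten to the real site.
  const rewritten = { ...payload(challenge, RP_ORIGIN, RP_ID), signature: relayed.signature };
  return [genuine, relayed, rewritten].map((a) => verifyAssertion(publicKey, challenge, a));
}
console.log(demo()); // [ 'ok', 'origin-mismatch', 'bad-signature' ]
```

A one-time code has no equivalent of the signed origin field, which is why it verifies the same wherever it was typed.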

Trade-off: A passkey requires a modern device and a brief one-time setup. Once set up, it's lower-friction than the alternatives. For users who can't use a passkey (older devices, shared workstations), an authenticator app is the next-best choice.
