FIDO2 binds the authentication response to the relying-party origin, so a lookalike site cannot reuse the assertion. OTP codes can be relayed in real time and are still shared secrets at the moment of use. Passkeys keep the cryptographic benefit while improving usability, but they still depend on sound enrollment and recovery controls.
Why This Matters for Security Teams
Phishing resistance is not just about stopping credential theft at the login box. Security teams also need an authentication method that prevents an attacker from replaying what they captured on a fake site, in a proxy, or during a real-time relay attack. That is why FIDO2 and passkeys are treated differently from OTP codes in most modern identity guidance, including the NIST SP 800-63 Digital Identity Guidelines.
The practical gap is simple: OTPs are still secrets at the moment of use, so a user can be tricked into handing them over and an attacker can immediately reuse them. FIDO2 authenticators instead sign a challenge that is bound to the relying-party origin, which makes the response useless on a lookalike domain. That origin binding is what breaks the most common phishing relay pattern, not just stronger password policy.
NHIMG research shows how often identity weaknesses become operational incidents. In the Ultimate Guide to NHIs, 79% of organisations reported secrets leaks and 77% of those incidents caused tangible damage, which reinforces how often shared secrets fail in the real world. In practice, many security teams encounter relay abuse only after a user has already approved the wrong prompt or typed a code into the attacker’s proxy.
How It Works in Practice
FIDO2 reduces phishing risk because the authenticator does not simply prove that a user saw a prompt. It proves that the response was created for a specific origin and challenge, using public-key cryptography. The browser, authenticator, and relying party all participate in that check, so a fake login page cannot forward a valid assertion to the real service in the same way it can forward an OTP.
OTP codes work differently. A code generated by SMS, app, or token is usually a short-lived shared secret. That is better than a password alone, but it can still be relayed in real time if the user is deceived. The threat model is especially weak against adversary-in-the-middle phishing kits that copy the session as it happens.
For practitioners, the main implementation advantages of passkeys are:
- Origin-bound assertions that block simple credential replay on spoofed domains.
- Private keys stored in secure hardware or platform authenticators, not typed or transmitted as shared secrets.
- Better user experience, which usually increases adoption and reduces workarounds.
- Support for strong, passwordless flows when enrollment and recovery are designed well.
That last point matters. Passkeys inherit the cryptographic benefit of FIDO2, but they still depend on sound lifecycle controls: initial enrollment, device binding, recovery, and step-up handling for high-risk actions. For broader identity hygiene, the Top 10 NHI Issues illustrates the same pattern in machine identity contexts, where weak lifecycle discipline turns good cryptography into weak operations. These controls tend to break down in highly distributed environments where legacy apps still require OTP fallbacks, because fallback paths often become the attacker’s easiest route.
Common Variations and Edge Cases
Tighter authentication often increases operational friction, requiring organisations to balance phishing resistance against enrollment complexity, device loss recovery, and legacy application compatibility. Best practice is evolving here rather than settled, especially where passkeys must coexist with older MFA methods.
One common edge case is fallback logic. If a service allows SMS OTP, email OTP, or recovery codes after users enrol passkeys, the phishing-resistant posture can collapse back to the weakest factor. Another is shared or high-friction environments such as call centres, kiosks, and contractor-heavy workflows, where device binding and recovery may need compensating controls.
Passkeys also do not eliminate account takeover risk if the attacker controls the session after authentication, if recovery is weak, or if users are trained to approve unexpected prompts. For that reason, current guidance suggests treating FIDO2 as a major reduction in phishing exposure, not as a complete identity security programme. The strongest deployments combine passkeys with risk-based step-up, strict recovery verification, and removal of OTP as a routine fallback wherever possible. The NIST Cybersecurity Framework 2.0 is useful here because it pushes teams to align authentication choice with governance, detection, and recovery, not just initial sign-in.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers phishing-resistant identity design and secret exposure risks. |
| NIST SP 800-63 | IAL/AAL guidance | Defines phishing-resistant authenticators and assurance levels for digital identity. |
| NIST CSF 2.0 | PR.AC-7 | Supports strong authentication and verification of user access. |
Use phishing-resistant authenticators and validate fallback paths against the required assurance level.
