Subscribe to the Non-Human & AI Identity Journal

Why do passkeys reduce fraud better than passwords or SMS codes?

Passkeys reduce fraud because they bind the authentication ceremony to the registered device and the registered origin. Passwords and SMS codes can be phished, relayed, or replayed from another machine. A passkey response cannot be completed without the original device, which sharply limits remote misuse.

Why This Matters for Security Teams

Fraud reduction is not only about stronger login screens. It is about reducing the value of stolen credentials, blocking replay, and making remote abuse harder to scale. Passwords and SMS codes fail because they can be harvested, phished, or relayed after the fact. Passkeys raise the bar by binding authentication to the registered device and the registered origin, which is why they are increasingly treated as a practical phishing-resistant option in the NIST Cybersecurity Framework 2.0 context.

That matters most where fraud paths are automated. Attackers rarely stop at one account, especially when passwords are reused or when SMS-based one-time codes are intercepted through SIM swap, message forwarding, or real-time phishing kits. NHI Management Group’s Ultimate Guide to NHIs shows how identity misuse becomes an enterprise-scale problem once stolen credentials are easy to replay and hard to govern. Passkeys do not solve every fraud pattern, but they reduce the attack surface in a way legacy factors cannot. In practice, many security teams encounter the weakness of SMS and password-based flows only after account takeover patterns have already begun to spread.

How It Works in Practice

Passkeys reduce fraud because the private key stays on the user’s device and the authentication response is bound to the legitimate origin. A phisher can trick a person into entering a password or reading an SMS code, but that same attacker cannot easily reuse a passkey response from another device or another site. This changes fraud economics: the attacker now needs control of the device, not just the secret.

For security teams, the practical value comes from three properties. First, the challenge is cryptographic, so the verifier checks proof of possession rather than a shared secret. Second, the ceremony is origin-bound, which breaks common phishing-and-relay paths. Third, the factor is typically device-backed, so the compromise window is narrower than long-lived credentials. That aligns with the risk reduction goals discussed in Ultimate Guide to NHIs, where credential replay and poor lifecycle control are recurring causes of exposure.

  • Prefer passkeys for high-risk consumer and workforce sign-ins where phishing resistance matters.
  • Keep SMS only as a fallback, not the primary fraud control, because it is vulnerable to interception and social engineering.
  • Use risk signals such as device reputation, step-up checks, and anomaly detection to complement passkeys.
  • Plan recovery carefully so account restoration does not become the weakest link.

Passkeys are strongest when paired with identity proofing, session monitoring, and strong recovery governance. They tend to break down when account recovery still relies on weak channels, because attackers simply bypass the better factor by abusing the fallback path.

Common Variations and Edge Cases

Tighter authentication often increases onboarding and recovery overhead, requiring organisations to balance fraud reduction against support friction and device-loss scenarios. That tradeoff is real, especially for customer-facing systems where convenience pressure is high. Current guidance suggests treating passkeys as the preferred factor for phishing-resistant authentication, while keeping alternate flows narrowly scoped and heavily monitored.

Not every environment can move at the same pace. Shared devices, legacy applications, and regulated workflows may still require transitional controls. In those cases, passkeys should be introduced where fraud risk is highest, then expanded as application support matures. The broader lesson from NHI management is that weak lifecycle controls create lasting exposure: the Ultimate Guide to NHIs notes that 91.6% of secrets remain valid five days after notification, which illustrates how slowly organisations often remove compromised access.

For standards alignment, the most defensible position is simple: use passkeys where phishing resistance is required, retain SMS only as a constrained fallback, and verify that recovery, device binding, and session controls are equally strong. Fraud control fails when one strong factor is paired with one weak escape hatch.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-7 Phishing-resistant authentication directly supports stronger access control.
OWASP Non-Human Identity Top 10 NHI-05 Credential replay and weak lifecycle controls map to NHI authentication risk.
NIST AI RMF Risk governance applies when authentication must withstand automated abuse.

Adopt phishing-resistant sign-in for high-risk accounts and phase out SMS as the primary factor.