Passkeys reduce reliance on shared secrets and are resistant to common phishing paths that undermine passwords and OTP-based flows. The practical difference is that passkeys move the primary verification step to a cryptographic authenticator, which is harder to replay or intercept.
Why This Matters for Security Teams
Passkeys are not just a better login experience. They change the risk model by removing the shared secret that password and OTP flows depend on, which is where phishing, replay, and credential stuffing do most of their damage. For security teams, the practical question is whether the organisation is reducing the likelihood of account takeover or simply adding another factor that can still be socially engineered.
This matters because identity attacks usually succeed at the point where humans and reusable secrets intersect. Password-based multifactor sign-in improves assurance, but it often still leaves the password exposed to phishing and the second factor exposed to push fatigue, interception, or adversary-in-the-middle attacks. NIST’s control guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls emphasises stronger authenticators and resilient access control, while NHI research shows how persistent secrets and weak lifecycle practices continue to drive compromise paths in real environments.
NHI Management Group’s Ultimate Guide to NHIs — Why NHI Security Matters Now highlights that secrets-based identity remains a major exposure area across enterprises. In practice, many security teams discover the weakness of password-plus-OTP sign-in only after a phishing kit or session theft campaign has already bypassed it.
How It Works in Practice
Passkeys rely on public key cryptography, so the private key stays bound to the user’s device or platform authenticator and is not shared with the service. That makes them resistant to classic phishing because there is no password for a user to type into a fake site and no OTP for an attacker to intercept and replay. For risk reduction, this is a material shift: the authenticator proves possession of a device-held key, rather than proving that a human remembered a secret.
Password-based multifactor sign-in still has value, but its risk reduction depends on factor quality. SMS and OTP apps reduce exposure compared with passwords alone, yet they remain vulnerable to real-time phishing, social engineering, and session hijacking. Current guidance from NIST Cybersecurity Framework 2.0 and the evolving passkey ecosystem points toward phishing-resistant authentication as the stronger option when the threat model includes external attackers actively targeting login flows.
For teams comparing the two, the operational differences usually come down to:
- Passkeys eliminate shared secrets from the primary sign-in path.
- Password-based MFA still depends on a password, so the first factor remains phishable.
- Passkeys can improve user experience by reducing login friction, which often improves adoption.
- Password-based MFA may be easier to roll out in legacy environments, but it leaves more residual risk.
NHI management guidance in the Ultimate Guide to NHIs — Key Challenges and Risks is relevant here because the same pattern appears across machine identities: reusable secrets create durable attack paths, while cryptographic proof reduces replay opportunities. These controls tend to break down in environments that still rely on legacy apps, unsupported browsers, or recovery workflows that silently fall back to passwords and OTP.
Common Variations and Edge Cases
Tighter authentication usually improves security but can increase recovery overhead, device dependency, and help desk complexity, so organisations need to balance phishing resistance against operational friction. That tradeoff is especially visible when users need cross-device access, shared workstations, or regulated fallback procedures.
Passkeys are not a universal fix. They reduce risk most effectively when the service supports them end to end, when account recovery is also hardened, and when fallback methods do not reintroduce the same phishing problems. If a platform offers passkeys but still allows weak recovery through email links, SMS resets, or bypass codes, the overall risk reduction is limited. This is why guidance is still evolving on how to measure “phishing resistance” across the full identity lifecycle.
For high-assurance environments, passkeys should be paired with session controls, device posture checks, and strong recovery governance. For mixed estates, a phased model is often more realistic: deploy passkeys for high-value users first, retain password-based MFA only where needed, and monitor whether fallback paths are becoming the real attack surface. NHI Management Group’s Top 10 NHI Issues shows the broader lesson: security gains disappear when lifecycle exceptions, unmanaged fallbacks, or long-lived secrets are allowed to persist.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Compares secret-based auth with stronger identity controls for phishing resistance. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication strength are central to reducing account takeover risk. |
| NIST SP 800-63 | AAL2 | Authentication assurance levels frame why passkeys outperform password-based MFA. |
| NIST AI RMF | Authentication risk management should consider user, device, and fallback contexts. | |
| OWASP Agentic AI Top 10 | LLM-03 | Phishing-resistant auth reduces misuse paths where agents or automated workflows invoke identities. |
Replace reusable secrets with stronger, cryptographic authenticators and remove weak fallback paths.