Passkeys provide the strongest phishing resistance because they use cryptographic keys bound to a device or authenticator, while methods like magic links and OTPs still rely on delivery channels that can be intercepted or abused. Teams should reserve passkeys for higher-assurance use cases and use weaker methods only where the risk profile supports them.
Why This Matters for Security Teams
Passkeys are not just a nicer login experience. In practice, they change the trust model by binding a credential to an authenticator and using public-key cryptography instead of a shared secret. That makes them materially harder to phish than passwords, OTPs, or magic links, which still depend on a delivery path that can be redirected, replayed, or socially engineered. NIST’s NIST Cybersecurity Framework 2.0 frames this as an identity assurance and access control problem, not just an authentication UX upgrade.
For security teams, the practical issue is choosing the right method for the right risk. Passkeys are strongest when the user, device, and recovery process can all be governed. Magic links and OTPs can be acceptable for lower-risk flows, but they should not be treated as equivalent to phishing-resistant authentication. NHIMG’s Ultimate Guide to NHIs shows how often identity controls fail when teams rely on convenience over assurance, especially where credentials or secrets are broadly exposed. In practice, many teams discover the weakness of “passwordless” only after a mailbox, SMS channel, or recovery path has already been abused.
How It Works in Practice
Passkeys are typically based on FIDO2/WebAuthn, where the authenticator creates and stores a private key and the service keeps only the public key. The user proves possession through a signed challenge, and the origin binding helps stop credential replay on lookalike sites. That is the main practical difference from other passwordless methods: there is no shared secret to steal from the user or intercept in transit.
Other passwordless methods remove the password but keep a weaker factor in the path:
Magic links depend on email security and mailbox access. If an inbox is compromised, the login link is effectively compromised too.
OTP via SMS or email is susceptible to interception, SIM swap, push fatigue, relay attacks, and help-desk social engineering.
Device-based approvals can be stronger than OTPs, but their assurance depends on whether the device is enrolled, managed, and protected against session theft.
The operational decision is not “passwordless or not.” It is whether the method resists phishing, whether recovery preserves the same assurance level, and whether the help desk can rebind identity without weakening it. The Schneider Electric credentials breach is a reminder that identity failures often begin with compromised access paths rather than a direct cryptographic break. For implementation planning, NIST guidance and the NIST Cybersecurity Framework 2.0 both support stronger authentication where the threat model justifies it.
These controls tend to break down when recovery, enrollment, or account support workflows still rely on weak verification, because the attacker simply targets the exception path instead of the login prompt.
Common Variations and Edge Cases
Tighter authentication often increases enrollment, recovery, and device-management overhead, so organisations have to balance phishing resistance against user friction and support cost. That tradeoff is especially visible when the workforce includes contractors, shared devices, or customers who cannot be forced onto managed hardware.
Current guidance suggests treating passkeys as the preferred option for high-assurance employee access, privileged access, and sensitive customer accounts, while using weaker passwordless methods only where the risk profile supports them. There is no universal standard for this yet, but best practice is evolving toward passkeys as the primary factor and SMS or email OTP as fallback only, not as an equal alternative.
Edge cases matter:
Cross-device use can improve usability, but it should not weaken verification of the underlying authenticator.
Shared or kiosk devices may block secure passkey storage, making recovery and session controls more important.
Legacy applications often force teams to keep OTP or magic-link paths alive, even when passkeys are available elsewhere.
NHIMG’s research on the broader identity attack surface reinforces a practical point: the strongest authentication method fails if secondary access paths remain weak. The right design is usually tiered authentication, not a blanket claim that all passwordless methods are interchangeable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and auth strength differ across passwordless methods. |
| NIST SP 800-63 | AAL2 | Passkeys and OTPs map to different assurance levels in practice. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Weak recovery and secret handling often undermine passwordless security. |
Secure enrollment, recovery, and fallback paths so they do not bypass the intended auth assurance.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org