
Why do passkeys matter more than SMS for MFA?

By NHI Mgmt Group Editorial Team | Updated June 6, 2026 | Domain: Authentication, Authorisation & Trust

Passkeys reduce phishing and interception risk because they use device-bound cryptographic authentication instead of reusable codes. SMS remains vulnerable to SIM swapping, message interception, and social engineering. For high-risk access, organisations should treat passkeys as the preferred factor and reserve weaker methods only for transitional cases.

Why Passkeys Matter More Than SMS for MFA

SMS codes are easy to deliver and easy to attack. Passkeys replace shared, reusable secrets with device-bound cryptographic proof, which sharply reduces phishing, SIM swapping, and interception risk. That matters because identity compromise rarely stops at a single account. Once attackers get one foothold, they often pivot into other systems, including privileged workloads and service accounts described in NHI Mgmt Group research on the Microsoft Midnight Blizzard breach. Current guidance from the NIST Cybersecurity Framework 2.0 supports stronger identity controls as part of a broader risk posture, not as a cosmetic login upgrade.

The practical difference is resilience under attack. SMS depends on telco trust, message routing, and a user correctly spotting a fake prompt. Passkeys depend on private keys that stay on the user’s device and are unlocked locally, which makes them far harder to steal in bulk. For security teams, the question is not whether MFA exists, but whether the factor can survive modern adversary tradecraft. In practice, many security teams only confront password reset abuse and social engineering after access has already been lost, rather than anticipating them through deliberate identity design.

How It Works in Practice

Passkeys are built on public key cryptography. During enrollment, the device creates a key pair and keeps the private key protected in hardware or a trusted secure enclave, while the public key is registered with the service. At login, the service sends a challenge, and the device signs it after the user approves the action locally. The result is a usable login flow without a reusable secret that can be copied, replayed, or intercepted.

For organisations, the operational benefit is strongest when passkeys are paired with phishing-resistant authentication policy, conditional access, and clear recovery controls. They fit well with modern identity programs that already use NIST Cybersecurity Framework 2.0 functions such as Protect and Detect, because the goal is not just stronger sign-in, but better detection of anomalous access attempts and safer recovery when devices are lost. NHI Mgmt Group data shows why this matters: the Microsoft Midnight Blizzard breach illustrates how identity abuse can spread once attackers obtain trusted credentials or tokens, while the broader research shows 91.6% of secrets remain valid five days after notification, a sign that weak credential handling is still common.

A practical rollout usually includes these steps:

  • Require passkeys for high-risk users first, such as admins, finance, and support roles.
  • Keep SMS only as a temporary fallback, with stricter verification for recovery.
  • Use phishing-resistant authentication for privileged access and sensitive actions.
  • Monitor sign-in anomalies, device changes, and help-desk recovery patterns.
  • Document account recovery so attackers cannot exploit the exception path.

These controls tend to break down when an organisation relies on shared devices, unmanaged BYOD, or weak account recovery processes because the authentication strength is only as good as the recovery and device trust model.
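The monitoring and fallback steps above, turned into an added example of detection logic that is not part of the original page. It runs two checks over a constructed sample of sign-in and help-desk events: users who have a passkey enrolled but keep signing in with SMS (the fallback quietly becoming the default), and a help-desk recovery followed within a short window by credential enrollment from a device never seen for that user (the exception path being used to add a new authenticator). The event schema, the field names, the one-hour window and the SMS threshold are assumptions for this example; a real identity provider's log format will differ.

```javascript
// Added example, not from the page: detection over constructed sample events.
// Event shape (ts, user, type, factor, device, agent) is an assumption.
const EVENTS = [ // constructed sample log, ISO timestamps
  { ts: '2026-06-01T08:00:00Z', user: 'alice', type: 'signin', factor: 'passkey', device: 'dev-a1' },
  { ts: '2026-06-01T09:10:00Z', user: 'alice', type: 'signin', factor: 'sms',     device: 'dev-a1' },
  { ts: '2026-06-02T09:12:00Z', user: 'alice', type: 'signin', factor: 'sms',     device: 'dev-a1' },
  { ts: '2026-06-03T09:05:00Z', user: 'alice', type: 'signin', factor: 'sms',     device: 'dev-a1' },
  { ts: '2026-06-03T10:00:00Z', user: 'bob',   type: 'signin', factor: 'passkey', device: 'dev-b1' },
  { ts: '2026-06-04T14:00:00Z', user: 'bob',   type: 'helpdesk_recovery', agent: 'hd-07' },
  { ts: '2026-06-04T14:20:00Z', user: 'bob',   type: 'credential_enrolled', factor: 'passkey', device: 'dev-x9' },
  { ts: '2026-06-04T14:25:00Z', user: 'bob',   type: 'signin', factor: 'passkey', device: 'dev-x9' },
  { ts: '2026-06-04T16:00:00Z', user: 'carol', type: 'signin', factor: 'sms',     device: 'dev-c1' },
];

// Users who already had a passkey enrolled before the window (constructed).
const PASSKEY_USERS = new Set(['alice', 'bob']);

// Rule 1: a passkey user relying on the SMS fallback repeatedly. Carol has no
// passkey yet, so her SMS use is transitional rather than a fallback-by-default.
function detectFallbackAbuse(events, passkeyUsers, smsThreshold = 3) {
  const smsCount = new Map();
  for (const e of events) {
    if (e.type === 'signin' && e.factor === 'sms' && passkeyUsers.has(e.user)) {
      smsCount.set(e.user, (smsCount.get(e.user) || 0) + 1);
    }
  }
  return [...smsCount]
    .filter(([, n]) => n >= smsThreshold)
    .map(([user, n]) => ({ rule: 'sms-fallback-is-default', user, smsSignins: n }));
}

// Rule 2: help-desk recovery followed by enrollment from a never-seen device
// within windowMs. Events are processed in time order so "seen" only counts
// devices observed before the enrollment.
function detectRecoveryThenNewDevice(events, windowMs = 60 * 60 * 1000) {
  const knownDevices = new Map();  // user -> Set of device ids seen so far
  const lastRecovery = new Map();  // user -> timestamp (ms) of latest recovery
  const findings = [];
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of ordered) {
    const seen = knownDevices.get(e.user) || new Set();
    const t = Date.parse(e.ts);
    if (e.type === 'helpdesk_recovery') {
      lastRecovery.set(e.user, t);
    } else if (e.type === 'credential_enrolled' && e.device && !seen.has(e.device)) {
      const t0 = lastRecovery.get(e.user);
      if (t0 !== undefined && t - t0 <= windowMs) {
        findings.push({
          rule: 'recovery-then-new-device-enrollment',
          user: e.user,
          device: e.device,
          minutesAfterRecovery: (t - t0) / 60000,
        });
      }
    }
    if (e.device) {
      seen.add(e.device);
      knownDevices.set(e.user, seen);
    }
  }
  return findings;
}

module.exports = { EVENTS, PASSKEY_USERS, detectFallbackAbuse, detectRecoveryThenNewDevice };
```

Against the sample, the first rule flags alice (three SMS sign-ins despite an enrolled passkey) and the second flags bob (a passkey enrolled from dev-x9 twenty minutes after a help-desk recovery). Both findings are review prompts for the identity team rather than automatic blocks; the point is that the recovery and fallback paths get the same scrutiny as the primary sign-in.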

Common Variations and Edge Cases

Tighter authentication often increases rollout friction, requiring organisations to balance phishing resistance against user support burden and legacy compatibility. That tradeoff is real, especially in environments with regulated access, high turnover, or mixed-device populations. Best practice is evolving, but current guidance suggests SMS should be treated as transitional rather than equal to passkeys for assurance.

There are also important edge cases. Some systems cannot support passkeys yet, some workforce groups may share kiosks or constrained devices, and some recovery scenarios still need alternate factors. In those cases, the safer pattern is layered control: strong verification for enrollment, step-up checks for risky actions, and time-bounded exception handling. The key is to avoid turning the fallback into the default.

For mature identity programs, this aligns with the broader lesson from the Microsoft Midnight Blizzard breach: attackers look for whichever identity path is weakest, not the one the policy team intended. That is why passkeys are more than a convenience feature. They reduce the chance that a single intercepted code becomes the start of a larger compromise, and they support the shift toward risk-based identity assurance recommended by NIST Cybersecurity Framework 2.0.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
NIST CSF 2.0                     PR.AA-1               Identity proofing and authentication are central to phishing-resistant MFA.
NIST SP 800-63                   AAL2                  Passkeys support higher assurance than SMS-based second factors.
OWASP Non-Human Identity Top 10  NHI-01                Weak authentication can expose privileged identities and secrets.

Use phishing-resistant MFA for sensitive access and align recovery with stronger identity proofing.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 6, 2026.