Passkeys: The Phishing-Resistant MFA Worth Adopting

Natalie Hoffmann··7 min read
Person signing in to a laptop with a fingerprint instead of a password

Why Passwords Keep Losing to Phishing

Most authentication advice for the last decade has been a patch on a broken foundation. Use longer passwords. Add a second factor. Match the number on the screen. Each layer helps, but they share one fatal property: a secret travels between the user and the service, and anything that travels can be intercepted, replayed, or tricked out of a person.

That is exactly what modern phishing exploits. Adversary-in-the-middle (AiTM) kits proxy the real login page in real time and steal the authenticated session cookie, sailing straight past one-time codes. Push-bombing fatigues a user into tapping approve just to make the prompts stop. SIM-swap attacks hijack the phone number that SMS codes depend on. The common thread is that a human and a shared secret stand between the attacker and the account.

If there is no secret to steal and the credential refuses to work anywhere except the legitimate site, the entire phishing playbook collapses. That is the promise of passkeys.

What Makes Passkeys Phishing-Resistant by Design

A passkey is built on the FIDO2 standards, which combine WebAuthn (in the browser) and CTAP (between the browser and your device). Instead of a shared password, the service stores a public key and your device keeps the matching private key. The private key never leaves the device. Sign-in works by the device proving it holds the key, unlocked locally with a biometric or PIN.

Two structural properties do the heavy lifting:

  • No shared secret in transit. There is nothing for an AiTM proxy or a fake page to capture and replay. The private key is never transmitted, and the cryptographic challenge it answers is single-use.
  • Origin binding. The credential is cryptographically tied to the real site's domain. If a user lands on a lookalike domain, the browser simply will not produce a valid response. The mismatch breaks the exchange automatically, with no judgment call required from the person.

This is why the FIDO Alliance describes passkeys as phishing-resistant by design: the protocol removes the decision that attackers rely on. The user does not have to spot a subtly misspelled URL under pressure, because the credential will not fire on the wrong origin in the first place.

The result is that the three attacks that defeat conventional MFA all fail. AiTM has no token to relay. Push-bombing has no prompt to spam, because approval is local and tied to the right site. SIM-swap is irrelevant, because no code is sent to a phone number.

The Platforms Are Already Moving

Passkeys are no longer experimental. Apple, Google, and Microsoft all ship them across consumer and enterprise products, and major SaaS platforms including GitHub, Okta, and Salesforce support them. In May 2025, Microsoft announced that all new Microsoft accounts are passwordless by default, steering users toward passkeys to blunt phishing, brute-force, and credential-stuffing attacks. Microsoft Entra has extended passkey sign-in to Windows so workforce accounts can authenticate without a password at all.

For security and IT leaders, the signal is clear: passwordless is becoming the default posture, and the question is shifting from whether to adopt passkeys to how quickly you can roll them out without breaking your users' day. Regulators and insurers are moving in the same direction, increasingly treating phishing-resistant authentication as the expected standard for privileged and high-value accounts rather than a nice-to-have. Waiting now means catching up later under more pressure.

How to Roll Out Passkeys Without Friction

Passkeys succeed or fail on the rollout, not the technology. A phased approach keeps support tickets low and adoption high.

  1. Start where the blast radius is largest. Enable passkeys first for administrators, finance, and anyone with privileged access. These are the accounts AiTM kits hunt for, and the smaller population makes early support manageable.
  2. Make enrollment the easy path. Prompt users to create a passkey during a routine sign-in rather than as a separate chore. Synced passkeys (backed up to a platform account) lower the lost-device anxiety that stalls hardware-only programs.
  3. Plan recovery before you start. Decide in advance how a user re-enrolls after losing a device. A weak fallback to SMS or security questions quietly reopens the phishing door you just closed, so route recovery through a verified, attended process.
  4. Retire weak factors deliberately. As passkey coverage grows, phase out SMS and basic push for high-value accounts. Leaving an unprotected backup method in place lets attackers simply downgrade to it.
  5. Measure coverage, not just enrollment. Track the share of sign-ins using passkeys, not just the count of registered credentials. A registered passkey that nobody uses protects no one.

Bringing Users Along: The Awareness Message

Technology rollouts stall when people do not understand the why. The awareness message for passkeys is refreshingly positive, and it is a natural fit for security awareness training: this change makes signing in faster and easier, not harder. There is nothing to remember, nothing to type, and nothing a scammer can phish out of you.

Frame it in plain terms for staff:

  • A passkey is like a key that only fits one lock. It will not turn on a fake site, so a convincing phishing page cannot use it.
  • You unlock it with your face, fingerprint, or device PIN. That unlock stays on your device.
  • No code arrives by text, so nobody can trick you into reading one out or tapping the wrong prompt.

Address the Common Objections Head-On

A few questions come up in nearly every rollout, and answering them up front prevents resistance:

  • "What if I lose my phone?" Synced passkeys are backed up to your platform account and restored to a new device, and most people register more than one. Losing a device is an inconvenience, not a lockout.
  • "Is my fingerprint sent to the website?" No. The biometric only unlocks the key locally on your device and never leaves it. The site only ever sees a cryptographic proof.
  • "Is this less secure than my long password?" It is dramatically more secure, because there is no password for anyone to phish, guess, reuse, or leak in a breach.

Passkeys do not replace good security habits everywhere, and most organizations will run them alongside other controls during transition. That makes it worth reinforcing the human layer in parallel. empowsec phishing simulations let you confirm that credential-harvesting and AiTM-style lures land far less often once passkeys are in place, and a teachable-moment debrief turns any remaining slip into a short, specific lesson. Behavior-based reporting then shows leadership the before-and-after on susceptibility, tying the rollout to a measurable drop in risk.

Key Takeaways

  • Passkeys remove the secret. With no password or code in transit, AiTM, push-bombing, and SIM-swap attacks lose their target.
  • Origin binding does the hard part for users. The credential refuses to work on lookalike domains, so people no longer have to catch a fake URL under pressure.
  • The major platforms are defaulting to passwordless. Microsoft, Google, Apple, and the FIDO Alliance have made passkeys the mainstream direction for 2025-2026.
  • Roll out in phases. Begin with privileged accounts, plan secure recovery, and retire weak fallback factors so attackers cannot downgrade around you.
  • Sell the upside. Passkeys are faster and unphishable. Pair the rollout with security awareness training and phishing simulation to prove the risk reduction to your board.
Share: