Drudge Retort: The Other Side of the News
Saturday, December 06, 2025

Whether you're logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.


Comments


More from the article ...

... The rise of passkeys

MFA methods typically fall into three categories: Something you know (a password, code, or security question), something you have (like a token or a smartphone), or something you are (like fingerprints or facial scans). They include hardware tokens, authenticator apps, passcodes sent via SMS or email, push notifications to approve a login on a connected device, and biometrics using physical traits to verify a person's identity.

Historically, authentication used the "something you know" model, where two parties -- a user and a server, or two devices -- prove their identity by both knowing a secret like a password or code. The problem here is that someone can guess your secrets, or maybe you put it on a sticky note or in a plaintext file on your desktop.

Criminals can also phish these secrets via phony websites that prompt users to enter their username and password, and intercept one-time passwords (OTP) sent via SMS or email by redirecting the messages before they reach the intended recipient.

"So one of the things that we're seeing is the whole movement away from passwords to passkeys -- a certificate-based authentication wrapped in a usability shrink wrap," Forrester VP and analyst Andras Cser told The Register. ...



#1 | Posted by LampLighter at 2025-12-06 09:42 PM | Reply
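The excerpt above contrasts shared-secret factors such as SMS or app one-time passwords, which can be phished or relayed, with passkeys, which are bound to the site they were registered on. The following added example (not code from the article or from anyone in this thread) shows the two server-side checks side by side: an RFC 6238 TOTP verifier, which has no way of knowing where the code was typed, and an origin-bound challenge-response verifier in the style of a passkey, which rejects an assertion made for any origin but its own. Assumptions: the TOTP seed is the RFC 6238 test seed, the device key and origins are constructed, and an HMAC stands in for the asymmetric signature a real passkey would produce so the block runs on the standard library.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890") for the TOTP
# half; a constructed per-site device key stands in for a passkey's private
# key in the origin-bound half (see lead-in).
TOTP_SEED = b"12345678901234567890"
DEVICE_KEY = b"constructed-demo-device-key"
REAL_ORIGIN = "https://example.test"
STEP = 30


def totp(seed: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: counter = floor(unix_time / STEP)."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(seed: bytes, submitted: str, now: int, skew: int = 1) -> bool:
    """Server-side check with a +/- skew-step window. Note what is absent:
    nothing ties the code to the site it was typed into, so a code relayed
    through a look-alike page verifies exactly like one typed at the real one."""
    return any(hmac.compare_digest(totp(seed, now + s * STEP), submitted)
               for s in range(-skew, skew + 1))


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Client side: the authenticator signs the server's challenge together
    with the origin the browser is actually connected to. The browser, not the
    page, supplies that origin. HMAC stands in for an asymmetric signature."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes, origin: str,
                     sig: bytes) -> bool:
    """Server side: reject any origin but its own, then check the signature
    over challenge + origin. An assertion produced on a look-alike origin
    fails the first check even though it is freshly and validly signed."""
    if origin != REAL_ORIGIN:
        return False
    expected = sign_assertion(device_key, challenge, origin)
    return hmac.compare_digest(expected, sig)
```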

@#1

A bit of a deep dive (understatement).

I have noticed that it is now more difficult to log into some of my finance-oriented websites of late.

For example, ssa.gov now requires me to provide a one-time password, given to me via a program that I can run on my smartphone. I chose not to run that app on my smartphone, due to the inherent insecurity I see in smartphones.

Instead, I installed the one time password program on a FreeBSD client here.

And it works smoothly. But it is also another step when I try to view my ssa.gov account.

And that is the trade-off with added security. In order to make it more difficult for bad actors, it has to also be more difficult for me.

imo, that is the issue that needs to be solved without someone like google tracking all my moves.



#2 | Posted by LampLighter at 2025-12-06 09:48 PM | Reply
