Passkeys and MFA

Multi-factor authentication, sometimes referred to as two-factor authentication (MFA and 2FA, respectively), has for years been a way to enhance security online.

MFA can protect your site's users from the impact of other websites' data breaches.

What is MFA?

MFA is a way to combine different types of authentication information to increase confidence that someone is who they claim to be. For example, if someone else knows your password, an MFA requirement might mean they still need access to your mobile phone to sign in to your account.

There are three common factors:

🧠 Knowledge

Something you know

Typically, this is a password or passphrase. Maybe it's the middle name of your third-grade teacher, or something else you can probably dig up on Facebook.

Please don't use or support "security questions". They are grossly insecure, despite the name.

🗝️ Possession

Something you have

Often a device, such as your mobile phone or external security key. If you've been prompted to set up Google Authenticator or a similar tool, it's this.

Unlike the keys to the lock on your front door, possession factors are designed to be copy-proof.

👁️ Inherence

Something you are

Biometric information, such as a fingerprint, faceprint, or eye scan. If you've heard of Face ID or Touch ID from Apple, they are biometrics (many other vendors offer similar functionality).

MFA vs 2FA

Multi-factor authentication is auth using more than one factor, while (surprise!) two-factor auth is always two factors. For the most part, the two terms are used interchangeably.

Note that in both cases, it's necessary to have different factors. For example, a setup that uses a password and PIN is still one-factor (but two-step) auth; functionally this is the same as having a longer password.

Common MFA approaches

The most widely used forms of MFA are SMS codes and TOTP¹, a.k.a. "Google Authenticator".

Sometimes you'll get a one-time code by email, or have to approve a new session from an app on your phone. Several years ago, support for hardware security keys started to roll out, though with relatively low adoption outside of security-critical applications.

Our article on going passwordless explains these in more detail - the premise is the same whether they're used as a first or second factor.

How do passkeys fit into MFA?

Passkeys, which are based on cryptographic key pairs, always function as a possession factor. That means passkeys can be used for a low-friction MFA experience.

If you want to add MFA support to your password-based site, passkeys are a great way to do so. They're more secure than SMS, and easier to set up and use than external apps.

But wait, there's more!

Most devices and operating systems offer biometric protection for passkeys. That means that in addition to being a strong possession factor, they can also offer two factors at the same time².

Passkeys allow you to offer passwordless, two-factor authentication in a single button click.

This means fewer account lock-outs and customer support requests, and significantly higher sign-in success rates for returning users.
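As an added example (not code from the original post or from SnapAuth), here is how a relying party would read the user verified bit mentioned in footnote 2 out of the authenticatorData in a WebAuthn response, and decide whether the assertion counts as one factor (possession only) or two. The flag positions and the 37-byte layout are from the WebAuthn specification; the sample authenticator data is constructed here for the demo, and the RP ID `example.com` is an assumption.

```python
import hashlib

# Bits of the flags byte at offset 32 of authenticatorData (WebAuthn spec, "Authenticator Data").
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: biometric or device PIN; the bit does not say which
FLAG_BE = 0x08  # backup eligible
FLAG_BS = 0x10  # backup state
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }


def factors_satisfied(auth_data: bytes, expected_rp_id: str, require_uv: bool) -> int:
    """Return the number of distinct factors this assertion demonstrates (1 or 2).

    Assumes the assertion signature has already been verified against the stored
    public key; that signature is what proves possession of the passkey.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not parsed["user_present"]:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not parsed["user_verified"]:
        raise ValueError("user verification required but UV flag not set")
    # Possession is always one factor; UV adds a second one checked locally on the device.
    return 2 if parsed["user_verified"] else 1


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData for the demo, not a real authenticator response."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
```

Pass `require_uv=True` only when your ceremony requested `userVerification: "required"`; otherwise a passkey on a device without biometrics or a PIN would be rejected outright rather than counted as a single factor.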

Try passkeys today

Want to benefit from all of this without all the complexity? SnapAuth is here to help! Seamlessly improve your sign-in experience today.

Get started for free

1. Time-based One-Time Passwords (RFC 6238)

2. The cryptographic data in a WebAuthn response indicates if this was the case with a user verified bit. Sadly, at this time it doesn't indicate how the user was verified, but the WebAuthn working group is exploring this as an additional feature, and SnapAuth is ready to add support when that happens.