Bottom line: Passwordless authentication methods such as FIDO2 and Passkeys replace vulnerable password-based MFA and reduce the risk of phishing, SIM-swaps, and credential stuffing.
Multi-factor authentication (MFA) is established, but password-based implementations remain vulnerable. FIDO2 security keys, Passkeys and biometrics address structural weaknesses that are systematically exploited by modern attack patterns.
Multi-factor authentication (MFA) has become the standard procedure for identity verification at login. However, many implementations use a password as the first factor and supplement this with authenticator apps, email, SMS or similar methods. This architecture has structural weaknesses: the persistent password remains the central attack vector, even when a second factor is added.
The US security agency NIST states in the current revision of its Digital Identity Guidelines (SP 800-63-4) that password-based MFA is susceptible to phishing. The Swiss Federal Office of Cybersecurity documented a case from 2024 in which attackers first intercepted the password of a mobile phone account through phishing, then obtained the one-time password from a fake competition website and finally accessed SMS-based authentication via SIM-swap – resulting in five-figure franc damages to bank accounts and cloud storage. Further weaknesses arise from prompt bombing (unintentional confirmation of push notifications), credential stuffing with reused passwords from the dark web, and compromised recovery processes.
Passwordless methods represent an architectural principle that current security regulations explicitly recommend. FIDO2 security keys (USB stick, badge) generate asymmetric key pairs, with the private key remaining on the device and the public key stored in the authentication system. Passkeys can be stored in system keychains (iOS, Android, ChromeOS) or on hardware tokens. Biometric authentication (fingerprint, facial recognition) requires that biometric templates do not leave the device. For critical infrastructures (healthcare, government agencies), device-bound smart cards and badges with tap-and-go functionality are established.
The Federal Office for Information Security (BSI) recommends implementing passwordless methods wherever services technically permit. They offer phishing resistance because the authentication mechanism is cryptographically bound to the legitimate website or application and cannot be compromised through phishing messages.
Source: www.it-daily.net · Published 9 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.