INSIGHTS · IDENTITY · 2026
Not All MFA Is Equal: Passkeys, Security Keys, and the Death of the Six-Digit Code
"We have MFA" now means five different things, and attackers have solved the weakest three. If your second factor is a code someone can be talked out of, you have a speed bump, not a lock.
The MFA ladder, weakest to strongest
SMS codes — better than nothing, defeated by SIM swaps and simple "read me the code" phone calls. App codes (TOTP) — kills SIM swapping, still phishable: a fake login page relays your code in real time. Push approvals — convenient, and the source of "MFA fatigue" attacks: spam someone at 1 AM until they tap approve. Passkeys and hardware keys (FIDO2) — the answer. The credential is cryptographically bound to the real site, so a convincing fake page gets nothing. There is no code to read, relay, or approve. Phishing-resistant isn't marketing language; it's a different mechanism.
What a business rollout actually looks like
Passkeys are built into the phones and laptops your team already carries — most companies need to buy exactly two hardware keys per privileged admin (one to use, one in the safe) and zero for everyone else. The work is sequencing, not shopping: admins and finance first (the accounts attackers actually want), then everyone at the identity layer — Entra ID or Google Workspace — with conditional access enforcing it, legacy protocols that bypass MFA turned off, and the recovery path hardened so the help desk doesn't become the new weakest link. That last item is the one everyone forgets: attackers who can't beat your passkey will simply call and ask for a reset.
Why this is the highest-ROI security money you'll spend
Stolen credentials open more doors than any malware. Moving your privileged accounts to phishing-resistant factors closes the single most-used entry point in modern breaches — for roughly the cost of one nice office chair. It's the first change we make in every security engagement and part of week one of managed IT onboarding: identity is the perimeter now, so that's where the reinforcement goes first.
Not sure what flavor of MFA your business is actually running — or whether legacy protocols are quietly bypassing it? That's a ten-minute check inside the free IT risk assessment.
Richard on MFA, from our YouTube channel — 10,000+ subscribers.