The core idea behind passkeys and 2FA

For years, passwords have been the default data protection method. They were the most reliable available option — a combination of characters bound to a specific username that lets us access our accounts is simple enough for users to understand and for websites or apps to implement.

However, convenience could only go so far. Over time, users started accumulating more accounts and reusing the same passwords for all of them. Even when platforms required mandatory symbols, users would create a variation of the same password with an extra capital letter or a comma. This has turned passwords from a reliable security measure to an easy target for cybercriminals.

Using brute-force and dictionary attacks to guess the most likely password combinations, criminals can gain access to thousands of accounts at once. The problem of weak password usage is global. The NordPass Top 200 Most Common Passwords report has shown that simple combinations like “123456,” “admin,” and “password” are popular in different countries.

To combat the security concerns of password logins, some platforms have started requiring extra verification steps to complete the login process. Some, like two-factor authentication, supplement the password. Others, like passkeys, replace the password step altogether. The goal is to lower the potential risk of data breaches and compromised user accounts.

What are passkeys, and how do they work?

Passkeys are a passwordless authentication method that uses cryptographic key exchange to authenticate a user's login attempts. It’s a project spearheaded by the FIDO Alliance and is built on the public-key infrastructure (PKI) concept.

A passkey replaces the password in the login process. During passkey setup, two keys are generated — a public key stored in the website’s server and a private key stored on the user’s device (usually a phone or a computer). Passkeys run on WebAuthn APIs and protocols to handle the cryptographic key exchange.

Whenever the user tries to log in with a passkey, they receive a prompt on their verification device to perform the authentication action, like entering a specific code or using biometrics. The device then uses its private key to prove to the website the login attempt is legitimate. The website checks the device’s cryptographic key against the public key stored in its server and, if it confirms a match, the login is finalized.

Passkey authentication is considered significantly safer than passwords. The private key necessary for user authentication always remains on the device and doesn’t enter the internet, making it highly improbable for cybercriminals to acquire. If someone wanted to crack a passkey-protected account, they’d need to have the precise device used for authentication on hand. However, this also means that if a user loses or changes their device, they might have a harder time recovering their account and gaining access. To prevent complete loss of access, some platforms allow users to set up a password as an alternative recovery method.

What is two-factor authentication, and what is TOTP?

Two-factor authentication is a type of multi-factor authentication and a supplementary login verification step. Although some platforms make it mandatory for login access, it’s still largely an optional security measure. Once a user enters the correct username and password combination, it triggers the 2FA flow. They then need to use their chosen authentication method to verify the login attempt. If the authentication matches, access is granted, and users can access their account.

Users can choose from different 2FA methods, which may vary depending on the platform:

  • Email authentication. The user receives an email with a limited-time code they need to paste into the login website.

  • Authenticator app. A dedicated authentication app generates one-time codes for multiple accounts at once.

  • Authentication key. The user plugs a hardware key into their device to authorize the login attempt.

  • SMS and voice message. The user receives a text message showing an authentication number or gets a call with a pre-recorded voice reading out the characters.

  • Biometric authentication. The user needs their face or fingerprint ID to complete the authentication.

SMS and voice message authentication are generally considered less secure because criminals can spoof phone numbers and redirect the verification codes to their own devices. However, methods like authentication apps and keys are considered stronger and more reliable. If the user authenticates with a hardware token, they need to do a specific action, like click a button on their computer or enter a specific PIN code. However, some hardware tokens might be incompatible with smartphones, limiting them to computer use only.

Authenticator apps are more flexible and can be used to log in to both mobile and desktop devices. They generate time-based one-time passwords (TOTPs) at intervals, usually every 30 seconds, to make the combination harder to brute force. Typically, users scan a QR code to add a new website to their authentication app. NordPass has its own Authenticator, which lets users generate one-time codes and autofill them alongside their password using the browser extension or mobile app.

Key differences between passkeys and traditional 2FA

Passkeys and 2FA are completely different authentication steps with distinct use cases. Passkeys, like passwords, are considered single-factor authentication. The user can access their accounts after completing a single action — either authenticating their passkey or entering their password. 2FA acts as supplementary support after this first step. Although passkey authentication is considered a strong security measure, users can still add two-factor authentication protection.

Some specific methods of passkey and two-factor authentication can overlap, like using a secure code or a fingerprint to verify the login attempt. In general, passkey authentication methods are safer than some of the ways to verify 2FA-protected accounts. The private and public keys used by passkeys must always match, and each key combination is unique. If the user can’t access the private key, the website’s public key is useless. Some 2FA codes, like the ones sent by email or SMS, can be spoofed or compromised, so if the criminal has both the password and the 2FA code, they can steal the account.

Passkeys offer more convenience with a single-click login. Instead of inputting a username and a password, the user can usually tap a button or enter a quick code. 2FA prolongs the login process by adding an extra requirement, but it ensures the account is safer than if it were protected solely by a password. However, 2FA accounts are usually easier to recover. Users can enter backup codes or use additional contact details — like an email address or a phone number — to prove their identity and regain access. It can be harder to prove the ownership of a passkey-protected account and recover it.

Two-factor authentication is widespread and generally available on most major websites and apps. Some platforms require users to set up 2FA by default to ensure better protection — considering that many websites use lax password requirements, having 2FA as a mandatory step can help protect user data better. Passkey adoption is still growing and not all websites have them available as the primary login method. 2FA is also easier to manage on older devices — not all phone models and operating systems can support passkey logins, so users might be locked out of passwordless authentication by default.

Passkeys vs. 2FA: key differences
Passkeys2FA
Alternative to passwordsSecondary login step
Single factor by defaultA type of multi-factor authentication
FIDO2/WebAuthn standard with public-private key pairsDepends on chosen authentication method (TOTP, email code, voice call, physical key)
More phishing-resistant by designSome types are more vulnerable to phishing and SMS spoofing
Faster login processLonger login process
Harder to recover accountsEasier to use alternative account recovery methods
Limited access but growing adoptionWidespread access

The future of the login process: Moving past passwords

Although passwords remain the dominant primary authentication method, experts can already see a shift toward password reduction. NordPass research into the average number of passwords showed that between 2024 and 2026, this number dropped from 168 to 120. This decrease was likely largely driven by increased use of single sign-on and passwordless authentication.

Passkey adoption depends on user awareness and technical accessibility. The downsides of relying solely on passwords and the risk of data breaches might push more companies to consider adding passkeys to their login roster, making single-factor passwordless authentication more mainstream. However, passwords won’t be disappearing any time soon, and 2FA will remain a reliable fallback for many systems.

Manage both passkeys and 2FA with NordPass

Although you might know NordPass best as a password manager, we’re proud to be part of the FIDO Alliance and bring easy passkey adoption to our users. Your NordPass vault can accommodate all your authentication needs — passwords, passkeys, and 2FA authentication codes. With the cross-platform passkey manager, you can store and manage passkeys when you’re browsing on your computer and phone, so you don’t have to worry about being tied to a single device. NordPass Authenticator also lets you generate and autofill one-time codes for 2FA-protected accounts. You can make your switch to passwordless authentication simpler without needing to give up on your passwords all at once.