Passkeys and MFA

Multi-factor authentication, sometimes referred to as two-factor authentication (MFA and 2FA, respectively), has for years been a way to enhance security online.

What is MFA?

MFA is a way to combine different types of authentication information to increase confidence that someone is who they claim to be. For example, if someone else knows your password, an MFA requirement might mean they still need access to your mobile phone to sign in to your account.

There are three common factors:

🧠 Knowledge

Something you know

Typically, this is a password or passphrase. Maybe it's the middle name of your third grade teacher, or something else you can probably dig up on Facebook.

Please don't use or support "security questions". They are grossly insecure, despite the name.

🗝️ Possession

Something you have

Often a device, such as your mobile phone or external security key. If you've been prompted to set up Google Authenticator or a similar tool, it's this.

Unlike the keys to the lock on your front door, possession factors are designed to be copy-proof.

👁️ Inherence

Something you are

Biometric information, such as a fingerprint, faceprint, or eye scan. If you've heard of Face ID or Touch ID from Apple, they are biometrics (many other vendors offer similar functionality).

MFA vs 2FA

Multi-factor authentication is auth using more than one factor, while (surprise!) two-factor auth is always two factors. For the most part, the two terms are used interchangeably.

Note that in both cases, it's necessary to have different factors. For example, a setup that uses a password and PIN is still one-factor (but two-step) auth; functionally this is the same as having a longer password.

How do passkeys compare to MFA?

Passkeys, which are based on cryptographic key pairs, always function as a possession factor. That means passkeys can be used for a low-friction MFA experience.

If you want to add MFA support to your password-based site, passkeys are a great way to do so. They're more secure than SMS, and easier to set up and use than external apps.

But wait, there's more!

Most operating systems offer biometric protection for passkeys. When that's not available, the system will instead prompt for a system password or PIN, if one is configured. That means that in addition to being a strong possession factor, passkeys can also offer two factors at the same time [1].

This allows you to offer a passwordless experience without compromising security.

Best of all, this is all done inline, invisible to the user, with no added friction. They never have to switch apps, check their SMS, or remember where they left their USB key fob. This can reduce website friction by removing steps from registering and signing in.

Try passkeys today

Want to benefit from all of this without digging through binary? SnapAuth is here to help! Seamlessly improve your sign-in experience today.


1: The cryptographic data in a WebAuthn response indicates if this was the case with a User Verified bit. Sadly at this time, it doesn't indicate how the user was verified, but the WebAuthn working group is exploring this as an additional feature, and SnapAuth is ready to add support when that happens.
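
The User Verified bit from the footnote above can drive a server-side factor policy. The following is an added example, not SnapAuth's code: `evaluateFactors` and `sampleAuthData` are hypothetical names, the sample bytes are constructed, and it assumes the assertion signature and RP ID hash have already been verified.

```javascript
// Added example: decide how many factors a passkey sign-in proved, from the
// flags byte of WebAuthn authenticator data (rpIdHash[32] | flags[1] | signCount[4]).
const FLAG_UP = 0x01; // User Present: someone interacted with the authenticator
const FLAG_UV = 0x04; // User Verified: biometric, PIN or device password passed

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Hypothetical policy helper: passwordless sign-in needs UV; when a password
// was already checked, possession (UP) alone completes the second factor.
function evaluateFactors(bytes, { passwordAlreadyVerified }) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) return { accept: false, factors: [], reason: "user not present" };
  const factors = ["possession"];
  // The UV bit does not say which method was used, only that one succeeded.
  if (data.userVerified) factors.push("user-verification");
  if (passwordAlreadyVerified) factors.push("knowledge");
  const accept = factors.length >= 2;
  return { accept, factors, reason: accept ? "ok" : "second factor required" };
}

// Constructed sample input: placeholder rpIdHash, chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37).fill(0xaa, 0, 32);
  bytes[32] = flags;
  bytes[36] = 7;
  return bytes;
}

console.log(evaluateFactors(sampleAuthData(FLAG_UP | FLAG_UV), { passwordAlreadyVerified: false }));
console.log(evaluateFactors(sampleAuthData(FLAG_UP), { passwordAlreadyVerified: false }));
console.log(evaluateFactors(sampleAuthData(FLAG_UP), { passwordAlreadyVerified: true }));
```

A passwordless flow should also request `userVerification: "required"` on the client, but the server-side flag check is what enforces it.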