Why Relying Solely on MFA Is No Longer Safe, and Why Passkeys are the Secure Future

By Craig King, Head of Technology, T-Tech.

“Multi Factor Authentication (MFA) enabled” is not the security standard anymore. We need to aim for phishing resistant authentication and wrap it with strong session security, device trust, and solid recovery processes, to truly protect you and your data.

Passkeys cut phishing risk and reduce friction however, you still need to protect what happens after sign-in and close the gaps in registration, recovery, and helpdesk.

What are Passkeys?

Passkeys are a more secure way to sign in to apps and websites without relying solely on passwords. They’re built on public-key cryptography, meaning your private key stays safely on your device, creating a secure “challenge” that is shared with the service you’re logging into. Because of this, there’s nothing for attackers to steal.

For individuals and organisations, passkeys offer two major benefits:

• Phishing resistance - attackers can’t capture a passkey and replay it on a fake site.
• Stronger protection against account takeover - no weak, reused or stolen passwords to exploit.

They normally consist of biometrics (fingerprint/face ID) or a device PIN.

Safety requirements have shifted…

For years the advice was simple, "turn on MFA!". This still remains good advice however, attackers now go after the whole journey, which is the sign-in page, the MFA challenge, and the session token that lives afterwards.

So, the question changes from “Do we have MFA?” to “Is our MFA phishing resistant, and are we protecting the session after sign-in?”

That’s why many organisations are moving towards Windows Hello for Business , passkeys (FIDO2/WebAuthn), FIDO2 security keys, and certificate-based authentication where it fits.

Not all MFA is equal

MFA beats having passwords alone, but plenty of common factors are still phishable.

What we are seeing is:

• Adversary in The middle (AiTM) proxies that relay the login and steal the session
• Prompt bombing and MFA fatigue
• Helpdesk social engineering for resets and method changes
• Infostealer malware grabbing browser cookies and tokens
• Compromised endpoints that give access after a legitimate sign-in

So yes, having MFA is good but, do not assume it is 100% safe.

Why passkeys change the game

Passkeys (FIDO2/WebAuthn) use public-key cryptography tied to the real website you’re logging into. The private key stays securely on your device, meaning there’s nothing for attackers to steal or replay on a fake site. That’s why passkeys are phishing resistant and block entire categories of MFA bypass attacks.

But they’re not a silver bullet. If an attacker steals an active session, compromises the device itself, or exploits a weak recovery process, a breach can still happen.

This is why the work doesn’t stop at the login phase, strong authentication must be backed by solid device security, along with session protection and secure recovery processes.

What good protection looks like…

Use stronger authentication, specifically phishing resistant methods:

• Passkeys (FIDO2/WebAuthn)
• FIDO2 security keys
• Windows Hello for Business
• Certificate based authentication for the right scenarios

Protection after sign-in

• Enforce device trust & compliance (Entra/AAD join, Intune)
• Use Conditional Access by user/app/risk/location/device state
• Block legacy authentication
• Tune session controls and limit token persistence where appropriate
• Monitor risky sign ins and anomalies that hint at token theft
• Govern app consent and review enterprise apps regularly

Tighten the operational controls

• Teach users what trusted sign-in looks like
• Harden registration & recovery (no easy backdoors)
• Strengthen helpdesk verification for password/MFA/device requests
• Keep the number of break glass accounts limited, controlled, and monitored
• Avoid weak phone-only proofing when higher assurance is needed

We have relied on “more prompts” for too long. Passkeys point to a better end state with lower friction, stronger cryptography, less phishing exposure, and a cleaner fit for Zero Trust.

The future of MFA isn’t “another code.” It’s phishing resistant authentication with serious session, device, and recovery controls around it.

If you’re interested in learning more about passkeys, and how they can protect you and your organisation, get in contact with us today.