You have heard it said that passkeys are transforming the user authentication process by eliminating passwords and streamlining the user experience with resistance against phishing attacks. But can they stand alone as the only form of user authentication? Can passkeys fully replace passwords & MFA/2FA?
While passkeys are designed to reduce user friction and increase security, proper fallback methods are essential for maintaining user access, high assurance, and security. This article examines these challenges and offers best practices for passkey implementation, illustrating why passkeys really are the best method of user authentication.
Can Passkeys Fully Replace Passwords?
Yes, passkeys aim to replace passwords by offering a more secure and user-friendly experience. However, legacy systems, cross-platform access, or enterprise requirements may still require passwords in some scenarios for some users.
Scenarios Where Passwords May Still Be Required
- Transitioning to Passwordless: In most cases, organizations cannot simultaneously transition their entire user base to passwordless. It may be necessary to uplift users to passwordless in cohorts to minimize disruptions, manage risks, and ensure a smooth user experience through gradual adoption and targeted support.
Can Passkeys Be the Only Form of Authentication, and Can They Replace MFA/2FA?
Fallback methods are crucial for passkeys since not all users or devices support them. Additionally, in rare cases, passkeys can be lost or deleted by the user. Without secure recovery options, users risk permanent lockouts, making fallback methods vital for maintaining access and security.
Why Do You Need Fallback Methods for Passkeys?
It is unlikely that all users will have support for passkeys, even though 99% of users now have access to passkeys via their device or a password manager. Some devices, especially older ones, may not have device-bound support, and not all users have access to password managers for synced passkeys.
Losing access to a passkey is much less likely than losing a password, especially when passkeys are synced across devices. However, in the rare case that a user loses access to their passkey, recovering their account would be very challenging without fallback methods.
Synced passkeys reduce the risk of losing access to a passkey. Tools like iCloud Keychain and Google Password Manager sync passkeys across devices, lowering the chance of losing access to a passkey. However, users could still lose access to these managers or accidentally delete a passkey. Learn more about syncable vs device-bound passkeys here.
Just like passwords or any other single form of multi-factor authentication (MFA), if there isn't an alternative method to verify a user's identity, they may find themselves locked out of their account without the help of customer support. Passkeys are no different; robust fallback methods are necessary to ensure a secure and user-friendly account recovery process.
What fallback methods should I pair with passkeys?
It is important to note that your user's account is only as secure as their weakest form of authentication; for example, an account might have passkeys enabled, but if your fallback method is Email OTP, then the account is only as secure as Email OTP. The account will have the added convenience of a passkey but not the full benefit of its security, which may be sufficient for some use cases.
Relying solely on email or mobile OTPs for account recovery may not be practical or secure enough in environments that handle sensitive personal data, operate within regulated sectors, or provide government services. To address these challenges, advanced multi-factor authentication (MFA) recovery solutions offer a higher level of security without compromising user convenience.
A standout solution is selfie-based identity verification combined with liveness detection. This approach involves users capturing images of their government-issued ID and taking a live selfie. Liveness detection ensures the person is physically present by verifying that the selfie is taken in real-time, preventing misuse through photos or stolen credentials. Depending on the technology employed, users may be asked to perform specific actions, like changing their distance from the camera or rotating their head (similar to Apple’s Face ID), to confirm they are legitimate account holders.
Here is a table that outlines various authentication types and their effectiveness against common account takeover methods employed by hackers. You'll also see a "User Convenience" column, which helps you select the strongest and most convenient authentication method as the default (passkeys). Paired with passkeys, strong fallback methods ensure that attackers cannot gain access via account recovery.
Adaptive Rules and Policies: Strengthening Your Recovery Process
Additionally, adaptive rules and policies can add an extra layer of security by dynamically adjusting authentication and recovery flows based on user behavior, context, or risk signals. This intelligent approach ensures that even if a fallback method is triggered, only legitimate users can regain access to their accounts, minimizing the risk of fraud and unauthorized access.
This can bolster security for weaker forms of MFA like SMS OTP, Email OTP, and app-based OTPs, allowing for a more user-friendly experience and reducing the cost of implementing and maintaining selfie-based identity verification combined with liveness detection.
With adaptive recovery flows, organizations can define specific rules that respond to suspicious activities or risky recovery attempts. By evaluating conditions such as IP address changes, unusual device usage, or access from restricted geolocations, the system can enforce stricter authentication steps as needed.
Example of Adaptive Rules in Action
Imagine a financial service platform that uses passkeys as the primary authentication method. A user initiates an account recovery request, claiming they lost their device. Here’s how adaptive rules and policies can prevent unauthorized access:
- Rule 1: Device Recognition Check
  - If the recovery attempt is from a recognized device (previously used by the user), a magic link or app-based OTP may be sufficient for account recovery.
- Rule 2: Unrecognized Device + IP Change
  - If the recovery attempt originates from an unrecognized device and an unusual IP address, the system triggers an additional MFA step, such as a biometric check or selfie-based identity verification.
- Rule 3: High-Risk Country or Multiple Failed Attempts
  - If the recovery request comes from a high-risk geolocation or follows multiple failed login attempts, the platform can:
    - Require the user to enter a recovery code provided during account setup.
    - Send a notification to the user's email or phone, warning them of the attempt and offering a chance to block it.
- Rule 4: Time-of-Day Restrictions
  - If the request occurs at odd hours inconsistent with the user's previous behavior, the system could enforce delayed recovery, providing additional time for the user to report suspicious activity.
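The four rules above, expressed as a small policy function; this is an added example, not Authsignal's rules engine, and the data model, the `HIGH_RISK_COUNTRIES` placeholder, the failed-login threshold and the handling of a new device on a familiar IP are assumptions made here.

```python
from dataclasses import dataclass

# Constructed data model for this example; field names are assumptions, not Authsignal's API.
@dataclass
class RecoveryAttempt:
    device_id: str
    ip: str
    country: str        # ISO country code of the requesting IP
    hour: int           # local hour of day (0-23) when the request arrived
    failed_logins: int  # failed login attempts shortly before this request

@dataclass
class UserProfile:
    known_devices: set
    known_ips: set
    usual_hours: range       # hours in which this user normally signs in
    recovery_code_set: bool  # whether a recovery code was issued at account setup

HIGH_RISK_COUNTRIES = {"ZZ"}  # placeholder; populate from your own risk data
FAILED_LOGIN_LIMIT = 3        # assumed threshold for "multiple failed attempts"

def evaluate_recovery(attempt: RecoveryAttempt, profile: UserProfile) -> dict:
    """Apply Rules 1-4 to a recovery request.

    Returns the factor the user must complete plus any extra controls
    (recovery code, notification, delay) layered on top of it.
    """
    known_device = attempt.device_id in profile.known_devices
    known_ip = attempt.ip in profile.known_ips
    controls = []
    if known_device:                      # Rule 1: recognized device
        factor = "magic_link_or_app_otp"
    elif not known_ip:                    # Rule 2: unrecognized device + unusual IP
        factor = "identity_verification"
    else:                                 # assumption: new device on a familiar IP
        factor = "app_otp"
    # Rule 3: high-risk geolocation or repeated failures
    if attempt.country in HIGH_RISK_COUNTRIES or attempt.failed_logins >= FAILED_LOGIN_LIMIT:
        controls.append("recovery_code" if profile.recovery_code_set else "identity_verification")
        controls.append("notify_user_with_block_option")
    # Rule 4: request outside the user's usual hours
    if attempt.hour not in profile.usual_hours:
        controls.append("delay_recovery")
    return {"factor": factor, "controls": controls}

# Constructed sample profile (RFC 5737 documentation addresses).
DEMO_PROFILE = UserProfile(known_devices={"dev-A"}, known_ips={"198.51.100.7"},
                           usual_hours=range(7, 23), recovery_code_set=True)
```

Rules 3 and 4 stack on top of whichever factor Rules 1 and 2 selected, so a recognized device at 3 a.m. from a high-risk country still gets the recovery code, the notification and the delay.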
These adaptive policies help businesses stay one step ahead of attackers by only allowing recovery under tightly controlled and dynamic conditions. Even if a fallback method like OTP or recovery codes is used, the additional checks make unauthorized access much harder.
Why Adaptive Recovery Rules Matter
Attackers often exploit weak recovery flows by simulating lost credentials. Adaptive policies minimize these risks by factoring in context and behavior, making it difficult for anyone other than the legitimate user to bypass recovery checks.
With Authsignal’s no-code rules engine, businesses can easily create and modify these adaptive policies to match their specific needs, helping reduce fraud and secure customer accounts without adding unnecessary friction to the recovery process.
Integrating Authsignal for Seamless Passkey Authentication with AWS Cognito, Azure AD B2C, Auth0, and Duende IdentityServer
Authsignal empowers businesses to deliver seamless passkey authentication while ensuring robust fallback solutions. Our no-code rules engine, adaptive MFA policies, and pre-built UI components and SDKs offer flexible integration options, allowing organizations to customize recovery flows and enhance user experience without compromising security.
We seamlessly integrate with leading identity platforms, including AWS Cognito, Azure AD B2C, Auth0, and Duende IdentityServer, providing you with the tools to fit effortlessly into your existing ecosystem.
With expert support every step of the way, we ensure your authentication outcomes are achieved efficiently and effectively.
With Authsignal, you can:
- Enforce passkeys as the primary authentication method with minimal user friction.
- Build secure fallback solutions using biometrics, recovery codes, and adaptive MFA.
- Streamline account recovery with self-service tools and automated workflows.
By supporting the latest passwordless standards and offering intelligent fallback options, Authsignal helps businesses future-proof authentication, safeguard users, and minimize fraud.