Passkeys vs. 2FA and TOTP: What are the differences?

By Megan Barker

We’ve compared passkeys to passwords and magic links, and recently explored two-factor authentication (2FA) and time-based one-time passwords (TOTP). We think this calls for a passkey and 2FA face-off, don’t you?

Passkeys are the hot topic right now. This form of passwordless authentication lets you sign in to websites and apps that support it without a typical plaintext password. You authenticate with your biometric information or device passcode, and everything else happens behind the scenes, just like that.

Two-factor authentication requires two separate and distinct factors (something you know, something you have, or something you are). It's not merely the step of entering a TOTP that creates true 2FA. Let's say you store your passwords digitally, in a first-rate password manager, for example. If you want the protection of true 2FA, your one-time passwords need to come from a different device than the one that holds your account passwords.

So, passkeys or traditional 2FA? Let’s look at the differences between them, and what sets passwordless technology apart from (and above) the password-plus-TOTP combination the security industry has encouraged for years.

A tale of two differences

There are two primary differences between passkeys and traditional forms of 2FA.

The first contrast is the presence, or lack of, a password. Passwordless authentication is passwordless by definition – it’s designed to replace your passwords. Two-factor authentication is an entirely different concept. Rather than replacing something, 2FA adds a step (factor) to help strengthen the security of a password-protected account. But your traditional password remains the first factor or step in most 2FA flows.

The other notable difference is susceptibility to attack. Signing in with a passkey is relatively automatic, meaning there's nothing to type or enter, and inherently more secure: there is no code that can be stolen, phished, or intercepted, and a passkey is bound to the site it was created for, so a look-alike phishing site can't obtain a valid sign-in from it.


But passkeys and 2FA have one thing in common: both improve upon traditional password-only account protection (one-factor security).

Replayability is arguably the biggest issue with traditional plaintext passwords. Data is replayable when it can be intercepted, delayed, and reused. Passwords are considered very replayable: After an attacker steals your password once, they can use it to access the associated account (or accounts) as often as they want.

Multi-factor authentication (MFA) methods provide protection against replayability. A time-based one-time password is computed from a secret shared with the site and the current time, and it expires after a short window (30 seconds by default). That expiration means a code captured today can't be reused tomorrow, which helps protect your accounts and data. Two caveats apply: a code can still be relayed by a phishing site in real time, inside its window, and the site itself must refuse to accept the same code twice.
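To make the expiry and replay point concrete, here is an added example (not code from this post or from 1Password) of the TOTP algorithm the paragraph describes, implemented per RFC 4226/6238 with HMAC-SHA1, 6 digits and 30-second steps. The shared secret is the ASCII test-vector secret from RFC 6238, used only so the values are checkable; a real secret is random and never appears in source. The verifier also records the last time step it consumed, which is the server-side check a captured code needs to be useless even while its window is still open.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const (
	totpStep   = 30      // seconds per time step, the RFC 6238 default
	totpDigits = 6       // digits shown to the user
	totpMod    = 1000000 // 10^totpDigits
)

// hotp computes an RFC 4226 HOTP value (HMAC-SHA1 plus dynamic truncation) for one counter.
func hotp(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return code % totpMod
}

// totp is what the authenticator app displays: HOTP over the current 30-second step.
func totp(secret []byte, unixTime int64) string {
	return fmt.Sprintf("%0*d", totpDigits, hotp(secret, uint64(unixTime/totpStep)))
}

// Verifier is the server side. Besides the shared secret it remembers the highest
// time step already used, so a code captured in transit cannot be replayed even
// while its 30-second window is still open.
type Verifier struct {
	secret      []byte
	lastCounter int64 // -1 until the first successful login
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastCounter: -1}
}

// Verify accepts the current step or the previous one (small clock skew) and
// refuses any step at or below the last one consumed.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	cur := unixTime / totpStep
	for _, step := range []int64{cur, cur - 1} {
		if step <= v.lastCounter {
			continue // already used, or older than a step already used
		}
		expected := fmt.Sprintf("%0*d", totpDigits, hotp(v.secret, uint64(step)))
		if hmac.Equal([]byte(expected), []byte(code)) {
			v.lastCounter = step
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the RFC 6238 test-vector secret, not a real credential.
	secret := []byte("12345678901234567890")
	v := NewVerifier(secret)
	code := totp(secret, 59) // "287082" per the RFC test vectors
	fmt.Println("first use at t=59: ", v.Verify(code, 59)) // true
	fmt.Println("replay at t=70:    ", v.Verify(code, 70)) // false: step already consumed
	fmt.Println("stale code at t=95:", v.Verify(code, 95)) // false: window expired
}
```

The one-step tolerance (cur and cur-1) is what lets a user whose phone clock lags a few seconds still sign in; the lastCounter check is what stops an attacker who captured the code from using it during the same window, which expiry alone does not do.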

Where MFA adds protection to your passwords, passkeys have fundamental protection of their own.

To kill a password

The added security of MFA is core to the passkey design — it’s built right in.

When you authorize the use of a passkey with your biometric information or device passcode, you prove you own and can unlock the device that holds the passkey.

And with that, you’ve proven more than you will ever prove by signing in with a password only (one-factor security). But there’s more.

Each passkey is a public/private key pair. The website or app stores only the public key; the private key stays on your device. When you sign in, the site sends a fresh, random challenge, your device signs it with the private key, and the site checks that signature against the public key it holds¹. A valid signature proves you possess the one private key that matches, and you're signed in to your account.

These processes happen in one ultra-quick step without a password or one-time code in sight. So there’s nothing of value to lose, intercept, steal, forget, or expire because your private key never leaves your device.

The moral of the story: Passkeys have non-replayability built in without requiring additional time, effort, and risk like typical MFA methods.
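The challenge-and-signature exchange described above, together with the origin binding mentioned earlier, as an added example that is not part of the original post and not 1Password's code. It models a relying party (server) that keeps public keys only, and an authenticator (device) whose private key never leaves it, using P-256 ECDSA as WebAuthn's ES256 does. The signed message, H(rpID) || challenge, is a deliberate simplification of WebAuthn's authenticatorData || clientDataHash; the names Authenticator, RelyingParty and the rpIDs example.com and evil.example are assumptions made for the example. The three server-side checks each close a different door: a consumed challenge stops replay, the rpID hash stops a phishing origin, and the signature proves possession of the private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator is the device-held half of a passkey. The private key is created
// here and never leaves; it only signs for the relying-party ID it was registered
// under, which is what makes a look-alike phishing domain useless.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Assertion is what the relying party receives at sign-in (simplified WebAuthn shape).
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

// RelyingParty is the server: public keys per user, plus issued-but-unused challenges.
type RelyingParty struct {
	rpID       string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool // hex(challenge) -> outstanding
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// Register creates a P-256 passkey (WebAuthn ES256) for user and gives the server the public key only.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Authenticator{rpID: rp.rpID, priv: priv}, nil
}

// NewChallenge issues 32 random bytes that are valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// signedMessage is the data covered by the signature: H(rpID) || challenge.
func signedMessage(rpIDHash [32]byte, challenge []byte) []byte {
	return append(rpIDHash[:], challenge...)
}

// Sign is invoked with the rpID derived from the page's real origin. A credential
// scoped to example.com does not exist for evil.example, so the request fails before
// anything is signed. (The biometric / passcode gate of a real authenticator is omitted.)
func (a *Authenticator) Sign(originRPID string, challenge []byte) (Assertion, error) {
	if originRPID != a.rpID {
		return Assertion{}, errors.New("no passkey registered for " + originRPID)
	}
	h := sha256.Sum256([]byte(a.rpID))
	digest := sha256.Sum256(signedMessage(h, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: h, Challenge: challenge, Signature: sig}, nil
}

// Verify checks an assertion for user: challenge (replay), rpID hash (origin), signature (possession).
func (rp *RelyingParty) Verify(user string, asr Assertion) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	key := hex.EncodeToString(asr.Challenge)
	if !rp.challenges[key] {
		return false // unknown, or already used
	}
	delete(rp.challenges, key) // consume first: one challenge, one attempt
	if asr.RPIDHash != sha256.Sum256([]byte(rp.rpID)) {
		return false
	}
	digest := sha256.Sum256(signedMessage(asr.RPIDHash, asr.Challenge))
	return ecdsa.VerifyASN1(pub, digest[:], asr.Signature)
}

func main() {
	rp := NewRelyingParty("example.com")
	auth, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	ch, _ := rp.NewChallenge()
	assertion, _ := auth.Sign("example.com", ch)
	fmt.Println("sign-in:", rp.Verify("alice", assertion)) // true
	fmt.Println("replay: ", rp.Verify("alice", assertion)) // false: challenge consumed
	ch2, _ := rp.NewChallenge()
	_, err = auth.Sign("evil.example", ch2)
	fmt.Println("phish:  ", err) // no passkey registered for evil.example
}
```

Nothing in an Assertion is a secret: capturing one in transit yields a signature over a challenge the server will never issue again, which is the "nothing of value to intercept" property the section describes.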

Gone with the 2FA…?

Passwords will be around for some time and various methods of MFA will be right alongside them for the foreseeable future. And as we shift toward a passwordless future, there still may be a few niche scenarios that call for a strong password and second factor (2FA).

Imagine, for example, you store your passkeys in 1Password so they’re quickly and easily accessible across your devices. But you need to sign in to 1Password to use your passkeys. Beyond the account password and Secret Key combination (that’s exceptionally robust on its own), you might further protect your 1Password information by turning on 2FA and registering a hardware security key as your second factor.

Overall, passkeys address the replayability risk of plaintext passwords and mitigate the threats presented by TOTPs, which makes them intrinsically safer than both forms of authentication — combined. They’ll make traditional MFA options far less prevalent (and somewhat unnecessary) but passkeys may not make them entirely obsolete just yet — especially when you consider your most critical assets.

And that may change.

As technology advances, threats advance, and how we combat those threats has to advance just as rapidly.

Traditional forms of two-factor authentication have been helpful, and may continue to be, but attackers long ago solved any mystery the process held: SIM swapping captures codes sent by SMS, real-time person-in-the-middle phishing relays a TOTP before it expires, and social engineering persuades people to hand codes over.

At the moment, passkeys resist the phishing and replay attacks that undermine passwords and one-time codes, and they're a great solution to a number of problems presented by traditional authentication methods. Will hackers find a workaround for the cryptographic design of passkeys?

Maybe.

But passwordless technology will advance, too. And right now, passkeys are fantastic, just what we need, and only the beginning.

If you want to learn more about passkeys and how they’ll be supported in 1Password, check out our passkeys microsite, listen to our passwordless special on the Random but Memorable podcast, and subscribe to our new passwordless newsletter.

1. An exceptionally condensed version of the process. Learn how passkeys work and more about public key cryptography.
