In 2025, most individuals store their critical data with tech giants like Microsoft, Google, Apple, Amazon, and Facebook. For example, Google Drive has over 2 billion users (Wikipedia), and Facebook stores information for more than 2.8 billion users (Meta). These accounts typically require passwords, but passwords are inherently vulnerable, leading to the adoption of multi-factor authentication (MFA).
The most common MFA method is the Time-Based One-Time Password (TOTP), which generates a short-lived six-digit code derived from a shared secret and the current timestamp (RFC 6238). However, TOTP functions as a second password: anyone who obtains the shared secret, or a code that is still within its validity window, can authenticate with it. Therefore, TOTP faces the same security challenges as passwords and requires equally robust protection (Microsoft Security Blog).
Passkeys provide a better alternative through public-key cryptography, eliminating the need for passwords. Users sign authentication challenges with their private key, while the public key, even if compromised, poses no risk because it is not meant to be secret (FIDO Alliance).
When using Passkeys, security keys can further enhance protection. Security keys are physical devices—often USB, NFC, or Bluetooth-based—that store private keys and authenticate users by cryptographically signing challenges. Although optional, these devices safeguard private keys by performing the signing operation on the device itself, so the key never leaves it (NIST). Unlike passwords or TOTP, Passkeys are resistant to phishing because a credential is bound to the website it was registered with and a signature is only produced when interacting with that legitimate website, making it nearly impossible for attackers to trick users into granting access.
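To make the "second password" point above concrete, the following added example (not part of the original essay) implements TOTP as specified in RFC 6238 using only the Python standard library, checks it against the RFC's published test vector, and shows why a verifier that tolerates clock skew will accept a code that was handed to a phishing page a few seconds earlier unless it also enforces one-time use of each code. The secret is the RFC's test secret, not a real credential.

```python
import hmac, hashlib, struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), constructed from the
# RFC's published test vectors; not a real credential.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits)

def verify_with_skew(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Typical server check: accept the code for the current step and +/- `skew` steps.
    Nothing here stops the same code from being accepted twice within that window."""
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - skew, counter + skew + 1))

class ReplaySafeVerifier:
    """Same skew tolerance, but a time step that already produced a successful login is
    never accepted again (RFC 6238, section 5.2, requires one-time use of an OTP)."""
    def __init__(self, secret: bytes, skew: int = 1):
        self.secret, self.skew, self.last_counter = secret, skew, -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

if __name__ == "__main__":
    print(totp(SECRET, 59, digits=8))           # 94287082, matches RFC 6238 Appendix B
    leaked = totp(SECRET, 59)                   # code a user typed into a lookalike page at T=59
    print(verify_with_skew(SECRET, leaked, 89)) # True: still accepted one step later
    v = ReplaySafeVerifier(SECRET)
    print(v.verify(leaked, 59), v.verify(leaked, 89))  # True False
```

The replay-safe verifier closes the reuse window but not the underlying weakness: the code is still a bearer secret that a user can be tricked into typing, which is exactly what the origin-bound signature of a Passkey removes.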
With billions of users relying on services like Google and Facebook, the weaknesses of passwords and TOTP highlight the importance of adopting Passkeys. By transitioning to Passkeys, users gain stronger security, protection against phishing, and a more reliable method for securing sensitive data (TechCrunch).
Works Cited
- FIDO Alliance. "What is FIDO?" fidoalliance.org. https://fidoalliance.org/what-is-fido/.
- Meta. "Facebook Reports Third Quarter 2021 Results." 2021. https://about.fb.com/news/2021/10/facebook-reports-q3-2021-results/.
- Microsoft Security Blog. "The Evolution of Multi-Factor Authentication." 2022. https://www.microsoft.com/security/blog.
- National Institute of Standards and Technology (NIST). "Digital Identity Guidelines: Authentication and Lifecycle Management." 2021. https://pages.nist.gov/800-63-3/sp800-63b.html.
- IETF. "RFC 6238: TOTP: Time-Based One-Time Password Algorithm." https://datatracker.ietf.org/doc/html/rfc6238.
- TechCrunch. "Passkeys and the Future of Secure Authentication." 2024. https://techcrunch.com/tag/passkeys/.
- Wikipedia. "Google Drive." 2024. https://en.wikipedia.org/wiki/Google_Drive.