Death to one-time text codes: Passkeys are the new hotness in MFA

Whether you're logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.

For example, email security shop Abornormal AI documented a recent series of incidents at academic institutions where attackers were able to phish victims into not only entering their usernames and passwords but also the one-time password (OTP) they received from the schools' servers.

Using someone's legitimate account credentials is a much more effective avenue for crims than finding a security hole to exploit. Microsoft's latest Digital Defense Report puts identity as the top attack vector.

Using MFA of any kind is ...