Introduction: Not All MFA is Created Equal
In both organizational and private applications, Multi-Factor Authentication (MFA) has established itself as the standard method for login verification. In this article, you will learn why MFA alone is no longer sufficient, how passwordless alternatives work, and how secure authentication methods are successfully implemented in healthcare and critical infrastructure (KRITIS). For a compact overview and practical recommendations on the key aspects of passwordless security in healthcare, please refer to our white paper: "The Path to a Passwordless Future in Healthcare."
Clarifying Terms: MFA vs. Passwordless Authentication
What is the difference between MFA and passwordless authentication? A passwordless login can be part of an MFA strategy. Multi-Factor Authentication (MFA) describes a mechanism that combines at least two different authentication factors from the categories of knowledge, possession, and inherence (biometrics). Many common MFA combinations still use a password as the first factor and add an authenticator app, email, SMS, or another method as the second step. The primary weakness of such MFA setups is precisely this continued reliance on the password.
Passwordless authentication is an architectural principle recommended in current security guidelines. Instead of manually entered passwords, it relies on other authentication methods such as FIDO keys, biometric features, passkeys, and more:
- FIDO2 Security Keys & Passkeys: The authenticator generates an asymmetric key pair. The private key remains on the device (e.g., a USB key), while the public key is stored by the service being logged into. Passkeys can be stored in system keychains (iOS, Android, ChromeOS) or on hardware tokens like USB keys or badges.
- Biometric Authentication: Fingerprint or facial recognition serves as a local release factor. The biometric template never leaves the device.
- Device-bound Smartcards/Badges: ID badges are well-established in healthcare and other critical infrastructure sectors. They carry a certificate or a FIDO key and allow for "tap-and-go" login.
Password-based MFA: Why the Second Factor is Not Enough
According to current BSI (Federal Office for Information Security) recommendations, passwordless procedures should replace passwords wherever services allow. In a white paper on the passwordless future in hospitals, Imprivata describes in detail how MFA transitions to passwordless within an optimized system. Known weaknesses of password-based MFA include:
- Passwords and One-Time Codes: Attackers can intercept both the password and one-time OTP codes. In its revised Digital Identity Guidelines (SP 800-63-4), the US standards body NIST noted that authentication methods using passwords and OTP codes are vulnerable to phishing.
- MFA Fatigue: Apps often use push notifications for MFA. Attackers bombard users with requests ("prompt bombing") until they press "Accept" out of frustration.
- SIM Swap and Email Vulnerabilities: With SMS-based MFA, a phone number can be transferred to a new SIM card via social engineering (SIM swap). Email codes are similarly vulnerable to phishing and account takeover attacks.
- Credential Stuffing & Brute Force: Reused passwords are traded in bulk as leaked credential databases. Verizon reports that credential abuse remains the most frequent attack vector in 2025/2026.
Phishing-Resistant Authentication Explained
The key to higher security is phishing-resistant authentication. It is based on three principles:
- Origin Binding: The authenticator verifies that it is responding to the correct domain. FIDO and WebAuthn cryptographically bind the credential to an origin URL, so a credential issued for the real site cannot be used from a look-alike site, making Man-in-the-Middle attacks ineffective.
- Cryptographic Keys & Non-Exportability: With FIDO authenticators, an asymmetric key pair is generated on the device. The private key remains within secure hardware (Secure Enclave, TPM, hardware token) and cannot be exported. NIST guidelines explicitly require a non-exportable private key for AAL3.
- Local User Verification: The user must authorize access to the key locally—e.g., via biometrics or a PIN.
FIDO2 and passkeys implement these principles. During registration, a key pair is generated. The private key remains on the device—badges are particularly popular for IAM in hospitals—and is protected by a fingerprint, facial recognition, or a device PIN. Passkeys store the key pair in the system keychain or a password wallet and can be synchronized between devices.
Common Misconceptions in Security Strategies
- "MFA is Enough": Many security strategies are based on the assumption that the combination of a password and a second factor is sufficient. This ignores the most common attack vectors: credential stuffing and phishing.
- "Passwordless is Just a UX Topic": In reality, the passkey architecture serves to protect against targeted attacks. FIDO2 authentication makes phishing, credential stuffing, and replay attacks technically impossible.
- "Passwordless MFA is Overkill": With the publication of NIST SP 800-63-4, phishing-resistant authenticators have become the new standard. The BSI supports this development: in its Technical Guideline TR-03188 (Passkey Server), it demands that passkeys be "established as a common 2FA method."
- "Employees Won't Accept Passkeys": Current surveys tell a different story. According to the FIDO Alliance, 74% of consumers are familiar with passkeys; 69% have already activated at least one. Over 38% of users activate passkeys whenever they are available. Furthermore, more than half of respondents consider passkeys to be more secure and user-friendly than passwords.
Conclusion: Why Modern Cybersecurity Must Combine MFA and Passwordless
Passwordless authentication is a necessary evolution of the MFA strategy. The DACH region is leading the way: the BSI recommends hardware-based FIDO tokens as the most secure solution. In Austria, SMS-TANs are no longer accepted in the state "ID Austria" system; FIDO security keys are used instead. These examples show that a future-proof Identity and Access Management strategy combines MFA with passwordless, phishing-resistant methods—finally making the password obsolete.