May 31, 2026
3FA is not really being replaced by passkeys
Authentication is becoming invisible, so where does privacy live in the picture?
Adina Pirjol
4 min read
Intro
Everyone seems to have the same prediction about authentication: passwords are dying, and passkeys are taking over. The coming wave of automation will probably not be built on today's cybersecurity principles, bear with me on this. And eventually we'll stop talking about 2FA, MFA, and 3FA altogether.
It's a compelling story, but not entirely true. Passkeys are not replacing multi-factor authentication, they're replacing passwords. The real transition happening in front of us is from passwords to passkeys for identity, and from MFA to risk-based security.
That's a much bigger shift than most people realize.
The Security Industry has been chasing more factors for 20 Years
For decades, authentication followed a simple philosophy:
more factors = more security.
Let me give you a timeline of how I see things:
1990s: Passwords are everywhere, your personal "something you know". Examples: Windows login, early internet services, corporate directories.
2000s: SMS codes are added and hardware tokens emerge, your "something you have". Examples: RSA SecurID, banking tokens, enterprise VPN access.
2010–2015: SMS becomes mainstream, this is the golden age of 2FA. Examples: Google, Facebook, banking apps. The standard message now has the format: "Enter the 6-digit code we just sent you."
2013–2020: Authenticator apps replace SMS. Examples: Google Authenticator, Microsoft Authenticator. The security industry realizes that SMS is not secure enough.
2020–2025: Biometrics become the new normal. Examples: FaceID, TouchID, Windows Hello. Good authentication user experience becomes enjoyable, not just useful. Passwords begin disappearing, unless securely stored in a password manager app.
2026+: Risk-based authentication era, where an automated system evaluates device reputation, location, behavioral signals, cryptographic credentials and session risk. Instead of asking "Can you prove who you are?", the system asks "Do we trust this session?", and well-placed guardrails decide whether to apply the brakes.
As time passed, the assumption became obvious: if one factor is good, then three factors must be better. In practice, the result was a growing collection of security rituals that users learned to tolerate rather than enjoy.
Enter your password, wait for an SMS, open authenticator, approve notification, then verify email. Password forgotten? Answer recovery question.
Repeat.
The industry called this security, while long-time users started using the term "annoying" to describe it.
Passkeys change the equation
The interesting thing about passkeys is that they don't simply add another factor, they collapse several factors into a single interaction. When you unlock a passkey, multiple things happen simultaneously:
- You possess a trusted device.
- You verify locally with a biometric or PIN.
- Your device proves ownership of a cryptographic credential.
From the user's perspective this feels like one click and from a security perspective it's already much closer to traditional MFA than most password-based systems ever were.
This is why passkeys feel almost magical. The benefits are obvious: security improves, friction decreases, and that combination is rare.
The Future isn't more factors
The future-proof version requires fewer visible factors. Think about how modern platforms increasingly evaluate trust of their users.
Instead of asking "Can you enter the correct password?", they ask:
- Is this your phone?
- Is this a regular location you frequent?
- Is this a repeated behavior?
- Does your cryptographic credential match?
- Does this login look suspicious?
Authentication is gradually becoming less about proving identity and more about evaluating confidence, meaning that the system estimates how likely it is that you are who you claim to be.
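To make the "evaluating confidence" idea concrete, here is an added example (not from the original post) of a toy risk-based session evaluator in Node.js. The signal names, weights, thresholds and the constructed login history are all assumptions for illustration; a real system would learn these from data and tune them per tenant.

```javascript
// Added example: risk-based session evaluation. Weights, thresholds and the
// sample history below are assumptions, not values from any real product.
const RISK_WEIGHTS = {
  credentialMismatch: 100, // cryptographic credential failed to verify
  impossibleTravel: 50,    // two countries within a window too short to travel
  unknownDevice: 40,       // device never seen for this user
  newLocation: 25,         // country not in the user's usual set
  velocityHigh: 20,        // many failed attempts in the last hour
  unusualHour: 10,         // outside the user's usual login hours
};

// Score one session against the user's history; returns score plus reasons
// so an analyst can see *why* a login was challenged or denied.
function scoreSession(signals, history) {
  const reasons = [];
  let score = 0;
  const add = (key) => { score += RISK_WEIGHTS[key]; reasons.push(key); };

  if (!signals.credentialValid) add('credentialMismatch');
  if (!history.knownDevices.includes(signals.deviceId)) add('unknownDevice');
  if (!history.usualCountries.includes(signals.country)) add('newLocation');

  // Impossible travel: previous login from another country less than 2h ago.
  const last = history.lastLogin;
  const twoHoursMs = 2 * 60 * 60 * 1000;
  if (last && last.country !== signals.country &&
      signals.timestamp - last.timestamp < twoHoursMs) add('impossibleTravel');

  const hourUtc = new Date(signals.timestamp).getUTCHours();
  if (!history.usualHoursUtc.includes(hourUtc)) add('unusualHour');
  if (signals.failedAttemptsLastHour >= 5) add('velocityHigh');

  return { score, reasons };
}

// Policy: low risk passes silently, medium risk asks for a step-up
// (e.g. a passkey assertion), high risk is refused.
function decide(score) {
  if (score >= 100) return 'deny';
  if (score >= 30) return 'step_up';
  return 'allow';
}

function evaluate(signals, history) {
  const { score, reasons } = scoreSession(signals, history);
  return { action: decide(score), score, reasons };
}

// Constructed sample history and sessions for one user.
function demo() {
  const t0 = Date.UTC(2026, 4, 31, 9, 0, 0); // 09:00 UTC
  const history = {
    knownDevices: ['phone-1', 'laptop-1'],
    usualCountries: ['RO'],
    usualHoursUtc: [7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18],
    lastLogin: { country: 'RO', timestamp: t0 - 30 * 60 * 1000 }, // 30 min ago
  };
  const base = { deviceId: 'phone-1', country: 'RO', timestamp: t0,
                 credentialValid: true, failedAttemptsLastHour: 0 };

  return {
    normal: evaluate(base, history),
    newDevice: evaluate({ ...base, deviceId: 'laptop-x' }, history),
    // unknown device + new country + impossible travel from the RO login 30 min ago
    travel: evaluate({ ...base, deviceId: 'laptop-x', country: 'BR' }, history),
    badCredential: evaluate({ ...base, credentialValid: false }, history),
  };
}

module.exports = { scoreSession, decide, evaluate, demo };
```

The point of returning reasons alongside the score is that a risk engine is only operable if the people tuning it can see which signal drove each decision; a bare number invites both false positives and silent bypasses.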
Passkeys solve a different problem than 3FA
One of the most common misconceptions in security is that more factors automatically mean better protection. The experience and data I have collected suggest a messier picture.
A passkey can eliminate entire categories of attacks that multi-factor authentication still struggles with.
Passkeys are naturally resistant to:
- Credential stuffing
- Password reuse
- Phishing websites
- Fake login pages
Meanwhile, traditional MFA can still be vulnerable to:
- SIM swapping
- Social engineering
- MFA fatigue attacks
- Push notification bombing
Looking at the threat model, a well-designed passkey system can be significantly more secure than a poorly designed three-factor authentication flow. Attackers now need to compromise the user's device, its biometric/PIN unlock, the device's secure enclave, potentially a passkey synchronisation provider, and the recovery process.
Identity is moving from Secrets to Cryptography
Historically, authentication was built around secrets.
Something you know: a password, a recovery question, some small piece of personally identifiable information such as your mother's maiden name or a favorite pet's name.
Machines don't work that way though, machines trust cryptographic proof.
Increasingly, humans are moving in the same direction, because the future of authentication isn't remembering a password, it's proving ownership of cryptographic keys. For the first time, human authentication is starting to resemble machine authentication.
Where things get interesting
Everything we've discussed so far is still a security conversation. The next part is a privacy conversation and AI is about to make it impossible to separate the two.
Is CCTV footage Personal Data in 2026?
Under European privacy law, the answer is often yes, because it can identify a person, and that's an important distinction.
A face or a license plate alone may be enough, but even without them a combination of:
- Location
- Timestamp
- Clothing
- Behavior
…may be enough. The legal concept behind this isn't "named person", but "identifiable person." AI is rapidly expanding what identifiable means.
AI changes the definition of Identity
Twenty years ago, a random CCTV frame of a stranger might have been practically anonymous. Today, AI systems can:
- Match faces
- Estimate age
- Infer gender
- Recognize movement patterns
Tomorrow, those same systems may combine into a continuously updated identity graph:
- CCTV footage
- Social media images
- Event photography
- Geolocation data
- Transaction history
What changed recently is the ability to identify a person, and I believe that's where things become fascinating.
The GDPR paradox
Consider two identical video recordings, one exists in 2005 and the other exists in 2035.
The footage is exactly the same, yet one may be effectively anonymous while the other becomes personally identifiable because AI systems can extract significantly more information from it.
The technology interpreting all the data amassed in data centers is evolving, and that creates a difficult question for regulators. When does information become personal data? When it is collected or when technology becomes capable of identifying someone from it? The answer matters far beyond security.
The next-gen Authentication question
Imagine a future where our phone contains a passkey, the smartwatch broadcasts proximity signals, the car is connected as well, and public cameras recognize your walk. Your voice is recognizable, your devices continuously authenticate each other. Authentication becomes environmentally-dependent.
The system no longer asks who you are; it gathers all available signals consistently and decides whether "you are you". That is an entirely different model of trust, and this feels existential to me.
The debate we are not ready for
Many engineers, myself included, instinctively believe better identification creates better security (and they're not wrong), but privacy researchers raise a different concern.
If people can be reliably identified from faces, voices, walk, behavioral patterns and location histories, then anonymous participation in society becomes increasingly difficult.
"Should we identify people?" is a question society will ask, not software security.
Passkeys may be the last Authentication method Humans actively perform
Passkeys are a transition technology, and like any good transition technology, they bridge a gap: the one between the age of passwords and the age of inferred identity. The next decade won't be defined by passwords, OTP codes, or even biometrics. Systems and agents continuously collaborating and evaluating thousands of signals around us will decide whether they trust our claimed identity.
Authentication is becoming invisible, so where does privacy live in this picture?