Death To One-Time Text Codes: Passkeys Are The New Hotness In MFA
The Register, Friday, December 5th, 2025
Whether you're logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity.
However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.
For example, email security shop Abornormal AI documented a recent series of incidents at academic institutions where attackers were able to phish victims into not only entering their usernames and passwords but also the one-time password (OTP) they received from the schools' servers.