A Simple Overview of Passwords, 2FA, and Passkeys (Bite-size Article)

Published: December 19, 2025 at 04:31 PM EST
Source: Dev.to

koshirok096

Introduction

It may feel a little late to talk about this now, but—are you using Passkeys?

Over the history of the web and modern technology, several authentication methods have come and gone. If we focus only on the major ones, the mainstream progression has been:

Password → 2FA/MFA → Passkey

Today, Passkeys are considered the most secure option and are positioned as an official W3C standard—effectively the “new default.”

That said, many services still rely on password‑only or 2FA/MFA logins, so we live in a world where multiple authentication methods coexist.

This is a short article, but I’d like to briefly summarize the evolution of these authentication methods.

What is a Password?

A Password is, needless to say, a “secret phrase” you memorize and type in yourself.

In the early days of the web, many services relied solely on this simple authentication method. However, due to its security weaknesses, password‑only authentication has gradually been phased out, especially among large platforms.

Pros

  • Simple and easy for anyone to use

Cons

  • Easily stolen and high‑risk
  • Often reused across multiple services, leading to greater exposure
  • Data breaches on the server side are outside the user’s control and cannot be prevented by personal effort

What is 2FA (Two‑Factor Authentication)?

2FA strengthens password‑based logins by adding one more step for increased security.

This method is widely used today, and many people are already familiar with it. SMS codes, authenticator apps, and email verification are typical examples. By combining them, the system requires:

“You know the password” + “You can confirm the code on your device.”

This two‑step process significantly raises the security level.

Pros

  • Even if your password leaks, attackers cannot easily break in

Cons

  • More steps than password‑only login
  • Not all 2FA methods are equal (e.g., SMS is relatively weak, TOTP apps are moderate, hardware keys like FIDO2 are strong)
  • Codes can still be stolen through phishing attacks

What is a Passkey?

Passkeys are promoted by major tech companies such as Apple, Google, and Microsoft, and are currently positioned as the W3C standard—the “successor” to passwords. This new authentication method has gained significant attention in recent years, especially because it eliminates the need for passwords altogether.

Your device stores a cryptographic key (a private key), and when logging in, the device automatically proves your identity using your PIN or biometric authentication (face or fingerprint).

Pros

  • No passwords → extremely low risk of theft or data leakage
  • Fast and convenient, secured by device‑level protection and biometrics

Cons

  • Not yet supported by all services; adoption is still ongoing
  • If you lose your device, you cannot simply “remember” or recreate your key—backup and sync are essential
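
To make the difference between a forwarded 2FA code and a passkey signature concrete, here is an added example in Node.js (not from the original article): a simplified model of the challenge-and-origin check a server performs on a passkey login, next to a one-time code check. The function names, origins, and code value are constructed for illustration, and the message format is deliberately simpler than real WebAuthn.

```javascript
// Simplified model, not the real WebAuthn message format. All names, origins
// and the sample code value are constructed for illustration.
const nodeCrypto = require('node:crypto');
const RP_ORIGIN = 'https://example.com'; // the site's real origin (constructed)

// Registration: the device keeps the private key; the server stores only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Device side: the browser, not the page, records the origin it is really on,
// and the private key signs the challenge and that origin together.
function deviceSign(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: verify the signature first, then the challenge, then the origin.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!nodeCrypto.verify('sha256', signed, serverRecord.publicKey, assertion.signature)) {
    return 'bad-signature';
  }
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'stale-challenge';
  if (data.origin !== RP_ORIGIN) return 'wrong-origin';
  return 'ok';
}

// A one-time code says nothing about where it was typed, so the server
// accepts it from whoever submits it first.
function verifyOtp(expectedCode, submittedCode) {
  const a = Buffer.from(expectedCode), b = Buffer.from(submittedCode);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b) ? 'ok' : 'bad-code';
}

function demo() {
  const { device, serverRecord } = registerPasskey();
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const check = (a) => verifyAssertion(serverRecord, challenge, a);
  return {
    genuine: check(deviceSign(device, challenge, RP_ORIGIN)),              // 'ok'
    lookalike: check(deviceSign(device, challenge, 'https://examp1e.test')), // 'wrong-origin'
    replayed: check(deviceSign(device, 'older-challenge', RP_ORIGIN)),     // 'stale-challenge'
    otpForwarded: verifyOtp('492817', '492817'),                           // 'ok'
  };
}
console.log(demo());
```

In real WebAuthn the authenticator additionally scopes each credential to the site's RP ID, so a look-alike domain is not offered the credential in the first place.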

A Simple Comparison of the Three Methods

| Category | Password | 2FA (MFA) | Passkey |
|---|---|---|---|
| Core Mechanism | Entering a memorized string | Password + additional verification code | Signing with a private key stored on device (no password) |
| Who Holds the Key? | User (memory) | User (memory + code‑delivery device) | Device (private key) |
| Authentication Flow | Send password → match check | Password → SMS/app code | Biometric or PIN unlocks private key for signing |
| Security Level | Low | Medium | High (phishing‑resistant) |
| Strengths | Simple and widely supported | More secure than passwords | Fast, secure, and passwordless |
| Weaknesses | Easily leaked or reused | Extra steps; codes can be stolen | Requires backup if device is lost |
| Main Risks | Theft, reuse, data breaches | Phishing via code relay | Device theft + PIN exposure |
| Availability | Works everywhere | Supported by most major services | Expanding but not universal yet |

Conclusion

In this article, I simply organized my own understanding of authentication technologies, focusing only on the high‑level concepts without diving too deeply into technical details. If any explanation feels incomplete, I appreciate your understanding.

When you look at all three methods side by side, Passkeys indeed offer extremely strong security—yet they are not perfect. Each authentication method from the past also had its own strengths and weaknesses. It’s interesting that even in a world with such advanced technology, we still haven’t developed a “flawless” authentication system.

Thank you for reading!
