Introduction
It may feel a little late to talk about this now, but—are you using Passkeys?
Over the history of the web and modern technology, several authentication methods have come and gone. If we focus only on the major ones, the mainstream progression has been Password → 2FA/MFA → Passkey. Today, Passkeys are considered the most secure option and are positioned as an official W3C standard—effectively the “new default.”
That said, many services still rely on Password-only or 2FA/MFA logins, so we live in a world where multiple authentication methods coexist.
This is a short article, but I’d like to briefly summarize the evolution of these authentication methods.
What is a Password?
A Password is, needless to say, a “secret phrase” you memorize and type in yourself.
In the early days of the web, many services relied solely on this simple authentication method. However, due to its security weaknesses, password-only authentication has gradually been phased out, especially among large platforms.
Pros:
- Simple and easy for anyone to use
Cons:
- Easily stolen and high-risk
- Often reused across multiple services, leading to greater exposure
- Data breaches on the server side are outside the user’s control and cannot be prevented by personal effort
What is 2FA (Two-Factor Authentication)?
2FA strengthens password-based logins by adding one more step for increased security.
This method is widely used today, and many people are already familiar with it. SMS codes, authenticator apps, and email verification are typical examples. By combining them, the system requires:
“You know the password” + “You can confirm the code on your device”
This two-step process significantly raises the security level.
Pros:
- Even if your password leaks, attackers cannot easily break in
Cons:
- More steps than password-only login
- Not all 2FA methods are equal (e.g., SMS is relatively weak, TOTP apps are moderate, hardware keys like FIDO2 are strong)
- Codes can still be stolen through phishing attacks
What is a Passkey?
Passkeys are promoted by major tech companies such as Apple, Google, and Microsoft, and are currently positioned as the W3C standard—the “successor” to passwords. This new authentication method has gained significant attention in recent years, especially because it eliminates the need for passwords altogether.
Your device stores a cryptographic key (a private key), and when logging in, the device automatically proves your identity using your PIN or biometric authentication (face or fingerprint).
Pros:
- No passwords → extremely low risk of theft or data leakage
- Fast and convenient, secured by device-level protection and biometrics
Cons:
- Not yet supported by all services; adoption is still ongoing
- If you lose your device, you cannot simply “remember” or recreate your key—backup and sync are essential
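To make the "device signs, server verifies" idea concrete, here is an added example (not code from this article or from any passkey library) of a simplified challenge-response login in Go. It is a model, not the real WebAuthn wire format: the `clientData` struct, the function names, the nonce and the two origins are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is a simplified stand-in for WebAuthn's clientDataJSON (assumed shape).
type clientData struct {
	Challenge string `json:"challenge"` // one-time nonce issued by the server
	Origin    string `json:"origin"`    // set by the browser, not by the page
}

// newPasskey creates the key pair; the service only ever receives the public half.
func newPasskey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// deviceSign models the device: it signs the challenge plus the origin actually loaded.
func deviceSign(key *ecdsa.PrivateKey, challenge, origin string) (data, sig []byte) {
	data, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	digest := sha256.Sum256(data)
	sig, _ = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return data, sig
}

// serverVerify accepts only a valid signature over the expected challenge and origin.
func serverVerify(pub *ecdsa.PublicKey, data, sig []byte, challenge, origin string) bool {
	var cd clientData
	digest := sha256.Sum256(data)
	ok := ecdsa.VerifyASN1(pub, digest[:], sig) && json.Unmarshal(data, &cd) == nil
	return ok && cd.Challenge == challenge && cd.Origin == origin
}

func main() {
	key := newPasskey()
	for _, origin := range []string{"https://example.com", "https://examp1e.test"} {
		d, s := deviceSign(key, "nonce-1", origin)
		fmt.Println(origin, serverVerify(&key.PublicKey, d, s, "nonce-1", "https://example.com"))
	}
}
```

A response signed on the look-alike origin is rejected by the real service, which is the difference from a 2FA code: a code is valid wherever it is typed, while the signature is bound to the site it was produced for.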
A Simple Comparison of the Three Methods
| Category | Password | 2FA (MFA) | Passkey |
|---|---|---|---|
| Core Mechanism | Entering a memorized string | Password + additional verification code | Signing with a private key stored on device (no password) |
| Who Holds the Key? | User (memory) | User (memory + code delivery device) | Device (private key) |
| Authentication Flow | Send password → match check | Password → SMS/app code | Biometric or PIN unlocks private key for signing |
| Security Level | Low | Medium | High (phishing-resistant) |
| Strengths | Simple and widely supported | More secure than passwords | Fast, secure, and passwordless |
| Weaknesses | Easily leaked or reused | Extra steps; codes can be stolen | Requires backup if device is lost |
| Main Risks | Theft, reuse, data breaches | Phishing via code relay | Device theft + PIN exposure |
| Availability | Works everywhere | Supported by most major services | Expanding but not universal yet |
Conclusion
In this article, I simply organized my own understanding of authentication technologies, focusing only on the high-level concepts without diving too deeply into technical details. If any explanation feels incomplete, I appreciate your understanding.
When you look at all three methods side by side, Passkeys indeed offer extremely strong security—yet they are not perfect. Each authentication method from the past also had its own strengths and weaknesses. It’s interesting that even in a world with such advanced technology, we still haven’t developed a “flawless” authentication system.
Thank you for reading!



