Do passkeys make 2FA redundant even if a password is still needed for an account?

I have many accounts for which I’ve enabled passkeys so I’m wondering if disabling 2FA would be unwise for said accounts as long as disabling the accounts’ password is not an option?

While passkeys are supposed to replace passwords+TOTP, one of my accounts with a passkey could still be easily hacked if I keep using a password along with a passkey but no TOTP, right? The way I understand it, the password alone would make me vulnerable, but I hope I’m wrong tbh.

Although many websites started implementing Passkey support most of them didn’t do it well.
The right way to implement it is to disable the password completely, when there’s an option to login with a password you should keep 2FA enabled.

But when signing in, which is more secure: a passkey or password+TOTP if I’m practically forced to keep both right now? Should I skip over passkey altogether if passwords aren’t automatically disabled for a website?

Passkey offers PIN/biometrics login convenience, as long as you can keep your Passkey device secure. But because you can still login with the password, the password + 2FA may become liabilities if there is a breach on the service provider’s side: you may have to change them if there is a breach.

Passkey is also unphishable, but you can use a password manager with browser extension to make passwords less likely to be phished. You still can unwittingly override your password manager’s behavior, though.

So in the case of having both passkey and password+2FA:

  1. use passkey for convenience if you can keep your passkey device secure.
  2. if you use password manager, use long randomly generated password to make even MD5 hash cracking unlikely
  3. use unphishable, unbreachable 2FA like FIDO2 key if possible

Some people think using password + FIDO2 key have better security, as for them, getting to both require more authentication factors, often all 3.


Thanks for all of these tips. Appreciate both of your answers a lot!

1 Like