
Why Dfns uses passkeys

Dfns uses passkeys exclusively for user authentication. Passkeys are based on the FIDO2/WebAuthn standard and use public-key cryptography instead of shared secrets like passwords.

The problem with passwords and traditional 2FA

Passwords can be stolen in data breaches, guessed, or phished through fake login pages. Traditional 2FA methods (SMS codes, TOTP apps) are also phishable: an attacker can run a real-time proxy of the login page that relays the password and the one-time code to the real site before the code expires. SMS-based 2FA is additionally vulnerable to SIM-swapping.

How passkeys work

  1. Registration: Your device generates a cryptographic key pair. The private key stays on your device and never leaves it. Only the public key is sent to Dfns.
  2. Authentication: Dfns sends a fresh, one-time challenge. Your device signs the challenge together with the origin it was presented on. Dfns verifies the signature with the stored public key and checks that the challenge and origin match what it issued.
This gives you two structural security properties:
  • No shared secret. The private key is never transmitted, so there is nothing reusable to capture in transit or to steal from the server. A server breach exposes only public keys, which cannot be used to forge a signature or to derive the private key.
  • Origin binding. Each key is cryptographically bound to the domain (the relying-party ID) it was created for. On a phishing site served from a different domain, your browser refuses to use the key at all, and because the signed data names the origin, a signature obtained elsewhere would fail verification anyway. Phishing the credential through a look-alike domain is prevented by design rather than by the user spotting the fake.
Additional properties:
  • Strong by design. Each passkey is a unique, cryptographically strong credential. No password reuse, no weak credentials.
  • Inherently multi-factor. Using a passkey combines “something you have” (the device) with “something you are” (biometric) or “something you know” (device PIN), in a single step.
  • Immune to credential stuffing and brute force. There are no passwords to guess or reuse across services.

Hardware security keys

Dfns supports software passkeys (stored in your device’s secure enclave, keychain, or password manager) and hardware passkeys (stored on a dedicated physical device like a YubiKey). Both are secure. For managing significant assets, we recommend hardware keys. Hardware keys provide cryptographic isolation: the private key is generated, stored, and used entirely within the device’s tamper-resistant secure element chip. It never touches your computer’s memory or storage. This matters because:
  • Physical separation. Even if your computer is fully compromised by malware, the private key itself cannot be extracted or copied; the attacker is limited to asking the device for signatures, and only while you are touching it.
  • Physical presence required. Every signature requires a physical touch on the device, so the key cannot be used silently in the background or by a remote attacker.
  • Strong possession factor. An attacker would need to physically obtain your hardware key and know its PIN to use it.
If your device or OS doesn’t have built-in passkey support, you can store passkeys in a password manager like 1Password, Bitwarden, or Dashlane. Enable passkey support in the extension settings.

Register a backup credential

Passkeys replace passwords entirely. There is no fallback email or SMS reset. If you lose access to your only registered credential and have no recovery key, you are locked out until an organization administrator re-enrolls you. Register at least two credentials on separate devices (for example, your laptop and a YubiKey). This takes a minute and is the simplest way to ensure you always have access to your account. See Registering a new passkey credential for a step-by-step guide, including how to register from a different device.

More information

You can read more about passkeys on the FIDO Alliance pages: https://www.passkeycentral.org/introduction-to-passkeys/
Last modified on April 14, 2026