Cyber Tool Stack
All categories
Identity & AccessMFA

MFA & Passwordless Authentication

Adds a second proof of identity beyond a password — or replaces the password entirely with a fingerprint, device passkey, or security key — so a stolen password alone isn't enough for an attacker to log in as you.

A password alone is a single, stealable secret — if an attacker phishes, buys off a leaked-credential list, or guesses it, that's often all they need to log in as someone else. A second layer of proof closes that gap: after entering a password, the user confirms their identity a second way — tapping approve on their phone, using a security key, or scanning a fingerprint — something a remote attacker with just the stolen password doesn't have.

The newest version skips the password step entirely. Instead of "password plus a second factor," the device itself — a fingerprint, face scan, or small security key — becomes the only thing needed to log in, removing the password as something to steal in the first place.

The problem it solves

Passwords get phished, reused across services, and leaked in breaches at other companies that have nothing to do with the organization being attacked. Once an attacker has a valid username and password, a login screen protected by nothing else lets them straight in — no second check catches that the person logging in isn't who they claim to be.

Adding a second factor stops most of these account takeovers, since stealing a password no longer gets an attacker anywhere on its own. But not all factors are equally strong: a one-time code can still be approved by a tricked, half-attentive user, which is why phishing-resistant methods are increasingly treated as the real standard.

How it works

After a user enters (or skips) a password, the login flow pauses for a second proof: a push notification, a time-based numeric code, a fingerprint or face scan, or a security key that communicates cryptographically with the login service. Administrators set policy centrally, choosing which methods are acceptable for which apps or groups.

Modern systems also weigh context: a login from a known device might get a lighter check, while one from an unfamiliar location gets forced through a stronger "step-up" verification. Device health factors in too, so a managed laptop is trusted differently than an unknown personal one. In passwordless setups, the key or the device's biometric sensor doesn't just add a check — it replaces the password as the primary credential.

MFA vs passwordless

Multi-factor authentication still starts with a password, then adds something on top — an extra checkpoint layered on an existing weak point. Passwordless authentication removes that weak point altogether: there's no password to type, phish, reuse, or leak, since the login is built around possessing a device or key plus a biometric or PIN unlock.

Passwordless is the stronger long-term direction, since it eliminates a whole class of attacks rather than adding a hurdle to it, but rolling it out requires every user to register a compatible device or key — which is why most organizations run MFA broadly and expand passwordless coverage as comfort catches up.

Choosing one

The single biggest factor is whether a method can be phished at all — push notifications and one-time codes are much better than nothing, but a determined attacker with a fake login page can still trick a user into approving one. Security keys and passkeys close that gap: the cryptographic proof ties to the real site, not whatever page the user is looking at.

Beyond strength, weigh rollout practicality: does the organization already issue devices with biometric sensors, or would every employee need a key mailed to them? A method that's technically stronger but too cumbersome to enforce consistently often protects less of the fleet than a weaker one that's actually used everywhere.

Capability taxonomy

What buyers typically evaluate when comparing tools in this category.

Phishing-resistant factors
Supports FIDO2 security keys and passkeys that can't be relayed or phished.
Push & one-time-passcode factors
Offers mobile push approval and time-based one-time codes as second factors.
Adaptive step-up authentication
Requires stronger verification only when the login looks risky.
Biometric authentication
Uses fingerprint or face recognition built into user devices.
Device trust signals
Factors device health and enrollment status into the authentication decision.
Admin enforcement policies
Lets admins mandate MFA or passwordless methods by group, app, or risk level.

Tools in this category

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.