
Not Ready for Passkeys? Multi-Factor Authentication Is Still Better Than Nothing

While MFA has its vulnerabilities, especially SMS-based authentication, it's better than leaving your accounts open to devastating attacks, Trend Micro VP of Strategy Eric Skinner tells us at RSA.

By Neil J. Rubenking, Principal Writer, Security

(Credit: Flavio Coelho/Getty Images)

Passkeys are currently the authentication tool of choice for security pros, but any type of account protection is better than nothing, says Trend Micro VP of Strategy Eric Skinner. Yes, even SMS-based multi-factor authentication (MFA).

"Text-based SMS MFA is relatively straightforward, and almost everybody has a phone," Skinner told me at the RSA Conference in San Francisco. And while it's "technically hackable" thanks to SIM-swapping schemes, "security folks may overreact."

He pointed out that SIM-swapping requires a focus on a specific victim and a social engineering attack on the carrier. "It takes some effort."

"Luckily, a new technology is gaining ground," said Skinner. "My message is, use passkeys wherever they're available. Enterprise hasn't adopted them, but consumers have the chance."

Passkeys are FIDO2-compatible, meaning they can use common devices to authenticate and are more convenient than hardware security keys.

Attacker-in-the-Middle

As for what passkeys and MFA guard against, Skinner pointed to a rise in what's known as "attacker-in-the-middle" attacks. "It does not require skill. The code is published, downloadable from GitHub," he said. "You can get kits."

In 2018, we covered an early version of the attack, which starts with a phishing email. Now, with the help of generative AI, "attackers are able to write much better emails" that convince people to click and log in, said Skinner. "They can be perfect."

When the fake website receives the user's credentials, it passes them along to the real site. This generates the text-based MFA message, as usual. But when the victim types in the code, the attacker captures it and uses it to log in. Skinner confirmed this would also work with an authenticator app or even with a physical token that displays a changing code.

I asked how the fake website could escape the notice of Trend Micro's antivirus or a similar product, and Skinner said the fake version runs on a server somewhere, with no presence on your local machine. "We're tired of seeing people get hit with these attacks," said Skinner.
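Why the relayed one-time code Skinner describes passes but a relayed passkey login does not, as an added stdlib-only Python model that is not from the article or from Trend Micro: the domain names are assumed, the login page on the look-alike domain stands in for the relay site, and an HMAC key stands in for the passkey's real key pair.

```python
import hashlib, hmac, json, os

RP_ID = "example.com"                       # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"     # assumed legitimate login origin
PROXY_ORIGIN = "https://login.example.net"  # constructed look-alike relay site

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class SimAuthenticator:
    """Stand-in for a platform authenticator. An HMAC key replaces the real
    per-credential key pair so the example stays stdlib-only (assumption)."""
    def __init__(self):
        self.key = os.urandom(32)

    def get_assertion(self, browser_origin, challenge):
        # The browser, not the page, records the origin it is really on, and it
        # only permits an RP ID that is a registrable suffix of that origin.
        rp_id = browser_origin.split("://", 1)[1].split(".", 1)[1]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}).encode()
        auth_data = rp_id_hash(rp_id)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(self.key, to_sign, "sha256").digest()}

def verify_otp(expected, submitted):
    # A code says nothing about where it was typed, so a relayed code passes.
    return hmac.compare_digest(expected, submitted)

def verify_assertion(key, challenge, assertion):
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "bad type or challenge"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"      # a relayed login fails here
    if assertion["auth_data"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    if not hmac.compare_digest(hmac.new(key, to_sign, "sha256").digest(), assertion["sig"]):
        return False, "bad signature"
    return True, "ok"

def demo():
    auth = SimAuthenticator()
    challenge = os.urandom(16).hex()  # issued by the real site, forwarded by the proxy
    otp_relayed = verify_otp("482913", "482913")  # constructed code, typed on the proxy page
    direct = verify_assertion(auth.key, challenge, auth.get_assertion(RP_ORIGIN, challenge))
    relayed = verify_assertion(auth.key, challenge, auth.get_assertion(PROXY_ORIGIN, challenge))
    return otp_relayed, direct[1], relayed[1]  # (True, "ok", "origin mismatch")
```

The origin and rpIdHash checks are the relying party's side of the FIDO2 design; the same relay that captures a typed code cannot produce an assertion bound to the real site's origin.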

To avoid getting caught up in this yourself, we have explainers on how to set up passkeys on your Amazon, Apple, and Google accounts.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.
