
Security guide

Password managers, MFA, and passkeys

How unique passwords, password managers, MFA, and passkeys work together without overstating any one control.

Direct answer

Use a password manager to create and store a unique random password for every service. Add MFA where available. Prefer a passkey when the service and your recovery setup support it, because passkeys can provide stronger phishing resistance than a password alone.

Password manager

A password manager reduces the need to memorize many credentials and makes long, unique random values practical. Protect the manager with a strong master credential, a secure recovery method, software updates, and MFA where supported.

MFA

MFA combines different authentication factors. A password plus another password is not MFA. Authenticator apps and security keys are generally preferable to relying only on SMS when stronger methods are available, but any recovery path must also be protected.

Passkeys

Passkeys use public-key cryptography and bind authentication to the legitimate service. They can reduce password theft and phishing risk, but users still need safe device access, synchronization, and account recovery.
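The sketch below is an added example, not code from this guide or from any passkey library. It shows how a WebAuthn-style sign-in binds the signature to the service by folding the origin and relying-party ID into the signed data. The names `bank.example`, `bank-login.example`, `authenticatorSign`, and `verifyAssertion` are constructed for illustration, the browser and authenticator are merged into one function, and a production service would use a maintained WebAuthn library.

```javascript
// Added illustration: simplified WebAuthn-style assertion check (Node.js built-ins only).
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the authenticator keeps the private key; the service stores the public key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const RP_ID = 'bank.example';             // constructed relying-party ID
const RP_ORIGIN = 'https://bank.example'; // constructed origin

// Browser plus authenticator: the browser, not the page, records the origin it is on.
function authenticatorSign(challenge, originSeenByBrowser, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: originSeenByBrowser,
  }));
  // authenticatorData = SHA-256(rpId) || flags (0x01: user present) || 4-byte counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Service side: check challenge, origin and rpId hash, then the signature over all of it.
function verifyAssertion(a, expectedChallenge) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== RP_ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenarios: genuine sign-in, lookalike site, edited assertion, stale assertion.
function demo() {
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = authenticatorSign(challenge, RP_ORIGIN, RP_ID);
  const phished = authenticatorSign(challenge, 'https://bank-login.example', 'bank-login.example');
  // Rewriting the origin and rpId hash after signing no longer matches the signature.
  const edited = phished.clientDataJSON.toString().replace('bank-login.example', 'bank.example');
  const tampered = { ...phished, clientDataJSON: Buffer.from(edited),
    authenticatorData: genuine.authenticatorData };
  return {
    genuine: verifyAssertion(genuine, challenge),
    phished: verifyAssertion(phished, challenge),
    tampered: verifyAssertion(tampered, challenge),
    replayed: verifyAssertion(genuine, nodeCrypto.randomBytes(32)),
  };
}
console.log(demo());
```

Only the genuine sign-in verifies. A password typed into the lookalike site would have been accepted by the real service, which is the gap the origin-bound signature closes.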

A layered setup

For services without passkeys, use a unique random password stored in a manager plus MFA. For services with passkeys, register more than one safe recovery option where appropriate and review the account’s fallback methods.
