Back to blog
Security

Passkeys are the new baseline for support tools

SMS codes are not enough. Why we made phishing-resistant passkeys and MFA mandatory across every AccessMonk account.

Dana Whitfield

May 2, 2026 · 4 min read

Passkeys are the new baseline for support tools

A remote-support account is a master key to every device it can reach. Protecting it with an SMS code — phishable, SIM-swappable — is no longer defensible.

Why passkeys

  • Phishing-resistant: credentials are bound to the origin and cannot be replayed.
  • No shared secret to steal from a database.
  • Faster sign-in than typing a one-time code.

MFA is mandatory on every AccessMonk account, and passkeys are the default. SMS is not offered as a fallback because a fallback to a weak method is just a weak method.