Security
Passkeys are the new baseline for support tools
SMS codes are not enough. Why we made phishing-resistant passkeys and MFA mandatory across every AccessMonk account.
Dana Whitfield
May 2, 2026 · 4 min read

A remote-support account is a master key to every device it can reach. Protecting it with an SMS code — phishable, SIM-swappable — is no longer defensible.
Why passkeys
- Phishing-resistant: credentials are bound to the origin and cannot be replayed.
- No shared secret to steal from a database.
- Faster sign-in than typing a one-time code.
MFA is mandatory on every AccessMonk account, and passkeys are the default. SMS is not offered as a fallback because a fallback to a weak method is just a weak method.


