Guestline Rezlynx: Move from OTP to Passkey MFA

What is changing and why it matters for your business.

Written by Xanthe Jackson

Why we recommend moving to Passkey MFA

You may already be using Multi-Factor Authentication (MFA) with a one-time password (OTP) — a six-digit code generated by an authenticator app each time you log in. This is a solid step forward in protecting your account, and we strongly encourage it. However, OTP has a well-known limitation: it can still be defeated by phishing.

If a member of your team is tricked into entering their username, password, and OTP on a convincing fake login page, an attacker can use those credentials in real time to gain access to your systems. The code is valid for a short window, and that is all an attacker needs. There is no technical fix for this within OTP itself — the vulnerability lies in the fact that the code is something a person types, and therefore something they can be manipulated into typing in the wrong place.

Passkeys, also called Security Key MFA, solve this problem entirely.


What is Passkey MFA?

Passkey MFA allows you to sign in using either:

  • A physical security key (such as a YubiKey, Google Titan Key, or SoloKey) that plugs into a USB port, or

  • A passkey stored on your mobile device (Android or iOS), using your fingerprint, face ID, or device PIN to confirm your identity.

When you log in, your device creates a unique cryptographic link between your account and our official sign-in page. Critically, this link will only work on the genuine login page — it cannot be replicated or triggered by a fake website. Because there is no code to type, there is nothing to hand over to an attacker, even accidentally.

The secret part of the key never leaves your device. Even if an attacker can see your screen or intercept your network traffic, they cannot obtain or copy it.
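The binding described above can be shown in a short Go sketch. This is an added example, not Guestline's code: a simplified WebAuthn-style sign-in response, signed with Ed25519 and checked the way a server for the genuine page would check it. The origins, the challenge value and all function names are constructed for illustration, and the message layout is reduced to the fields that matter here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

const realOrigin, fakeOrigin = "https://login.hotel.test", "https://login.phish.test" // constructed names
type clientData struct{ Type, Challenge, Origin string }

func signedBytes(authData, cdj []byte) []byte { // what the key signs: authData || SHA-256(clientDataJSON)
	h := sha256.Sum256(cdj)
	return append(append([]byte{}, authData...), h[:]...)
}

// assertion models browser plus authenticator: the browser, not the user, records the page origin.
func assertion(priv ed25519.PrivateKey, origin, challenge string) (cdj, authData, sig []byte) {
	cdj = []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":%q,"origin":%q}`, challenge, origin))
	h := sha256.Sum256([]byte(strings.TrimPrefix(origin, "https://"))) // hash of the site the key is scoped to
	authData = append(h[:], 0x05, 0, 0, 0, 1)                         // flags UP|UV, signature counter 1
	return cdj, authData, ed25519.Sign(priv, signedBytes(authData, cdj))
}

// verify is the server-side check made by the genuine sign-in page.
func verify(pub ed25519.PublicKey, cdj, authData, sig []byte, challenge string) error {
	var cd clientData
	want := sha256.Sum256([]byte(strings.TrimPrefix(realOrigin, "https://")))
	switch {
	case json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return fmt.Errorf("bad client data or stale challenge")
	case cd.Origin != realOrigin:
		return fmt.Errorf("origin %q is not the sign-in page", cd.Origin)
	case len(authData) != 37 || string(authData[:32]) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ed25519.Verify(pub, signedBytes(authData, cdj), sig):
		return fmt.Errorf("signature does not cover this data")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	for _, o := range []string{realOrigin, fakeOrigin} {
		cdj, ad, sig := assertion(priv, o, "c-123")
		fmt.Println(o, "->", verify(pub, cdj, ad, sig, "c-123"))
	}
}
```

A response produced on any other page carries that page's origin inside the signed data, so the server rejects it, and rewriting the origin afterwards invalidates the signature. A typed OTP code has no equivalent field.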


The key benefits at a glance

Phishing-resistant by design

Unlike OTP, Passkeys cannot be captured and replayed by a fake website. The authentication is bound to our real login page — it simply will not function anywhere else.

Nothing to type, nothing to lose

There is no code to read out, enter into a form, or inadvertently share. Login becomes a quick tap or touch rather than a manual process.

Faster logins for your team

Staff spend less time fumbling with phones and authenticator apps. A touch of a key or a fingerprint confirmation is all that is needed.

Works for shared environments

A physical security key can be shared across a team at a workstation without requiring individuals to have their own mobile device to hand — ideal for hotel front desk and back office settings.

Reduces risk to your business

Account compromise via phishing is one of the most common causes of data breaches in hospitality. Passkeys remove the primary attack vector.


How to make the move

The process is straightforward and can be completed in a few minutes per user.

Step 1 — Decide which passkey method suits your team

You have two options:

  • Mobile device passkey — uses an Android or iOS phone or tablet that your staff already carry. No additional hardware purchase required.

  • Physical security key — a USB device such as a YubiKey. Recommended where staff do not carry personal devices, or where a shared key at a workstation makes more sense.

Step 2 — Your admin resets the user’s current OTP MFA

As users are already enrolled in OTP, the existing MFA method must be cleared before a new one can be set up. An admin user, with user management rights, needs to reset the OTP MFA for the relevant user via the standard MFA reset process in the platform. Once reset, the user will be prompted to enrol in a new MFA method on their next login.

📌 Note: Only admin users who themselves have MFA enabled can perform this action.

Step 3 — The user enrols in Passkey MFA

On their next login, the user will be prompted to choose an MFA method. They should select Passkey Key.

If using a mobile device:

  1. Select iPhone, iPad, or Android device and scan the QR code displayed on screen.

  2. Follow the prompts on the mobile device to create and confirm the passkey, using fingerprint, face ID, or PIN.

  3. Name the passkey when prompted and click Continue.

If using a physical security key:

  1. Insert the security key into the USB port when prompted.

  2. If it is new, set up a PIN for it now. If previously set up, enter the existing PIN.

  3. Touch the key when prompted.

  4. Name the key when prompted and click Continue.


Frequently Asked Questions (FAQs)

What if a staff member loses their security key or phone?

Your admin can reset the user’s MFA following the same process as Step 2. The user will then be prompted to enrol a new key or device on their next login.

Can we use a mix of OTP and passkey across our team?

Yes. You can migrate users individually, so there is no requirement to switch everyone at once. We recommend prioritising users with admin or elevated privileges first.

What if we use Trusted Browsers alongside OTP?

Passkeys can actually replace the need for Trusted Browsers in many scenarios, as a shared physical security key at a workstation achieves a similar outcome while providing stronger security. If you currently rely on Trusted Browsers, speak to us about whether passkeys might be a better fit.
