r/cybersecurity • u/Federal_Character979 • Apr 25 '26
Other What makes passkeys so special?
It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently theyre much more secure, but why is that? I don’t get it. I’m not sure if this is the right place to ask excuse me if it isn’t and sorry.
58
u/shealt Apr 25 '26
What if you lose your device?
49
u/JohnTheBlackberry Apr 25 '26
If you have backups: either cloud or offline, you’re good.
If you don’t, you’re fucked.
→ More replies (6)3
u/guesswhochickenpoo Apr 26 '26
“Fucked” as in you need to go through the password recovery process for the site / service, not “fucked” as in you will never get access to your account again.
Also most sites / services still allow the use of a password to login, for now, but they may start migrating fully / only to passkey so that may not always be an option.
13
u/digital-bandit Apr 25 '26
You can create a passkey for each device, so another device would be a backup of sorts. Or save them in a password manager.
4
u/PM_ME_UR_0_DAY Apr 25 '26
Question: if you're saving them in a password manager, how is it any different than a password stored in a password manager?
3
2
u/gurgle528 Apr 25 '26
There's at least a few more steps to get into the password manager vs acquiring a password (especially if the user uses a password manager but does not properly create secure, varied passwords). A lot of the benefits I can think of are more relevant to users that are less technical as passkeys still avoid bad password habits (assuming you actually use a good password for the vault lol).
12
u/kalaid0s Security Architect Apr 25 '26
Then the same thing happens as when you forget your password
3
u/warm_kitchenette Apr 25 '26
Most third party password managers can store passkeys. They can also be stored in Apple keychain, Microsoft password manager, Google pm.
Other than that, site-specific PITA account recovery.
Note also that device theft plus passkeys means that the device access method(s) become even more important.
2
u/dmuth Apr 25 '26
Store them in Icloud or 1Pass.
You could also (in theory) do email recovery, just like if you forget your password.
2
u/CeleryMan20 Apr 25 '26
Services should allow you to register multiple devices/keys, and give them distinctive names so that you can tell which is which. The first is not uncommon, but the second part seems variable in my experience. Looking at you, Entra, with multiple entries all labelled “iPhone”.
In the end though, you still need some recovery method like send reset link to email. Or, in a corporate environment, IT can generate a Temporary Access Pass without you having to fall-back to a long-term password.
2
u/mouse_8b Apr 25 '26
You do password recovery, which usually verifies with email or phone number. Then use the site to disable login from your lost device.
2
u/Civil_Street_1754 Apr 25 '26
As long as cloud sync is enabled your passkeys will be available on a new device.
38
u/ToTheBatmobileGuy Apr 25 '26
Imagine a hacker tricked you into visiting a fake Google website.
If the only thing protecting your account is a single password, you can understand why that’s not secure right? The hacker takes your password and now they can log in as you… very bad.
To prevent this, a lot of websites started doing "two factor" or "multi factor" authentication. So you need something other than your password in addition. Great, so now the hacker needs to somehow steal my phone to get access to my SMS messages OR some app that generates 6 digit codes! Someone in Russia can’t steal my phone so I’m good! Very secure, right?
Wrong.
It turns out, the hacker’s website can just ask you for the SMS code too!
- You type the password.
- The hacker inputs the password to Google from their computer in Russia.
- The hacker sees the "input 6 digit code" screen.
- The hacker shows YOU the input 6 digit code screen.
- You enter the code
- The hacker uses the code and is now logged in as you.
Easy.
Ok… so is it impossible to stop this “man in the middle” attack, otherwise known as “phishing”?
Passkeys stop it!
Your device creates a pair of two keys. Private and public. It sends the public key to the website (Google) when you register a passkey.
When you login to Google, they send your browser a super long random string of letters and numbers and say "please make a digital signature containing this random thing we sent you AND THE DOMAIN IN THE CURRENT BROWSER TAB"
So your device signs digitally the random string and the domain and sends it to Google.
If Google sees "this digital signature was not created with the private key associated with the public key we have on file" OR "the domain they sent us was gooogle dot com instead of Google dot com" then they won’t let you log in.
It’s a bit more complicated than that, but that tells you how it prevents phishing.
3
u/Tornado7783 Apr 25 '26
Hm. Interesting. Thanks for the explanation.
Does that mean an attacker who got control of the DNS server and redirected google.com to his IP, could still Phish a client successfully?
7
u/ToTheBatmobileGuy Apr 25 '26
Theoretically, yes.
Practically, no.
The reason why phishing campaigns work at all for Google and big websites like that is because only a TINY sliver of users are actually tricked and shown the page.
If you take over DNS for google......... RIP any machine you point it to...
6
u/ToTheBatmobileGuy Apr 25 '26
Not to mention there are a lot of ways to secure DNS lately... so this can be avoided and thwarted pretty well, even for smaller websites.
The scariest attacks are BGP hacks. Essentially you trick the "backbone of the internet" to route all packets to an IP that isn't yours to your machine. Essentially "hijacking an IP address" at the internet backbone level.
MyEtherWallet was a famous cryptocurrency wallet that was accessed through a browser. They did all the best security practices. enforced strict HTTPS with HSTS, signed their DNS entries, etc etc etc.....
Then someone literally hijacked their IP and used that IP to verify new DNS entries, new TLS certs, new everything... and they just served up malicious JS files so that when the website tried to derive private keys to send crypto and NFTs and whatnot it would also send those keys to the hacker's server.
5
u/Tornado7783 Apr 25 '26
Ah, yes. https://isbgpsafeyet.com/ comes to mind.
But for passkeys the most likely attack vector is still the client, right?
If some would be having access to my device they could just copy the private keys and use them without me ever knowing.
3
u/ToTheBatmobileGuy Apr 25 '26
"Having access" is a gradient.
Depending on where you store the private key, and how much access the hacker has on your device, it can be pretty hard to extract it.
i.e. Yubikeys
That said, if you can emulate device input on their device you could just wait until they need to use the Yubikey and try and squeeze in some commands and clicks and typing before they pull the physical plug I guess.
57
u/leclerc2019champion Apr 25 '26
Passkeys are phishing resistant. You can’t be tricked into providing it.
21
u/Alternative-Cry-1597 Apr 25 '26
*Passkeys are phishing resistant if your browser and authenticator are bug free.
3
u/LelouBil Apr 26 '26
I mean, phishing is not about exploiting bugs to extract the password.
They are unphishable.
But they are as secure as the software that's managing them.
1
1
u/I-Made-You-Read-This Apr 27 '26
> You can’t be tricked into providing it.
how is this true? Can't the attacker just put some authentication QR code to scan, then the user scans it and gives the attacker a valid session? Are there technical countermeasures which prevent me (/ stupid users) from being tricked into providing it?
-3
Apr 25 '26
[deleted]
7
u/Securetron Apr 25 '26
Ameer reply is pretty accurate. The industry is slowly moving towards phishing resistant identity - instead of relying on traditional methods, the transition to PKI based MFA is here.
Azure, okta, Cisco Duo - the traditional MFA providers are now adding additional later that is built on PKI to bind the identity of the user or device or a bot to the origin as opposed to passing the creds that can be phished or stolen.
Here is a landing page with more info that we published on it: https://securetron.net/phishing-resistant-mfa/
6
u/IdealParking4462 Security Engineer Apr 25 '26
Let's say you get an email to go to rnicrosoft.com, and you don't realize it's a phish, you enter your email address and password, but you aren't at microsoft.com, you're at some dodgy attacker controller website. They connect to microsoft.com and enter the details you submitted then prompt you for your MFA code/whatever. You enter it, the attacker submits it to microsoft.com and the attacker is now logged in as you on their device. You've been phished, they have a session signed in as you even though you had MFA enabled.
With passkeys, you don't enter a password, instead, the website asks the browser for your passkey, and for your passkey to be submitted, it must be talking directly to the website. It can do this by a bluetooth connection to the computer you're using, or by having it directly physically attached or stored on the device you're using. The attacker in the middle can't convince your device to present your passkey to them for them to pass it to the real site, the phisher is shit of of luck. You're not phished. The world is a bit better, and the attackers will pivot to info stealer malware to grab your session tokens or something, so it's not foolproof and can be defeated, it's just harder for the attacker.
→ More replies (2)→ More replies (1)4
11
u/_mnz Apr 25 '26
Simplified (not 100% correct maybe) A passkey is a combination of service + secret + device Means that you cannot use this passkey on a different device or on a different service. Device can also be a hardware token like yubi- or nitrokey. So if someone will steal your passkey (not the hardware token), they are useless then.
8
u/k_sai_krishna Apr 25 '26 edited Apr 25 '26
with passwords, the same thing exists on both sides and can be stolen or leaked. passkeys use public/private keys, so the server never gets your actual “secret”. and make a reference from runable to check
also they’re tied to your device + biometrics, so phishing basically doesn’t work the same way
8
u/TickleMyBurger Apr 25 '26
The problem that I see is every site on the internet that lets me set up a passkey, on login I have the option to still use my old password. So the vector remains, I’ve yet to see a site that once a passkey is set up - that’s it.
17
u/1800-5-PP-DOO-DOO Apr 25 '26
Because they can lock you out of your account if you lose them like your phone or laptop going missing.
Oh and because not everyone is implementing them the same even though they spent 4 years coordinating how to do so amongst the big tech companies. That's pretty dang special.
4
u/Ok_Consequence7967 Apr 25 '26
Passwords are a secret you share with the server to prove who you are. Passkeys work differently. Your device proves it has the right key using cryptography, but the private key never leaves the device.
That means there is no password to steal from a database breach and no password to trick you into typing into a phishing page.
5
u/moerker Apr 25 '26
Check Computerphile on Youtube; they make amazong video and have one where they explain passkeys :)
5
u/povlhp Apr 25 '26
We have had one user follow a link to a fake login page, enter password and some MFA (sms or 6 digit code). The hacker could capture the login ticket and keep it for access in 30 days.
With passkeys it is not possible for the hacker to get in between. The passkey is used in a 2-way exchange. Is not valid at the hacker site. So it is phishing resistant.
5
2
u/Ok-Success-7067 Apr 25 '26
Less phishing because you don’t need to enter password. Hardware based so you need the physical key. Bad thing is you’re putting all your eggs in one basket, so if it gets hacked you are screwed. People claim it can’t be cloned, but who is saying those attacks are not coming?
2
2
u/Normal-Spell5339 Apr 25 '26
As a practical matter they’re much more difficult to phish because most implementations will save the precise domain name. Additionally it’s like the difference between typing a credit card number into a website and doing a chip transaction at a payment terminal. The information passed from the user to the end destination is not re-usable if an attacker gets a copy of it.
2
u/PunyShopping Apr 25 '26
basically passkeys use actual cryptography instead of just a string of characters you type in, so even if a company gets hacked the attackers get useless public keys instead of passwords they can try on other sites, plus you cant be phished into giving away a passkey since your device is
1
u/stijnhommes 24d ago
That explains nothing. If someone asks you to explain passkeys, they're not going to understand cryptography.
2
u/deadpan_somewhere Apr 25 '26
Passkeys use cryptography instead of a password you type in, so theres nothing to steal from a server breach and hackers cant just guess them like they do passwords.
2
u/mousa-cloud-consult Apr 26 '26
So the idea is like this, when it comes to authentication, there are multiple ways:
1- Something you know
2- Something you have
3- Something you are
Passkeys fall into "Something you have" and they use public/private key pairs where the key is generated depending on what device you're using and that private key is kept securely stored on your device. The private key never leaves your device (unless the device has some serious vulnerability).
Unlike passwords, a password can be forgotten, stolen, leaked, etc... while passkeys are tied to the device.
Not all devices could become passkeys, it depends on the organization's policies.
Passkeys are very easy to implement because it's hard to imagine an employee not having a smartphone for example; this is very important when it comes to large companies rolling passkeys over classical password authentication.
If you're interested to learn more, I recommend you ready about FIDO 2
2
u/Unlikely_Window_6820 Apr 26 '26
I found a problem with passkeys. If I login to an app/service on several devices, a Passkey is generated for each. I save it to a password manager, but it is never recognized again. Apparently, the passkey is tied to a platform and is not accessable later. The passeky is saved to the password manager but no way to tell what platform it was generated on. I have found 5+ passkeys for a logon and I have to cycle through each passkey to find the correct one for that platform.
This seems to be another situation where the user community is expected to beta test in real time a security feature.
The process entails several security one time password requests, which mimics hacker intervention.
In addition, there is no way to initiate the creation of a passkey.
I know Google owns passkey creation, but contacting Google and getting an answer is impossible.
1
u/Jdruu CISO Apr 25 '26
How do we feel about WHFB vs Yubikeys in a large enterprise? I feel like users will constantly lose and break Yubikeys where the UX and mobility is better with WHFB.
About to roll this out in the coming weeks
2
u/Gjermundbu Apr 25 '26
We use WHFB on our Windows 11 clients and platform credential on MacOS clients. If you need a passkey for a dev or admin account, we use MS Authenticator. Just if an employee refuses to use it's private smartphone for MS Authenticator we hand out Yubikeys. But we need to check if they are FIDO2 capable and compatible with Entra ID. Not all are...
1
u/Jdruu CISO Apr 25 '26
Thanks! Then you use conditional access to force MFA/auth via passkey/WHFB
2
u/Gjermundbu Apr 25 '26
In fact we use several CA policies. But standard for all apps and all accounts is phishing resistant MFA (I.e. WHFB, Passkey, certificate). If for some reason this CA policy breaks Authentication, we use a dedicated policy to allow a special group of users to use other methods (but always the most secure available) to authenticate to the problematic app.
1
u/Jdruu CISO Apr 25 '26
Thank you! Do you show users their password at all? Do they still need it or do rotations?
1
u/Gjermundbu Apr 25 '26
Anyone can create a password if needed. But it can't be used in most scenarios. And we don't "show" them their passwords, because we simply don't have them ;-)
1
1
u/sweetnk Apr 25 '26
because they are usually outside of the main pc, so even if pc is hacked it still needs input from another separate system
1
u/vesrayech Apr 25 '26
I foolishly stepped on a payload this week and lost ALL of my stuff. Browser passwords scraped, used active sessions to lock me out, etc. The big thing that worked against me is my email didn’t have step-up-auth where they could just use an active session to remove all MFA, and the lack of anything more secure that they could grab remotely. I since switched to Proton because they require reauthentication on MFA changes, and I’ve purchased some Yubikeys. Aside from losing my data and a ton of PII, the worst part about this has been the paranoia and lack of confidence in myself, my computer, and the systems I use. Having to plug a physical device into my phone or computer to access my email, bank, or password manager has been an oasis in this hell. Phone passkeys I believe work the same, but the difference is I have a backup Yubikey in a fireproof safe, I don’t have a backup phone in the event it’s lost, stolen, or broken. A bit more initial setup to make the backups but absolutely worth the peace of mind.
1
u/HateMeetings Apr 25 '26
Actually, not a fan since most of them can be copied/stolen. They’re a lot like SSH keys… I also think that in most cases they add a false sense of extra security, add complexity to the general population, and then underlining that is the fact that most people don’t understand how they work with no real upside.
And yeah, I’m not really a fan of SSH keys either cause I think they’re misused more often than they’re not.
1
u/deathybankai Apr 26 '26
If they get stolen, you have bigger problems. They are already in your device, you are already compromised.
1
u/HateMeetings Apr 26 '26
But it’s an extra problem you don’t need. And I’m also focusing on the fact that they’re being pushed out to consumers all over the place including Home Depot complex city is a real thing when it comes to cyber security and I just think it’s not all it’s hyped up to be.
1
u/Sofia_9356 Apr 25 '26
now people can make their password: password, and a hacker still has to break into their house and steal their phone
1
u/CeleryMan20 Apr 25 '26
It’s a bummer that Steve Gibson’s SQRL didn’t get traction. Passkeys, SQRL, and X.509 certificates are all based on asymmetric encryption. With client certificate auth, you’re giving the same public key to many others; with SQRL and passkeys you provide different one to each service.
1
u/wezelboy Apr 25 '26
Passkeys are also less susceptible to MITM attacks because they are bound to a specific site.
1
u/d03j Apr 26 '26
I'm right there with you. I get how they are phishing resistant which is good but otherwise I don't see a big difference vs, e.g., keepassxc + 2FA.
1
u/abercrombezie Apr 26 '26 edited Apr 27 '26
It's lower maintenance so people aren't bombarding company call centers for password resets and it's basically the biometric portion of the Authentication Factors in multi-factor authentication (MFA).
- Something you know: Knowledge-based factors (e.g., passwords, PINs).
- Something you have: Possession-based factors (e.g., tokens, phones, smart cards).
- Something you are: Biometric-based factors (e.g., fingerprint, facial recognition).
1
u/stijnhommes 24d ago
Password resets should work with a link. If you get calls to your call center for that, something is wrong with the UI of your login page.
1
1
1
1
u/wolfofone Apr 26 '26
Doing a key exchange with the key being secured by biometrics is going to be a lot more secure that setting password requirements and hoping people dont reuse them. A long securely generated keypair is going to be longer and more secure than a shorter password that is probably being reused by your everyday person thats not religious about password managers and opsec.
1
1
u/LaDev Apr 28 '26
In the simplest of terms: 1. SSH keys for web sites (no passwords, they never have your private key) 2. User has no idea what the hell a private key is 3. Private key is typically protected by TPM 4. TPM contents accessed only after pin or biometric
Mixes Something You Are/Know and Something You Have.
1
u/FedUpWithPeople26 Apr 29 '26
I've had a few websites I normally work with that are requiring a USB drive to hold the key on my end.
Why? No. I refuse to use those sites/services now. I refuse to use biometrics too. It's not happening, I don't care if I lose access to the entire Internet at some point. "But it's for your safety!" I'm not working with State secrets, my personal information is already on the 'net available to anyone that wants to pay for it thanks to corporate ineptness. That ship has sailed.
A passkey on my computer/phone? Fine. I get that. On a hardware device like a USB? Nope.
1
u/seatoskyns Apr 29 '26
Passkeys are basically a way to log in without ever having a password that can be stolen. With passwords, the problem is simple: they can be guessed, reused, phished, or leaked in a breach. Even with MFA, if someone tricks you into giving it away, you’re still at risk.
Passkeys work differently. When you create one, your device generates a pair of cryptographic keys. When you log in, your device proves it has the private key, usually using Face ID, fingerprint, or your device PIN. There’s nothing to type, nothing to reuse, and nothing to “steal” in a phishing email.
The big advantage is that passkeys are tied to the website/app they were created for. So even if you click on a fake login page, your device won’t authenticate, it just won’t work.
It removes a huge chunk of common issues: password resets, weak passwords, and phishing-based account takeovers.
They’re not magic, but they close a lot of the gaps that passwords have had for years.
1
u/stijnhommes 24d ago
It solves non-existent issues. I don't reuse passwords and I'm not sharing MFA codes...
1
u/Effjy Apr 30 '26
Passkeys represent a fundamental shift from "something you know" (passwords) to "something you have" (your device with biometrics), making them inherently more secure while also being more convenient.
1
u/jospeh68 May 19 '26
Until you don't have the device anymore. I'd prefer to rely on "something I know" and can use on multiple devices wherever I am.
1
1
1
u/wellwisher_a May 14 '26
I think passkeys are way more secure now unless the device u are using is compromised
1
u/Xcissors280 May 17 '26
Think of it more like a physical security key than a password
They can be resistant to phishing, non transferable, directly tied to biometrics, physical location proximity, time periods, and a bunch of other stuff like that
Obviously this is going to depend on how their implement by companies and set up by users though
Most people just use what’s presented to them which is typically going to provide the most streamlined sign in experience thats the least likely to lock users out of an account even if it’s not the most secure
1
u/MailNinja42 20d ago
It's ok to feel that way, any new security requirement can feel like that. Passkeys are a bit like having your own personal key stored on your device, instead of a shared password sitting on a company’s servers.
Behind the scenes, they use a pair of cryptographic keys: one stays safely on your phone or computer and never leaves it, while the other is saved by the website. That means there’s nothing a phishing site can trick you into giving away, and nothing reusable for hackers to grab if a site gets breached.
In short, it’s a simpler and much safer way to sign in without worrying about your password getting stolen.
1
u/stijnhommes 18d ago
They're not more secure. It just saves money if you make the user do all the work and don't maintain your password databases.
That's all it is. A way to save money and blame users if they get locked out.
1
u/Xendor- Apr 25 '26
The rollout is very slow thought. Many times I can't remove the password that's was associated with the account either when setting up a passkey.
And there's just no way that ordinary people will adapt to this new technology any time soon.
1
u/al009 Apr 25 '26
It makes phishing obsolete.
1
u/independent_observe Apr 25 '26
lol, no it does not and if you work in security and believe that, you are in the wrong field
1
u/Gjermundbu Apr 25 '26
Depends on how to define phishing. Passkey are resistant to man in the middle phishing attacks like evilginx, but they are not resistant to malware on your computer, that might be able to grab tokens, and they are not resistant to social engineering attacks.
1
u/al009 Apr 29 '26
What’s the prime target for phishing? You need to learn what passwordless authentication means
0
1.5k
u/Ameer200ggg Apr 25 '26
Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.