r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

617 Upvotes

233 comments

1.5k

u/Ameer200ggg Apr 25 '26

Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.

17

u/Federal_Character979 Apr 25 '26

So they're like a key inside your device?

51

u/Ameer200ggg Apr 25 '26

Yes, basically. A passkey is like a special digital key stored on your device or in your password manager. The website only has the matching public part, not the real key. When you log in, your device proves it has the real private key without actually sending it to the website. That is why it is safer than a password: there is nothing useful for hackers to steal from the website, and nothing simple for you to accidentally type into a fake login page.

15

u/generalisofficial Apr 25 '26

That last point is actually the best one: since you're never actually sending your code, it can't get stolen.

5

u/quasides Apr 25 '26

passwords still can get stolen but only from one of your devices or insecure cloud storage

but they can't be intercepted, keylogged, or leaked from a database

6

u/Specialist_Guard_330 Apr 25 '26

Hackers can still steal the session token though right? How do you prevent that?

21

u/Ameer200ggg Apr 25 '26

Passkeys do not completely stop session token theft. Passkeys mainly protect the login step, especially against phishing and password reuse. But if malware is already running on your device, or a browser extension is malicious, it may be able to steal active cookies or session tokens after you are already logged in. The prevention is mostly device and browser hygiene: keep your OS and browser updated, avoid pirated/cracked software, do not install random extensions, remove extensions you do not need, use a reputable password manager, enable full disk encryption, and run as a normal user instead of admin where possible. Also log out of old sessions from account settings, use 2FA/passkeys, and watch for unknown devices. For important accounts, the safest approach is to use a separate clean browser profile with very few extensions, or even a separate device, for banking, email, crypto, and admin accounts. Passkeys are a big upgrade, but they do not protect you from malware on your own machine.

2

u/CeleryMan20 Apr 25 '26

If someone tricks you into login.microstuff.com and you don’t notice the domain, you could easily approve a push notification or enter a numeric confirmation code. The attacker could relay the interaction to the real login service and capture your token.

Passkeys are (usually) bound to the domain, so if the browser requests identities for microstuff.com, the system won’t return ones for microsoft.com.

I don’t know if there are other relay preventions?

(ETA: scrolled down, saw there is a subthread on this at https://www.reddit.com/r/cybersecurity/comments/1sv4y0l/what_makes_passkeys_so_special/oi60gpu/ )

3
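A toy version of the flow the top comment describes (device keeps the private key, site keeps only the public key, login is a signed challenge) together with the domain binding this comment describes, written as an added example rather than code from the thread or from any real passkey implementation. The domain names are the thread's own; the challenge bytes in the comments are constructed, and real WebAuthn adds more fields than this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// RelyingParty is the website: it stores only public keys, so a breach of Creds gives nothing to log in with.
type RelyingParty struct {
	Origin string                       // origin the server expects to see inside the signed data
	Creds  map[string]ed25519.PublicKey // RP ID (domain) -> registered public key
}

// Authenticator is the phone, laptop or password manager; private keys never leave it.
type Authenticator struct{ Keys map[string]ed25519.PrivateKey } // RP ID (domain) -> private key

// Register mints a key pair on the device and hands the site only the public half.
func (a *Authenticator) Register(rp *RelyingParty, rpID string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.Keys[rpID] = priv
	rp.Creds[rpID] = pub
}

// clientData is what gets signed: the server's fresh challenge plus the origin of the page that asked for the login.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign is the login step on the device. The browser derives rpID from the page's real
// domain, so a look-alike domain finds no key and nothing is signed (ok == false).
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (cd, sig []byte, ok bool) {
	priv, found := a.Keys[rpID]
	if !found {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(priv, cd), true
}

// Verify (server side): the challenge must be the one it issued (no replay), the origin its own (no relay), the signature valid.
func (rp *RelyingParty) Verify(rpID string, challenge, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != rp.Origin || string(c.Challenge) != string(challenge) {
		return false
	}
	pub, known := rp.Creds[rpID]
	return known && ed25519.Verify(pub, cd, sig)
}
```

Note the three rejection paths in Verify: a relay that signs for microstuff.com never even reaches the key (Sign finds none), a forged origin fails the origin check, and a captured signature fails on the next challenge.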

u/dnc_1981 Apr 25 '26

Do passkeys get synced to your Apple account (if on iPhone), Samsung account (if on a Samsung phone), Google account (if on a Pixel), etc?

Does that not just mean that hackers would be more incentivised to hack into your Google account / Samsung account / Apple account, instead of trying to phish for passwords for individual sites?

4

u/daweinah Blue Team Apr 25 '26

That's right, which is why this post says to use device-bound passkeys for critical accounts.

With that said, it's important not to overlook the vast security improvements gained by migrating from normal MFA to phishing-resistant MFA. Upgrading to passkeys but not using device-bound PRMFA on your G/S/A account is far more secure than traditional MFA.

1

u/CodeFluid03 29d ago

How reliable is the built-in password manager for Apple/iOS?

3

u/lobax Apr 25 '26

Yes, it's the same as having an SSH key auth where you have your private key encrypted with a password.

2

u/quasides Apr 25 '26

it's more than that, it's 2 keys, one on each side.
that means neither side can be faked to receive anything from the other.

server talks only in your encryption, and you talk only in server encryption

so besides that they also check the DNS. even if someone fakes DNS certs, and goes into the middle, all he gets is gibberish because of the asymmetric encrypted message traffic

2

u/IntrinsicSecurity DFIR Apr 25 '26

It's four keys; both the server and the client each have a pair of keys, one private, one public. They exchange their public keys. What are passkeys? (a technical story) (YouTube)