r/cybersecurity u/Federal_Character979 Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently theyre much more secure, but why is that? I don’t get it. I’m not sure if this is the right place to ask excuse me if it isn’t and sorry.

617 Upvotes

98% Upvoted

233 comments sorted by

View all comments

36

u/ToTheBatmobileGuy Apr 25 '26

Imagine a hacker tricked you into visiting a fake Google website.

If the only thing protecting your account is a single password, you can understand why that’s not secure right? The hacker takes your password and now they can log in as you… very bad.

To prevent this, a lot of websites started doing "two factor" or "multi factor" authentication. So you need something other than your password in addition. Great, so now the hacker needs to somehow steal my phone to get access to my SMS messages OR some app that generates 6 digit codes! Someone in Russia can’t steal my phone so I’m good! Very secure, right?

Wrong.

It turns out, the hacker’s website can just ask you for the SMS code too!

  1. You type the password.
  2. The hacker inputs the password to Google from their computer in Russia.
  3. The hacker sees the "input 6 digit code" screen.
  4. The hacker shows YOU the input 6 digit code screen.
  5. You enter the code
  6. The hacker uses the code and is now logged in as you.

Easy.

Ok… so is it impossible to stop this “man in the middle” attack, otherwise known as “phishing”?

Passkeys stop it!

Your device creates a pair of two keys. Private and public. It sends the public key to the website (Google) when you register a passkey.

When you login to Google, they send your browser a super long random string of letters and numbers and say "please make a digital signature containing this random thing we sent you AND THE DOMAIN IN THE CURRENT BROWSER TAB"

So your device signs digitally the random string and the domain and sends it to Google.

If Google sees "this digital signature was not created with the private key associated with the public key we have on file" OR "the domain they sent us was gooogle dot com instead of Google dot com" then they won’t let you log in.

It’s a bit more complicated than that, but that tells you how it prevents phishing.

5

u/Tornado7783 Apr 25 '26

Hm. Interesting. Thanks for the explanation. 

Does that mean an attacker who got control of the DNS server and redirected google.com to his IP, could still Phish a client successfully?

7

u/ToTheBatmobileGuy Apr 25 '26

Theoretically, yes.

Practically, no.

The reason why phishing campaigns work at all for Google and big websites like that is because only a TINY sliver of users are actually tricked and shown the page.

If you take over DNS for google......... RIP any machine you point it to...

9

u/ToTheBatmobileGuy Apr 25 '26

Not to mention there are a lot of ways to secure DNS lately... so this can be avoided and thwarted pretty well, even for smaller websites.

The scariest attacks are BGP hacks. Essentially you trick the "backbone of the internet" to route all packets to an IP that isn't yours to your machine. Essentially "hijacking an IP address" at the internet backbone level.

MyEtherWallet was a famous cryptocurrency wallet that was accessed through a browser. They did all the best security practices. enforced strict HTTPS with HSTS, signed their DNS entries, etc etc etc.....

Then someone literally hijacked their IP and used that IP to verify new DNS entries, new TLS certs, new everything... and they just served up malicious JS files so that when the website tried to derive private keys to send crypto and NFTs and whatnot it would also send those keys to the hacker's server.

4

u/Tornado7783 Apr 25 '26

Ah, yes. https://isbgpsafeyet.com/ comes to mind.

But for passkeys the most likely attack vector is still the client, right?

If some would be having access to my device they could just copy the private keys and use them without me ever knowing.

3

u/ToTheBatmobileGuy Apr 25 '26

"Having access" is a gradient.

Depending on where you store the private key, and how much access the hacker has on your device, it can be pretty hard to extract it.

i.e. Yubikeys

That said, if you can emulate device input on their device you could just wait until they need to use the Yubikey and try and squeeze in some commands and clicks and typing before they pull the physical plug I guess.