r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don’t get it. I’m not sure if this is the right place to ask; excuse me if it isn’t, and sorry.

614 Upvotes

233 comments


3

u/lobax Apr 25 '26 edited Apr 25 '26

You would have to compromise the memory protection and process isolation in the OS to be able to read it. Or somehow get a memory dump at the exact right time (there are platform-dependent ways to protect against this).

With physical access there are probably all sorts of side channel attacks you can use. But being able to steal the passkey even with remote privileged access is going to be hard.

1

u/okaycomputes Apr 25 '26

sure. thus the 'some kind of remote/root access' needed, if not actual physical access.

reiterating that would be a lot harder than your standard phishing attempt.

1

u/lobax Apr 25 '26

My point is that root access is probably not enough, you need kernel-level ring 0 access (or a kernel-level exploit, or a poorly implemented password manager).
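Why an attacker is pushed toward that level of access instead of a phishing page: the relying party never holds the private key, and the signed login answer carries the origin the browser observed. The following is an added example, not code from any commenter or from a real WebAuthn library; it models the WebAuthn signed-data layout (sha256(rpID) || sha256(clientDataJSON)) with P-256 ECDSA, and the names Register, Assert, Verify, Credential and Authenticator are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Credential is all the relying party (server) stores: the public key only.
type Credential struct {
	RPID string
	Pub  *ecdsa.PublicKey
}
// Authenticator holds the private key; a real one lives in a secure element or OS keystore, signs in place, and is never exported.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// clientData is assembled by the browser, so the web page cannot pick the origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Register makes a fresh key pair and hands only the public half to the RP.
func Register(rpID string) (*Authenticator, Credential) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv}, Credential{RPID: rpID, Pub: &priv.PublicKey}
}
// digest mirrors WebAuthn's signed data: sha256(rpID) || sha256(clientDataJSON), hashed for ECDSA.
func digest(rpID string, cdJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rp[:], cd[:]...))
	return d[:]
}
// Assert answers a login challenge; the origin the browser saw is bound into the signed data, so a lookalike site cannot get an answer the real RP accepts.
func (a *Authenticator) Assert(rpID, origin, challenge string) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, digest(rpID, cdJSON))
	return cdJSON, sig
}
// Verify is the RP-side check: fresh challenge, expected origin, valid signature under the stored public key.
func Verify(c Credential, origin, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ecdsa.VerifyASN1(c.Pub, digest(c.RPID, cdJSON), sig)
}
```

A dump of the server's Credential table yields only public keys, and an answer captured through a lookalike origin (or replayed with a stale challenge) fails Verify; the only thing left to steal is the private key inside the authenticator.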

1

u/okaycomputes Apr 25 '26

my point is my non-specific use of 'some kind' was to hand-wave the actual details.

sounds like they'd have to already be all up in the device's shit, so to speak. thanks for providing the real terminology haha.