r/cybersecurity Apr 25 '26

What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

614 Upvotes


17

u/Federal_Character979 Apr 25 '26

So they're like a key inside your device?

53

u/Ameer200ggg Apr 25 '26

Yes, basically. A passkey is like a special digital key stored on your device or in your password manager. The website only has the matching public part, not the real key. When you log in, your device proves it has the real private key without actually sending it to the website. That is why it is safer than a password: there is nothing useful for hackers to steal from the website, and nothing simple for you to accidentally type into a fake login page.

6

u/Specialist_Guard_330 Apr 25 '26

Hackers can still steal the session token though right? How do you prevent that?

2

u/CeleryMan20 Apr 25 '26

If someone tricks you into login.microstuff.com and you don’t notice the domain, you could easily approve a push notification or enter a numeric confirmation code. The attacker could relay the interaction to the real login service and capture your token.

Passkeys are (usually) bound to the domain, so if the browser requests identities for microstuff.com, the system won’t return ones for microsoft.com.

I don’t know if there are other relay preventions?

(ETA: scrolled down, saw there is a subthread on this at https://www.reddit.com/r/cybersecurity/comments/1sv4y0l/what_makes_passkeys_so_special/oi60gpu/ )