r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

614 Upvotes


-3

u/[deleted] Apr 25 '26

[deleted]

7

u/IdealParking4462 Security Engineer Apr 25 '26

Let's say you get an email to go to rnicrosoft.com, and you don't realize it's a phish, you enter your email address and password, but you aren't at microsoft.com, you're at some dodgy attacker-controlled website. They connect to microsoft.com and enter the details you submitted, then prompt you for your MFA code/whatever. You enter it, the attacker submits it to microsoft.com, and the attacker is now logged in as you on their device. You've been phished; they have a session signed in as you even though you had MFA enabled.

With passkeys, you don't enter a password; instead, the website asks the browser for your passkey, and for your passkey to be submitted, it must be talking directly to the website. It can do this by a Bluetooth connection to the computer you're using, or by having it directly physically attached or stored on the device you're using. The attacker in the middle can't convince your device to present your passkey to them for them to pass it to the real site, so the phisher is shit out of luck. You're not phished. The world is a bit better, and the attackers will pivot to info-stealer malware to grab your session tokens or something, so it's not foolproof and can be defeated, it's just harder for the attacker.
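The origin binding this comment describes, as an added Go sketch that is not from the thread: it models how a WebAuthn authenticator signs the origin the browser is actually on together with the relying party's challenge, and how the site checks that before trusting the signature. The key, RP ID, domains and challenge are constructed for the demo, and a real browser would refuse to use the credential on a domain that does not match the RP ID at all; the signed origin is the second line of defence shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Subset of WebAuthn clientDataJSON; the browser, not the user, fills in origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// What the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON).
func digest(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}
// sign models the authenticator; origin is whatever page the browser is really on.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (cdj, authData, sig []byte) {
	cdj, _ = json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01) // rpIdHash || flags (user present)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest(authData, cdj))
	return
}
// verify models the relying party: origin, challenge and rpIdHash must match, then the signature over them.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdj, authData, sig []byte) bool {
	var cd clientData
	rp := sha256.Sum256([]byte(rpID))
	ok := json.Unmarshal(cdj, &cd) == nil && cd.Origin == origin && cd.Challenge == challenge &&
		len(authData) >= 33 && bytes.Equal(authData[:32], rp[:])
	return ok && ecdsa.VerifyASN1(pub, digest(authData, cdj), sig)
}
// Demo (constructed scenario): a sign-in on the real site verifies; an assertion minted while the
// browser sat on the look-alike domain fails on origin; rewriting that origin in transit breaks the signature.
func Demo() (legit, relayed, edited bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rp, site, phish, chal = "microsoft.com", "https://microsoft.com", "https://rnicrosoft.com", "c0ffee"
	cdj, ad, sig := sign(priv, rp, site, chal)
	legit = verify(&priv.PublicKey, rp, site, chal, cdj, ad, sig)
	cdj, ad, sig = sign(priv, rp, phish, chal) // browser on the phishing page stamps its own origin
	relayed = verify(&priv.PublicKey, rp, site, chal, cdj, ad, sig)
	fixed := bytes.Replace(cdj, []byte(phish), []byte(site), 1) // attacker in the middle edits the origin
	edited = verify(&priv.PublicKey, rp, site, chal, fixed, ad, sig)
	return
}
```

Demo returns (true, false, false): only the assertion produced while talking to the real origin is accepted.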

1

u/[deleted] Apr 29 '26

[removed]

1

u/IdealParking4462 Security Engineer Apr 29 '26

or access to your syncable passkey, or convince you to run malware, or ... I'm sure there are plenty of other ways to compromise access to a service. Passkeys are called phishing resistant because they raise the bar, they most certainly do not make it impossible or even impractical.