---
url: 'https://www.corbado.com/blog/passkeys-phishing-resistant'
title: 'Passkeys Phishing: Why Passkeys are Phishing-Resistant'
description: 'Learn why passkeys offer phishing-resistant security, preventing data breaches and credential stuffing by eliminating traditional vulnerabilities.'
lang: 'en'
author: 'Vincent Delitz'
date: '2024-05-20T14:20:30.334Z'
lastModified: '2026-03-25T10:42:43.915Z'
keywords: 'phishing-resistant, phishing-resistance'
category: 'Passkeys Strategy'
---

# Passkeys Phishing: Why Passkeys are Phishing-Resistant

## Key Facts

- **Origin binding** prevents passkey use on fake sites: the private key signs only the
  legitimate Relying Party ID, making phishing technically impossible even if a user
  tries.
- **Stolen credentials** caused 50% of successful breaches in 2022 per the Verizon DBIR,
  while over 13 billion leaked passwords circulate on the darknet.
- Phishing attacks surged **58.2% in 2023** versus 2022, with finance and insurance
  absorbing 27.8% of all attacks, a 393% year-over-year increase.
- Unlike passwords or SMS OTPs, **private keys** never leave the device's secure enclave,
  eliminating shared secrets that phishers can intercept or steal.
- **NIST recognizes synced passkeys as phishing-resistant**, placing them alongside FIDO2
  security keys and smart cards as the only fully phishing-resistant authentication
  methods.

## 1. Introduction: Passkeys & Phishing

Almost no week passes without news of a major [data breach](https://www.corbado.com/glossary/data-breach). What
most of these data breaches have in common is that they are often caused by a rather
simple cyber-attack: [phishing](https://www.corbado.com/glossary/phishing), where attackers trick individuals
into revealing sensitive information.

That's why secure user authentication is more critical than ever. Traditional methods,
such as passwords and SMS-based
[two-factor authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security)
([2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security)), are increasingly vulnerable to sophisticated
cyberattacks. Moreover, the volume of credentials leaked through data breaches is massive,
with over 13 billion leaked passwords available on the darknet. Passkeys, based on the
WebAuthn standard, offer a robust defense against [phishing](https://www.corbado.com/glossary/phishing) and
[credential stuffing](https://www.corbado.com/glossary/credential-stuffing). This blog post focuses on the
relationship between passkeys and [phishing](https://www.corbado.com/glossary/phishing), and answers the
following questions:

- What is phishing, and what types of phishing exist?
- How vulnerable are different authentication methods to phishing?
- Are passkeys phishing-resistant?

## 2. What’s Phishing?

Phishing is a type of social engineering attack designed to **trick victims into
disclosing confidential information**. Cybercriminals often send links to fake websites
that appear legitimate, urging victims to click on them. These counterfeit websites are
crafted to steal sensitive data. For example, a fake website might prompt a victim to
enter their login credentials for what looks like a legitimate company site. However, by
doing so, the victim inadvertently gives their login information to the cybercriminal. The
attacker can then **use these credentials to access the victim’s actual accounts**. Often
the attacker knows that the victim is a user of the impersonated service, either because
it is a service that many people use (e.g. Amazon, DHL) or because the account
relationship has been disclosed in another way (e.g. an IBAN reveals at which bank a user
has an account).

There are various types of [phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed), each
targeting different channels and employing unique tactics:

### 2.1 What’s Email Phishing?

Email phishing is when fraudulent emails that appear to come from legitimate sources are
designed to trick recipients into revealing personal information or clicking on malicious
links.

![passkeys paypal mail phishing](https://www.corbado.com/website-assets/paypal_mail_phishing_956ca18bbc.jpg)_Taken
from
[https://www.phishing.org/phishing-examples](https://www.phishing.org/phishing-examples)_

### 2.2 What’s Spear Phishing?

[Spear phishing](https://www.corbado.com/glossary/spear-phishing) is a more targeted form of phishing where
attackers personalize emails to a specific individual or organization, making the scam
more convincing.

![passkeys spear phishing](https://www.corbado.com/website-assets/spear_phishing_a62d8a0f66.jpeg)_Taken from
[https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing](https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing)_

### 2.3 What’s Whaling?

Whaling is a type of [spear phishing](https://www.corbado.com/glossary/spear-phishing) aimed at high-profile
targets such as executives or senior managers. It often involves fake emails from trusted
sources within the organization.

![passkeys phishing whaling](https://www.corbado.com/website-assets/whaling_72cf1028ae.jpeg)_Taken from
[https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing](https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing)_

### 2.4 What’s Smishing (SMS Phishing)?

Smishing (SMS phishing) is a phishing attack conducted through SMS text messages, which
may contain malicious links or requests for personal information.

![passkeys netflix smishing](https://www.corbado.com/website-assets/netflix_smishing_e1036f9d8a.jpg)_Taken from
[https://www.devfuzion.com/smishing-what-you-need-to-know-about-text-scams](https://www.devfuzion.com/smishing-what-you-need-to-know-about-text-scams)_

### 2.5 What’s Vishing (Voice Phishing)?

[Vishing](https://www.corbado.com/glossary/vishing) (voice phishing) is a phishing attack conducted over the
phone, where attackers impersonate legitimate entities to extract personal information or
financial details.

### 2.6 What’s Clone Phishing?

Clone phishing involves duplicating a legitimate email that the victim has received in the
past, then resending it with malicious links or attachments.

![passkeys clone phishing](https://www.corbado.com/website-assets/clone_phishing_5f5164248f.png)_Taken from
[https://uk.norton.com/blog/online-scams/clone-phishing](https://uk.norton.com/blog/online-scams/clone-phishing)_

### 2.7 What’s Pharming?

Pharming redirects users from legitimate websites to fraudulent ones without their
knowledge, often by exploiting [vulnerabilities](https://www.corbado.com/glossary/vulnerability) in DNS (Domain
Name System) settings.

![passkeys phishing pharming](https://www.corbado.com/website-assets/pharming_41d929727d.png)_Taken from
[https://www.valimail.com/guide-to-phishing/phishing-vs-pharming](https://www.valimail.com/guide-to-phishing/phishing-vs-pharming)_

### 2.8 What’s Man-in-the-Middle Phishing?

Man-in-the-middle phishing is when attackers intercept and modify communications between
two parties without their knowledge, often to steal sensitive information or credentials.

### 2.9 What’s Social Media Phishing?

Social media phishing involves [phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed) that
occur on social media platforms, where attackers create fake profiles or send direct
messages to trick users into revealing personal information. Brands can prevent this by
adopting strong measures to
[stop online impersonation](https://www.spikerz.com/impersonators).

![passkeys social media phishing](https://www.corbado.com/website-assets/social_media_phishing_df4f2a1a21.png)_Taken
from
[https://www.proofpoint.com/us/threat-insight/post/fraudulent-social-media-accounts-continue-phish-banking-credentials](https://www.proofpoint.com/us/threat-insight/post/fraudulent-social-media-accounts-continue-phish-banking-credentials)_

### 2.10 What’s Malvertising?

Malvertising uses malicious online advertisements to direct users to phishing sites or
deliver [malware](https://www.corbado.com/glossary/malware). This can damage your system, make your computer
unstable, or even cause it to act on its own - for example, moving the
[cursor](https://macpaw.com/how-to/mac-cursor-moving-on-its-own) without your input.

![passkeys phishing malvertising](https://www.corbado.com/website-assets/malvertising_7f04d09a54.png)_Taken from
[https://www.geeksforgeeks.org/what-is-malvertising](https://www.geeksforgeeks.org/what-is-malvertising)_

### 2.11 What’s Search Engine Phishing?

Search engine phishing is when attackers create fake websites that appear in search engine
results, luring users to visit and enter sensitive information.

![search engine phishing](https://www.corbado.com/website-assets/search_engine_phishing_91b206ce2d.png)_Taken
from
[https://www.keepersecurity.com/blog/2023/04/12/what-is-search-engine-phishing](https://www.keepersecurity.com/blog/2023/04/12/what-is-search-engine-phishing)_

### 2.12 What’s Pop-Up Phishing?

Pop-up phishing uses pop-up windows on legitimate websites to trick users into entering
personal information or downloading [malware](https://www.corbado.com/glossary/malware).

## 3. The Vulnerabilities of Traditional Authentication Methods

Traditional authentication methods, such as passwords and SMS-based
[two-factor authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security)
([2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security)) are widely used nowadays. However, these methods
(and more – see below) are increasingly vulnerable to various
[phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed). Cybercriminals
[exploit](https://www.corbado.com/glossary/exploit) weaknesses in these systems, often with alarming success.

Here’s an overview of authentication methods and their phishing-resistance.

| **Authentication method**             | **Phishing-Resistant** | **Explanation**                                                                                            |
| ------------------------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------- |
| Password                              | ❌                     | Passwords can be easily phished through fake websites and social engineering.                              |
| SMS OTP                               | ❌                     | SMS OTPs can be intercepted or phished through fake websites and SIM swapping.                             |
| Email OTP                             | ❌                     | Email OTPs can be phished by tricking users into entering codes on malicious sites.                        |
| Email magic link                      | ❌                     | Email magic links can be phished by intercepting the link through email compromise.                        |
| Social logins (e.g. Google, Facebook) | ❌                     | Social logins can be phished by tricking users to log in via fake OAuth prompts.                           |
| SSO                                   | ✅/❌                  | SSO can be phishing-resistant if implemented with strong authentication methods like FIDO2 or smart cards. |
| TOTP (e.g. Google Authenticator)      | ❌                     | TOTPs can be phished if the attacker tricks the user into providing the code.                              |
| Push Notification (e.g. Authy, Duo)   | ❌                     | Push notifications can be phished through fake prompts or social engineering.                              |
| Passkey                               | ✅                     | Passkeys use public-key cryptography and are bound to the origin, preventing phishing.                     |
| FIDO2 Security Key                    | ✅                     | FIDO2 security keys use origin-bound keys and challenge-response, making them phishing-resistant.          |
| Smart Card                            | ✅                     | Smart cards use secure elements and are resistant to phishing.                                             |

Phishing remains a significant threat. According to the
[Zscaler ThreatLabz 2024 Phishing Report](https://www.zscaler.de/resources/industry-reports/threatlabz-phishing-report-2024.pdf):

- Phishing attacks surged by 58.2% in 2023, compared to 2022, reflecting the growing
  sophistication and persistence of threat actors.
- [Vishing](https://www.corbado.com/glossary/vishing) (voice phishing) and deepfake phishing attacks are on the
  rise as attackers leverage generative AI to amplify social engineering tactics.
- The US, UK, India, Canada, and Germany were the top five countries targeted by phishing
  attacks.
- The finance and [insurance](https://www.corbado.com/passkeys-for-insurance) industry faced 27.8% of overall
  phishing attacks, the highest concentration among industries and a staggering 393%
  year-over-year increase. Manufacturing followed closely behind at 21%.

## 4. Why is phishing such a big problem today?

In 2024, phishing is still such a big problem because it targets the most vulnerable link
in the security chain: humans. Despite advancements in cybersecurity technology, the human
element remains susceptible to manipulation and error. Here’s why phishing is such a
pervasive issue:

### 4.1 Humans are a Vulnerability

Despite advancements in [cybersecurity tools](https://softwarefinder.com/cybersecurity),
humans are often the weakest link. Cybercriminals [exploit](https://www.corbado.com/glossary/exploit) this by
using social engineering techniques to trick individuals into revealing sensitive
information. This is not just a technical challenge but a human one, requiring effective
communication, advice, and mentoring within organizations.

### 4.2 Phishing Mistakes are Inevitable

Even the most well-intentioned individuals can make mistakes. It only takes one click on a
malicious link or the reuse of a password to compromise an organization’s security.

### 4.3 All Employees & Customers Share Responsibility to Prevent Phishing

The responsibility for cybersecurity extends beyond the security team to all employees and
even customers. Effective security measures should be easy to use, minimizing the effort
required by individuals to follow them. Convenience leads to compliance, which enhances
overall security.

### 4.4 Complexity vs. Convenience (Users Favor Simple Things)

Effective security measures must be both robust and user-friendly. When security protocols
are overly complex, individuals are more likely to circumvent them for convenience.
Studies show that a significant percentage of employees knowingly break security policies
to maintain productivity. This issue isn't new: an RSA survey from 2008 found that while
employees understood security policies, many were willing to break the rules for
convenience. Similarly, a 2022 Harvard Business Review study found that 67% of employees
knowingly violated security policies, with 85% citing productivity reasons. This tendency
underscores the need for security solutions that integrate seamlessly into daily workflows
without adding undue burden.

### 4.5 Psychological Factors Play a Role

Under pressure, employees might view violating security rules as an acceptable risk. In
their personal lives, the perceived lower stakes often lead people to neglect good
security practices, falsely believing they are too insignificant to be targeted. If people
aren't following best practices at work, they are even less likely to do so in their
private lives.

### 4.6 Credential-Based Attacks are on the Rise

Identity-related breaches are a major concern, with a notable rise in credential-related
phishing attacks. In 2022, there was a 61% spike in such attacks, with stolen credentials
responsible for 50% of successful breaches according to the Verizon
[Data Breach](https://www.corbado.com/glossary/data-breach) Investigations Report. Passwords, as a primary line
of defense, are increasingly inadequate in a highly interconnected world.

### 4.7 Rise of Remote Work and Digital Reliance

The shift towards remote and hybrid work models, accelerated by the pandemic, has expanded
the attack surface for cyber threats. The increased reliance on digital technologies in
both professional and personal spheres has made identity protection even more critical.
Phishing attacks [exploit](https://www.corbado.com/glossary/exploit) this expanded digital footprint, targeting
individuals across various platforms and services.

### 4.8 Escalating Cyber Threat

The frequency and sophistication of cyberattacks have surged in recent years, fueled by
the rise of [Phishing-as-a-Service](https://www.corbado.com/blog/phishing-as-a-service) platforms. In 2022 alone,
there were over 500 million phishing attempts reported globally. The FBI's Internet Crime
Complaint Center received nearly 60,000 phishing-related complaints, while the 2023 Thales
Global Data Threat Report indicated that 41% of respondents observed an increase in
phishing attacks. These statistics illustrate the pervasive and growing nature of the
threat.

### 4.9 Reputational Damage and Trust

Beyond the immediate financial and data losses, phishing attacks can cause severe
reputational damage. Compromised sensitive information can erode customer trust, leading
to long-term repercussions for organizations. This aspect of the threat landscape makes it
crucial to adopt comprehensive security measures that safeguard both internal data and
external user information.

### 4.10 Increasing Number of Data Breaches

The number of data breaches has surged, revealing vast amounts of sensitive information
about victims. This exposed data significantly improves cybercriminals' ability to target
individuals and organizations with precision. Personal details obtained from breaches are
often sold on the darknet, allowing attackers to craft highly convincing phishing
attempts. This increased personalization raises the success rate of these attacks.

According to Check Point, these are the top phishing brands for Q1 2024. During the first
quarter of 2024, Microsoft remained the most imitated brand in phishing attacks,
representing a significant 38% of all brand phishing attempts. Google moved up to the
second spot, accounting for 11% of these attacks, a slight increase from its previous
third-place position. [LinkedIn](https://www.corbado.com/blog/linkedin-passkeys) also experienced a rise,
reaching the third place with 11% of phishing attempts, marking a notable increase from
the previous quarter.

| **Rank** | **Brand**   | **Frequency** | **Passkey Rollout**        |
| -------- | ----------- | ------------- | -------------------------- |
| 1        | Microsoft   | 38%           | ✅                         |
| 2        | Google      | 11%           | ✅                         |
| 3        | LinkedIn    | 11%           | ✅/❌ Partial rollout only |
| 4        | Apple       | 5%            | ✅                         |
| 5        | DHL         | 5%            | ❌                         |
| 6        | Amazon      | 3%            | ✅                         |
| 7        | Facebook    | 2%            | ✅                         |
| 8        | Roblox      | 2%            | ✅                         |
| 9        | Wells Fargo | 2%            | ❌                         |
| 10       | Airbnb      | 1%            | ❌                         |

Many of these companies, which obviously have to deal a lot with the problems associated
with phishing, have already rolled out passkeys as a countermeasure or are planning to do
so. From the list of the top ten, 60% have already fully or partially rolled out passkeys.
Moreover, we know from Airbnb that they are actively working on their passkey rollout, and
[Facebook/Meta announced passkey support in June 2025](https://about.fb.com/news/2025/06/introducing-passkeys-facebook-easier-sign-in/).
Only DHL and Wells Fargo have not indicated a direct passkey rollout, but sooner or later
they will follow the move of the other top-phishing-target brands.

## 5. Why are Passkeys Phishing-Resistant?

Passkeys offer a robust solution to the problem of phishing. Here’s why they are
inherently phishing-resistant:

### 5.1 Binding to Origin (Relying Party ID)

Passkeys are **tied to the specific origin** (i.e., the
[Relying Party](https://www.corbado.com/glossary/relying-party) ID) of the service (Relying Party). During the
authentication process, the service provides a challenge that is signed by the user’s
private key. The service then verifies the signature using the corresponding public key,
ensuring that the authentication occurs with the correct origin. A phishing site **cannot
replicate this origin-specific challenge-response process**.

Importantly, users cannot voluntarily give away the passkey to a malicious website.
Sharing passkeys across different [Relying Party](https://www.corbado.com/glossary/relying-party) IDs is not
possible within the WebAuthn protocol. Additionally, exposing the private key is not
feasible as it is stored securely within the [authenticator](https://www.corbado.com/glossary/authenticator)
(such as a
[device's secure enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web),
TPM, or hardware [security key](https://www.corbado.com/glossary/security-key)) and never leaves it. Therefore,
even if a user wanted to use their passkey on an unauthorized site, it would not be
technically possible.

### 5.2 Public Key Cryptography and No Shared Secrets

Passkeys use [public key cryptography](https://www.corbado.com/glossary/public-key-cryptography), which means
that each passkey consists of a public and a private key. The **private key remains
securely stored on your device**, while the public key is shared with the server. When you
attempt to authenticate, your device uses the private key to sign a challenge sent by the
server. This signature is then verified using the public key. Since the **private key
never leaves your device** and cannot be intercepted or phished, this method eliminates
the risk of phishing attacks.

### 5.3 Elimination of Common Phishing Vectors

Unlike passwords, **passkeys cannot be written down or accidentally shared**. They are
**bound to your devices** and **cannot be stolen** through fake websites or phishing
emails. When you use a passkey to sign in, it proves to the service provider that you have
access to your device and can unlock it. This dual proof ensures that passkeys protect you
against phishing and mishandling, such as reusing passwords or exposing them in data
breaches.

### 5.4 Device-Specific Security

Passkeys are created **uniquely for a passkey provider and account**, making them
extremely difficult to phish. For example, when signing in to your Google account with a
passkey, the [authenticator](https://www.corbado.com/glossary/authenticator) ensures the signature is only valid
for Google websites and apps, not for malicious intermediaries. This means you don't need
to be overly cautious about where you use your passkey, unlike with passwords or SMS
verification codes.

### 5.5 Unique Passkeys for Each Account

Each passkey is tied to a single account, **eliminating the risk of reuse across different
services**. This prevents a [data breach](https://www.corbado.com/glossary/data-breach) in one account from
compromising others. Your accounts remain secure, and the risk of credential phishing is
significantly reduced.

### 5.6 Secure Cross-Device Authentication

When signing in on a new device, you might scan a
[QR code](https://www.corbado.com/blog/qr-code-login-authentication) displayed on that device using your phone.
This process **verifies the proximity of your phone** using a Bluetooth message and
establishes an end-to-end encrypted connection. The phone then delivers a one-time passkey
signature, which requires your biometric or screen lock approval. The passkey itself and
screen lock information are never sent to the new device, ensuring secure authentication.

### 5.7 User Interaction is Required

Passkey authentication typically **involves some form of user interaction**, such as
biometric verification (fingerprint, face recognition) or a PIN on the user’s device. This
step **confirms the user’s presence** and further protects against automated phishing
attacks or a compromise of the user’s operating system.

### 5.8 Compliance with NIST Guidelines

[NIST](https://www.corbado.com/blog/nist-passkeys) (National Institute of Standards and Technology) recognizes
synced passkeys as phishing-resistant according to their guidelines. This endorsement
underscores the effectiveness of passkeys in protecting against phishing, especially in an
environment where a significant number of breaches are caused by weak or stolen passwords.

Passkeys offer a compelling combination of security and convenience, making them a
powerful tool against phishing attacks. By eliminating the need for passwords and
leveraging strong cryptographic principles, passkeys provide a phishing-resistant
authentication method that enhances both user experience and security.

## 6. Conclusion: Passkeys & Phishing

Phishing remains one of the most dangerous threats to online security, exploiting the
weakest link – human behavior. Traditional authentication methods, such as passwords and SMS-based
[2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security), are increasingly inadequate in protecting against
these sophisticated attacks. Passkeys, with their origin binding, leverage of
[public key cryptography](https://www.corbado.com/glossary/public-key-cryptography) and elimination of shared
secrets, provide a robust defense against phishing.

By understanding the **nature of phishing, the types of phishing methods** that exist and
the **vulnerabilities of traditional methods to phishing**, it becomes clear that passkeys
offer a much-needed solution to prevent phishing. **Passkeys are phishing-resistant**, and
as we continue to see a rise in cyberattacks, adopting passkeys is a crucial step toward
enhancing security for both individuals and organizations.

For developers and product managers, implementing passkeys not only boosts security but
also improves user experience by simplifying the authentication process.
