Created: August 20, 2024
Updated: September 10, 2024
Passkeys are, by design, significantly more secure than traditional passwords: authentication rests on public-key cryptography rather than on a shared secret, which makes them much harder to hack. Like any technology, however, they are not immune to every attack.
Passkeys are built on the WebAuthn standard and use public-key cryptography to authenticate users without a password. This makes them inherently more resistant to common threats such as phishing, credential stuffing and brute-force attacks. Here is why passkeys are considered secure:
Public-Key Cryptography: Each passkey is a public-private key pair. The private key never leaves the user's device; only signatures made with it are sent to the server, so there is no secret on the wire for an attacker to intercept, and the server only ever stores the public key.
Elimination of Passwords: Because passkeys do not rely on a shared secret like a password, there is nothing to reuse across sites, which removes the credential-reuse risk that plagues password-based systems.
Protection Against Phishing: Phishing attacks are ineffective against passkeys because a passkey is bound to the relying party ID (the domain) it was created for. The browser only offers it on that origin, and the signed client data records the origin the browser actually saw, so a look-alike site cannot obtain a signature the genuine service would accept.
No Credential Stuffing: Each passkey is unique to one service, and only the public key is stored server-side. If one relying party is breached, the attacker obtains nothing that works there or at any other relying party.
No Brute-Force Attacks: Passkeys rely on asymmetric cryptography; the private key is a random value far too large to guess, so there is nothing to brute-force.
No Man-in-the-Middle Attacks: An attacker relaying traffic between browser and server gains nothing useful. The private key never leaves the user's device, and what is transmitted, the signature, is bound to the server's challenge, the relying party ID and the origin, so the relay can neither alter it nor reuse it.
No Replay Attacks: Each authentication starts with a fresh random challenge from the server, and the signature covers it. A captured response is useless later, provided the server checks that the challenge is one it issued and accepts each challenge only once.
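The checks behind the list above, as an added worked example (this is not code from the original article nor from any particular WebAuthn library): a minimal relying-party verifier in Go with a simulated authenticator, so it runs offline. The RP ID example.com, the origins, the look-alike domain examp1e.com and the four scenarios in demo() are constructed for illustration. The verifier deliberately covers only the properties discussed here (challenge consumption, origin check, rpIdHash check, signature over authenticatorData and the client data hash); it omits attestation, the signature counter, user-verification flags, COSE key parsing and algorithms other than ES256, so a real deployment should use a maintained WebAuthn library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

type clientData struct { // the fields of WebAuthn's clientDataJSON that the checks below use
	Type      string `json:"type"`      // "webauthn.get" for a login ceremony
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`    // written by the browser, never by page script
}

type assertion struct { // what the relying party receives after navigator.credentials.get()
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ECDSA P-256 / SHA-256 (COSE alg -7), ASN.1 DER
}

type relyingParty struct { // server-side state; pubKey was stored at registration
	rpID, origin string
	pubKey       *ecdsa.PublicKey
	outstanding  map[string]bool // challenges issued but not yet consumed
}

func (rp *relyingParty) newChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil { panic(err) }
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.outstanding[c] = true
	return c
}

// verify runs the checks behind the properties listed above; nil means "logged in".
func (rp *relyingParty) verify(a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed clientDataJSON or wrong ceremony type")
	}
	// Replay: only a challenge we issued is accepted, and it is consumed on first use.
	if !rp.outstanding[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.outstanding, cd.Challenge)
	// Phishing: the origin the browser recorded must be ours.
	if cd.Origin != rp.origin {
		return errors.New("origin mismatch")
	}
	// Binding on the authenticator side: authenticatorData starts with SHA-256(rpId).
	want := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	// The signature covers authenticatorData || SHA-256(clientDataJSON).
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pubKey, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

type authenticator struct{ priv *ecdsa.PrivateKey; rpID string } // the user's device; priv never leaves it

// sign models browser plus authenticator: the browser records the origin it is really on.
func (au *authenticator) sign(challenge, origin string) assertion {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(au.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags = UP (user present), signCount = 0
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, au.priv, digest[:])
	if err != nil { panic(err) }
	return assertion{AuthenticatorData: authData, ClientDataJSON: cdj, Signature: sig}
}

type outcome struct{ Legit, Phished, WrongRP, Replayed error } // nil = accepted

// demo runs four constructed scenarios against the same relying party.
func demo() (o outcome) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	device := &authenticator{priv: priv, rpID: "example.com"}
	rp := &relyingParty{rpID: "example.com", origin: "https://example.com",
		pubKey: &priv.PublicKey, outstanding: map[string]bool{}}
	a := device.sign(rp.newChallenge(), "https://example.com") // 1. normal login
	o.Legit = rp.verify(a)
	// 2. Phishing relay: same device, fresh challenge, but the browser records the look-alike origin.
	o.Phished = rp.verify(device.sign(rp.newChallenge(), "https://examp1e.com"))
	other := &authenticator{priv: priv, rpID: "examp1e.com"} // 3. credential bound to the attacker's RP ID
	o.WrongRP = rp.verify(other.sign(rp.newChallenge(), "https://example.com"))
	o.Replayed = rp.verify(a) // 4. the captured assertion from step 1, submitted again
	return o
}
```

Calling demo() yields a nil verdict for the normal login and a distinct error for each of the other three: the phished assertion fails on the origin check, the credential registered for the attacker's RP ID fails on rpIdHash, and the replayed assertion fails because its challenge was consumed the first time. Note that the order of checks matters: the challenge is consumed before anything else is inspected, so an attacker cannot learn from the error message which check a forged response got past.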
However, while passkeys offer superior security, they are not entirely immune to hacking:
Supply Chain Attacks: A device or authenticator tampered with during manufacturing or distribution could leak the private keys it holds or generate weak ones.
Social Engineering: Phishing for the credential itself fails, but attackers might still use social engineering to trick users into creating passkeys for malicious websites. Such a passkey is bound to the attacker's site rather than the genuine one, yet the user may believe they have signed up with the real service.
Session Theft: Passkeys secure the authentication step and make it simple for the user. What the relying party issues afterwards, the session cookie or token, is an ordinary bearer credential: depending on how it is implemented (cookie flags, lifetime, rotation at login, exposure to page script), it can still be stolen and used for malicious purposes.
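What "depending on the implementation" means in practice, as an added example (not code from the original article or from any passkey SDK): the session a relying party issues once the WebAuthn assertion has verified. The weak cookie and the hardened issueSession are both constructed here for comparison; the cookie name, the eight-hour lifetime and the in-memory store are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"sync"
	"time"
)

const cookieName = "__Host-session" // __Host- prefix: browsers require Secure, Path=/ and no Domain

// sessionStore keeps sessions server-side, so a stolen session can be revoked and
// a cookie value proves nothing unless the server still lists it.
type sessionStore struct {
	mu       sync.Mutex
	sessions map[string]string // session ID -> user ID
}

func newSessionStore() *sessionStore { return &sessionStore{sessions: map[string]string{}} }

func randomID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// weakSessionCookie is the kind of cookie a careless relying party sets after a passkey login:
// readable by page script, sent over plain HTTP and attached to cross-site requests, never expiring.
func weakSessionCookie(id string) *http.Cookie {
	return &http.Cookie{Name: "session", Value: id, Path: "/"}
}

// issueSession is what the relying party should do once the assertion verifies: drop whatever
// session the client arrived with (no session fixation), mint a fresh random ID, store it
// server-side, and set it in a cookie that script cannot read, that travels only over TLS,
// that is not attached to cross-site requests, and that expires.
func (s *sessionStore) issueSession(w http.ResponseWriter, r *http.Request, userID string) *http.Cookie {
	if old, err := r.Cookie(cookieName); err == nil {
		s.revoke(old.Value)
	}
	id := randomID()
	s.mu.Lock()
	s.sessions[id] = userID
	s.mu.Unlock()
	c := &http.Cookie{
		Name: cookieName, Value: id, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode,
		MaxAge: int((8 * time.Hour).Seconds()),
	}
	http.SetCookie(w, c)
	return c
}

// lookup resolves a presented session ID; a revoked or unknown ID yields ok == false.
func (s *sessionStore) lookup(id string) (userID string, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	userID, ok = s.sessions[id]
	return
}

// revoke is also what a logout handler, or an incident responder, calls for a stolen ID.
func (s *sessionStore) revoke(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}
```

The hardened cookie does not make session theft impossible (malware on the device can still read the cookie jar), but it removes the cheap routes: HttpOnly keeps the value away from injected script, Secure and the __Host- prefix keep it off plain HTTP and off sibling hosts, SameSite=Strict stops it riding along on cross-site requests, and the server-side store lets a stolen session be revoked instead of remaining valid until it expires.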