---
url: 'https://www.corbado.com/faq/can-passkeys-created-by-third-party-providers-be-compromised'
title: 'Can passkeys created by 3rd-party providers be compromised?'
description: 'Explore whether passkeys created by third-party providers can be compromised and what security risks they may face.'
lang: 'en'
---

# Can passkeys created by 3rd-party providers be compromised?

While **passkeys are designed to be highly secure**, those created and stored by
**third-party passkey providers** could be **compromised** under certain conditions. The
risk level depends on **encryption practices, storage methods, and security
implementations**.

### Potential Security Risks for Third-Party Passkey Providers

1. **Cloud Storage Vulnerabilities**
    - Many third-party providers store passkeys in **cloud-based vaults**, which, if
      improperly secured, may become targets for **data breaches**.
    - Strong **end-to-end encryption** minimizes risk, but if the provider suffers a
      **data leak**, attackers might attempt to decrypt the leaked vault data.

2. **Master Password or Weak Account Security**
    - Some third-party password managers use a **master password** to encrypt passkeys.
    - If a user reuses a password or chooses a weak one, an attacker could compromise
      the entire vault via **credential stuffing** or **brute-force attacks**.

3. **Phishing and Social Engineering Attacks**
    - Attackers could trick users into **exposing their vault access credentials** via
      [phishing](https://www.corbado.com/glossary/phishing) emails or fake login portals.
    - Unlike **first-party providers** (Apple
      [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain),
      [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)), third-party
      providers **may not be tightly integrated into device security**, making them **more
      susceptible to social engineering attacks**.

4. **Provider Infrastructure Breaches**
    - If a third-party provider’s **server infrastructure** is hacked, attackers could
      attempt to decrypt stored passkeys.
    - Many reputable providers use **zero-knowledge encryption**, meaning even they
      **cannot access stored passkeys**, but **not all providers follow this standard**.

5. **Malware or Device-Level Attacks**
    - If a user's **device is compromised** (e.g., keyloggers,
      [malware](https://www.corbado.com/glossary/malware), or rootkits), stored passkeys may be at risk.
    - First-party providers often leverage **secure hardware elements (TPMs, Secure
      Enclaves)** to protect passkeys, while some third-party providers rely on
      **software-only encryption**.

### How to Mitigate These Risks

- **Use Providers with Zero-Knowledge Encryption**: Ensure that even the provider **cannot
  decrypt stored passkeys**.
- **Enable Biometric Authentication**: Choose a provider that **requires biometric
  authentication** for passkey access.
- **Avoid Weak Master Passwords**: If the provider uses a master password, choose a
  strong, unique one and enable **multi-factor authentication (MFA)**.
- **Verify the Provider’s Security Practices**: Check if they comply with **FIDO2,
  WebAuthn, and industry security standards**.
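
The zero-knowledge model and the master-password dependency described above, shown as an added example (not code from Corbado or any passkey provider). The vault is sealed on the user's device, so the provider only ever holds the salt, nonce, ciphertext and tag. The function names, the scrypt cost values, the `vault-v1` label and the sample vault are assumptions made for illustration.

```javascript
// Added example: client-side ("zero-knowledge") vault sealing with Node's built-in crypto.
const nodeCrypto = require('node:crypto');

// scrypt cost parameters (assumed values for illustration; tune to the target devices).
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const AAD = Buffer.from('vault-v1'); // hypothetical format label, bound into the auth tag

// Constructed sample vault entry; not a real credential.
const SAMPLE_VAULT = { rpId: 'example.com', credentialId: 'constructed-id', privateKey: 'constructed-placeholder' };

// Runs on the user's device: the master password and derived key never leave it.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword.normalize('NFKC'), salt, 32, KDF);
}

// Returns the only record the provider stores: salt, nonce, ciphertext, tag.
function sealVault(masterPassword, vault) {
  const salt = nodeCrypto.randomBytes(16);  // fresh per vault, not secret
  const nonce = nodeCrypto.randomBytes(12); // fresh per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), 'utf8'), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

// Returns the vault object, or null when the password is wrong or the record was altered.
function openVault(masterPassword, rec) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(masterPassword, rec.salt), rec.nonce);
    d.setAAD(AAD);
    d.setAuthTag(rec.tag);
    const pt = Buffer.concat([d.update(rec.ct), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // GCM tag check failed: no partial plaintext is returned
  }
}

// What a provider-side leak would expose: opaque bytes only.
const stored = sealVault('correct horse battery staple', SAMPLE_VAULT);
console.log(Object.fromEntries(Object.entries(stored).map(([k, v]) => [k, v.toString('base64')])));
```

Because the key is derived only from the master password, the protection of a leaked record rests on that password's strength and the KDF cost, which is why a weak or reused master password undermines the whole vault.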

### Conclusion

While **third-party passkey providers** offer **flexibility and cross-platform access**,
their **security depends on implementation**. Users should **choose providers carefully,
enable additional security layers, and follow best practices** to minimize risks.

