Yes, passkeys are phishing-resistant because they are built on the WebAuthn standard which is an authentication standard that uses public key cryptography to authenticate a user’s identity before they’re able to log in to their account.
Continue reading to learn more about what makes passkeys phishing-resistant, plus the additional benefits of signing in to your accounts with passkeys over passwords.
What Is a Passkey?
A passkey is a cryptographic key that lets you log in to your account without having to enter a password. Passkeys must be supported by the website you have an account with to use them. If passkeys are supported, you can enable them in your account settings and a passkey will be generated and stored locally on your device.
When creating a passkey, you can also use a password manager to store the passkey in a digital vault. When you store and manage your passkeys using a password manager, you’ll be able to access, share and log in with your passkeys from anywhere and on any device.
What Is Phishing?
Phishing is a type of social engineering attack that attempts to persuade victims into disclosing sensitive information. Often, cybercriminals will send links to spoofed websites and urge victims to click on these links. A spoofed website is a site that has been designed to look legitimate but is meant to steal sensitive information.
For example, a spoofed website may prompt a victim to enter their login credentials for the company the website is spoofing, but doing this will mean the victim is essentially handing over their login credentials to the cybercriminal. The cybercriminal can then use those login credentials to sign in to the victim’s actual account.
What Makes Passkeys Phishing-Resistant?
Passkeys are built on the WebAuthn standard which is what makes them resistant to phishing attacks. WebAuthn stands for Web Authentication and is a browser-based API that simplifies user authentication for web applications. WebAuthn allows users to use registered devices such as phones and computers as factors to log in to their accounts using public key cryptography.
When a user generates a passkey for their account, a unique cryptographic key pair is created on their device. This key pair consists of a public key and a private key. The public key is stored with the company the user has the account with and the private key is stored locally on the device that was used to generate the passkey. When the user logs in to their account, the account server sends a “challenge” to the user’s authenticator. The authenticator is the device, browser or password manager used to generate the passkey. The authenticator then uses the private key to solve the challenge and send a response back. This is also known as “signing” the data, which is how the user’s identity is verified. The private key is never revealed in the process.
Unlike passwords, passkeys are phishing-resistant by design because they’re built on the WebAuthn standard. You can’t just give away your passkey to a cybercriminal as you can with a password, making passkeys the most secure way to sign in to your online accounts and applications.
Additional Benefits To Using Passkeys
Apart from being phishing-resistant, passkeys are also convenient, always strong, not susceptible to password-related attacks and easy to use.
Passkeys are easy to use when stored in a password manager
To sign in with a passkey on your device where it was created all you need to do is use biometrics, like FaceID, to confirm your identity. If you store your passkeys in a password manager, all you need to do is click a button to sign in with it and you’ll be able to sign in from any device no matter what Operating System (OS) it uses. With passkeys enabled on your account, there’s no need to manually type in a password, making them extremely convenient and easy to use.
Passkeys are always made strong
Passkeys consist of a public and private key pair that are made uniquely every time they are generated for an account. Unlike passwords, passkeys are never user-generated – they are automatically generated by the device, browser or password manager, securely and uniquely, for every account – meaning they are always made strong by default.
Passkeys are not susceptible to password-related cyber attacks
When it comes to passwords, many users are susceptible to password-related attacks because they reuse the same password across multiple accounts or use weak passwords that can be easily guessed or cracked by a cybercriminal in a few minutes and sometimes even seconds. Passkeys eliminate the need for users to create their own passwords that would otherwise be susceptible to various types of password-based cyber attacks.
Avoid Falling For Phishing Attacks With Passkeys
Phishing continues to be one of the most prevalent cyber attacks against both businesses and individuals. While passkeys are only supported on a few websites and applications at the moment, using passkeys whenever possible keeps your accounts protected from phishing attacks that can lead to account compromise. To see which websites and applications currently support passkeys, check out our passkeys directory.
Since passkeys are only supported on a small number of websites at this time, you’ll still need to secure most of your online accounts and apps with strong, unique passwords. Password managers like Keeper® make it easy for you to generate strong passwords, securely store them, and manage both your passwords and passkeys in your secure digital vault.
Start a free 30-day trial of Keeper Password Manager to make managing your passwords and passkeys a seamless experience.
