
Passkeys Phishing: Why Passkeys Are Phishing-Resistant

Learn why passkeys offer phishing-resistant security, preventing data breaches and credential stuffing by eliminating traditional vulnerabilities.


Vincent

Created: May 20, 2024

Updated: October 1, 2024


Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.

Overview#

  1. Introduction: Passkeys & Phishing

  2. What's Phishing?

    2.1 What's Email Phishing?

    2.2 What's Spear Phishing?

    2.3 What's Whaling?

    2.4 What's Smishing (SMS Phishing)?

    2.5 What's Vishing (Voice Phishing)?

    2.6 What's Clone Phishing?

    2.7 What's Pharming?

    2.8 What's Man-in-the-Middle Phishing?

    2.9 What's Social Media Phishing?

    2.10 What's Malvertising?

    2.11 What's Search Engine Phishing?

    2.12 What's Pop-Up Phishing?

  3. The Vulnerabilities of Traditional Authentication Methods

  4. Why is phishing such a big problem today?

    4.1 Humans are a Vulnerability

    4.2 Phishing Mistakes are Inevitable

    4.3 All Employees & Customers Share Responsibility to Prevent Phishing

    4.4 Complexity vs. Convenience (Users Favor Simple Things)

    4.5 Psychological Factors Play a Role

    4.6 Credential-Based Attacks are on the Rise

    4.7 Rise of Remote Work and Digital Reliance

    4.8 Escalating Cyber Threat

    4.9 Reputational Damage and Trust

    4.10 Increasing Number of Data Breaches

  5. Why are Passkeys Phishing-Resistant

    5.1 Binding to Origin (Relying Party ID)

    5.2 Public Key Cryptography and No Shared Secrets

    5.3 Elimination of Common Phishing Vectors

    5.4 Device-Specific Security

    5.5 Unique Passkeys for Each Account

    5.6 Secure Cross-Device Authentication

    5.7 User Interaction is Required

    5.8 Compliance with NIST Guidelines

  6. Conclusion: Passkeys & Phishing

1. Introduction: Passkeys & Phishing#

Almost no week passes without news of a major data breach. What many of these breaches have in common is that they start with a rather simple cyber-attack: phishing, where attackers trick individuals into revealing sensitive information.

That's why secure user authentication is more critical than ever. Traditional methods, such as passwords and SMS-based two-factor authentication (2FA), are increasingly vulnerable to sophisticated attacks. On top of that, the volume of credentials leaked in data breaches is enormous: over 13 billion leaked passwords are available on the darknet. Passkeys, based on the WebAuthn standard, offer a robust defense against both phishing and credential stuffing. This blog post focuses on the relationship between passkeys and phishing and answers the following questions:

  • What’s phishing and what types of phishing do exist?
  • How vulnerable are different authentication methods to phishing?
  • Are passkeys phishing-resistant?

2. What’s Phishing?#

Phishing is a type of social engineering attack designed to trick victims into disclosing confidential information. Cybercriminals typically send links to fake websites that appear legitimate and urge victims to click on them. These counterfeit websites are crafted to steal sensitive data: for example, a fake website might prompt a victim to enter their login credentials for what looks like a legitimate company site. By doing so, the victim inadvertently hands their login information to the cybercriminal, who can then use it to access the victim's real accounts. Often the attacker already knows that the victim is a user of the service, either because it is very likely (a service that many people use, e.g. Amazon or DHL) or because the account information was disclosed in a different way (e.g. an IBAN reveals at which bank a user has an account).

There are various types of phishing attacks, each targeting different channels and employing unique tactics:

2.1 What’s Email Phishing?#

Email phishing is when fraudulent emails that appear to come from legitimate sources are designed to trick recipients into revealing personal information or clicking on malicious links.

Image: example of a PayPal phishing email (taken from https://www.phishing.org/phishing-examples)

2.2 What’s Spear Phishing?#

Spear phishing is a more targeted form of phishing where attackers personalize emails to a specific individual or organization, making the scam more convincing.

Image: example of a spear phishing email (taken from https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing)

2.3 What’s Whaling?#

Whaling is a type of spear phishing aimed at high-profile targets such as executives or senior managers. It often involves emails that appear to come from trusted sources within the organization, for example a message supposedly sent by the CEO to the finance department.

Image: example of a whaling email (taken from https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing)

2.4 What’s Smishing (SMS Phishing)?#

Smishing (SMS phishing) is a phishing attack conducted through SMS text messages, which may contain malicious links or requests for personal information.

Image: example of a Netflix smishing text message (taken from https://www.devfuzion.com/smishing-what-you-need-to-know-about-text-scams)

2.5 What’s Vishing (Voice Phishing)?#

Vishing (voice phishing) is a phishing attack conducted over the phone, where attackers impersonate legitimate entities to extract personal information or financial details.


2.6 What’s Clone Phishing?#

Clone phishing involves duplicating a legitimate email that the victim has received in the past, then resending it with malicious links or attachments.

Image: example of clone phishing (taken from https://uk.norton.com/blog/online-scams/clone-phishing)

2.7 What’s Pharming?#

Pharming redirects users from legitimate websites to fraudulent ones without their knowledge, typically by manipulating name resolution (DNS), for example through a compromised resolver or home router or a modified hosts file, so that even a correctly typed domain name leads to the attacker's server.

Image: phishing vs. pharming (taken from https://www.valimail.com/guide-to-phishing/phishing-vs-pharming)

2.8 What’s Man-in-the-Middle Phishing?#

Man-in-the-middle phishing (today more often called adversary-in-the-middle, AitM) is when attackers interpose themselves between the user and a legitimate site and relay the communication in both directions without either party noticing. Modern phishing kits run the fake site as a reverse proxy in front of the real login page: the victim sees genuine content, enters their password and even completes a one-time code or push approval, while the proxy captures the password, the code and, most importantly, the resulting session cookie. This is the variant that defeats most forms of 2FA, and the one that origin-bound authentication is specifically designed to stop.


2.9 What’s Social Media Phishing?#

Social media phishing involves phishing attacks that occur on social media platforms, where attackers create fake profiles or send direct messages to trick users into revealing personal information.

Image: example of social media phishing (taken from https://www.proofpoint.com/us/threat-insight/post/fraudulent-social-media-accounts-continue-phish-banking-credentials)

2.10 What’s Malvertising?#

Malvertising uses malicious online advertisements to direct users to phishing sites or deliver malware.

Image: example of malvertising (taken from https://www.geeksforgeeks.org/what-is-malvertising)

2.11 What’s Search Engine Phishing?#

Search engine phishing is when attackers create fake websites that appear in search engine results, luring users to visit and enter sensitive information.

Image: example of search engine phishing (taken from https://www.keepersecurity.com/blog/2023/04/12/what-is-search-engine-phishing)

2.12 What’s Pop-Up Phishing?#

Pop-up phishing uses pop-up windows on legitimate websites to trick users into entering personal information or downloading malware.

3. The Vulnerabilities of Traditional Authentication Methods#

Traditional authentication methods, such as passwords and SMS-based two-factor authentication (2FA) are widely used nowadays. However, these methods (and more – see below) are increasingly vulnerable to various phishing attacks. Cybercriminals exploit weaknesses in these systems, often with alarming success.

Here’s an overview of authentication methods and their phishing-resistance.

Authentication method | Phishing-resistant | Explanation
Password | ❌ | Passwords can be typed into any site; a fake login page or social engineering captures them directly.
SMS OTP | ❌ | SMS codes can be entered on a fake site and relayed within their validity window, and are additionally exposed to SIM swapping.
Email OTP | ❌ | Email codes can be phished the same way, by tricking users into entering them on a malicious site.
Email magic link | ❌ | Magic links are only as secure as the mailbox; an attacker who has compromised the email account can use the link.
Social logins (e.g. Google, Facebook) | ❌ | Social logins can be phished by tricking users into logging in via fake OAuth prompts.
SSO | ✅/❌ | SSO is only as phishing-resistant as the identity provider's authentication: with FIDO2 or smart cards it is, with passwords and OTPs it is not.
TOTP (e.g. Google Authenticator) | ❌ | TOTP codes can be phished by tricking the user into typing the code into a fake site that relays it in real time.
Push notification (e.g. Authy, Duo) | ❌ | Push approvals can be phished through fake prompts, prompt bombing (MFA fatigue) or social engineering.
Passkey | ✅ | Passkeys use public-key cryptography and are bound to the origin, so a phishing site receives nothing it can use.
FIDO2 security key | ✅ | FIDO2 security keys use origin-bound keys and challenge-response, making them phishing-resistant.
Smart card | ✅ | Smart cards (PKI logins) use a secure element and certificate-based challenge-response and are resistant to phishing.

Phishing remains a significant threat. According to the Zscaler ThreatLabz 2024 Phishing Report:

  • Phishing attacks surged by 58.2% in 2023, compared to 2022, reflecting the growing sophistication and persistence of threat actors.
  • Vishing (voice phishing) and deepfake phishing attacks are on the rise as attackers leverage generative AI to amplify social engineering tactics.
  • The US, UK, India, Canada, and Germany were the top five countries targeted by phishing attacks.
  • The finance and insurance industry faced 27.8% of overall phishing attacks, the highest concentration among industries and a staggering 393% year-over-year increase. Manufacturing followed closely behind at 21%.

4. Why is phishing such a big problem today?#

In 2024, phishing is still such a big problem because it targets the most vulnerable link in the security chain: humans. Despite advancements in cybersecurity technology, the human element remains susceptible to manipulation and error. Here’s why phishing is such a pervasive issue:

4.1 Humans are a Vulnerability#

Despite advancements in cybersecurity tools, humans are often the weakest link. Cybercriminals exploit this by using social engineering techniques to trick individuals into revealing sensitive information. This is not just a technical challenge but a human one, requiring effective communication, advice, and mentoring within organizations.

4.2 Phishing Mistakes are Inevitable#

Even the most well-intentioned individuals can make mistakes. It only takes one click on a malicious link or the reuse of a password to compromise an organization’s security.


4.3 All Employees & Customers Share Responsibility to Prevent Phishing#

The responsibility for cybersecurity extends beyond the security team to all employees and even customers. Effective security measures should be easy to use, minimizing the effort required by individuals to follow them. Convenience leads to compliance, which enhances overall security.

4.4 Complexity vs. Convenience (Users Favor Simple Things)#

Effective security measures must be both robust and user-friendly. When security protocols are overly complex, individuals are more likely to circumvent them for convenience. Studies show that a significant percentage of employees knowingly break security policies to maintain productivity. This issue isn't new: an RSA survey from 2008 found that while employees understood security policies, many were willing to break the rules for convenience. Similarly, a 2022 Harvard Business Review study found that 67% of employees knowingly violated security policies, with 85% citing productivity reasons. This tendency underscores the need for security solutions that integrate seamlessly into daily workflows without adding undue burden.

4.5 Psychological Factors Play a Role#

Under pressure, employees might view violating security rules as an acceptable risk. In their personal lives, the perceived lower stakes often lead people to neglect good security practices, falsely believing they are too insignificant to be targeted. If people aren't following best practices at work, they are even less likely to do so in their private lives.

4.6 Credential-Based Attacks are on the Rise#

Identity-related breaches are a major concern, with a notable rise in credential-related phishing attacks. In 2022, there was a 61% spike in such attacks, with stolen credentials responsible for 50% of successful breaches according to the Verizon Data Breach Investigations Report. Passwords, as a primary line of defense, are increasingly inadequate in a highly interconnected world.

4.7 Rise of Remote Work and Digital Reliance#

The shift towards remote and hybrid work models, accelerated by the pandemic, has expanded the attack surface for cyber threats. The increased reliance on digital technologies in both professional and personal spheres has made identity protection even more critical. Phishing attacks exploit this expanded digital footprint, targeting individuals across various platforms and services.

4.8 Escalating Cyber Threat#

The frequency and sophistication of cyberattacks have surged in recent years. In 2022 alone, there were over 500 million phishing attempts reported globally. The FBI's Internet Crime Complaint Center received nearly 60,000 phishing-related complaints, while the 2023 Thales Global Data Threat Report indicated that 41% of respondents observed an increase in phishing attacks. These statistics illustrate the pervasive and growing nature of the threat.

4.9 Reputational Damage and Trust#

Beyond the immediate financial and data losses, phishing attacks can cause severe reputational damage. Compromised sensitive information can erode customer trust, leading to long-term repercussions for organizations. This aspect of the threat landscape makes it crucial to adopt comprehensive security measures that safeguard both internal data and external user information.

4.10 Increasing Number of Data Breaches#

The number of data breaches has surged, revealing vast amounts of sensitive information about victims. This exposed data significantly improves cybercriminals' ability to target individuals and organizations with precision. Personal details obtained from breaches are often sold on the darknet, allowing attackers to craft highly convincing phishing attempts. This increased personalization raises the success rate of these attacks.


According to Check Point, these were the top phishing brands for Q1 2024. During the first quarter of 2024, Microsoft remained the most imitated brand in phishing attacks, representing 38% of all brand phishing attempts. Google moved up to second place with 11% of these attacks, a slight increase from its previous third-place position. LinkedIn also rose, reaching third place with 11% of phishing attempts, a notable increase from the previous quarter.

Rank | Brand | Frequency | Passkey rollout
1 | Microsoft | 38% | ✅
2 | Google | 11% | ✅
3 | LinkedIn | 11% | ✅/❌ partial rollout only
4 | Apple | 5% | ✅
5 | DHL | 5% | ❌ not announced
6 | Amazon | 3% | ✅
7 | Facebook | 2% | in progress
8 | Roblox | 2% | ✅
9 | Wells Fargo | 2% | ❌ not announced
10 | Airbnb | 1% | in progress

Many of these companies, which obviously deal with phishing on a large scale, have already rolled out passkeys or are planning to do so as a countermeasure. Of the top ten, six (60%) have fully or partially rolled out passkeys. Facebook and Airbnb are known to be actively working on their rollout. Only DHL and Wells Fargo have not announced a passkey rollout yet; given that they are among the most impersonated brands, they are likely to follow sooner or later.

5. Why are Passkeys Phishing-Resistant#

Passkeys offer a robust solution to the problem of phishing. Here’s why they are inherently phishing-resistant:

5.1 Binding to Origin (Relying Party ID)#

Passkeys are scoped to a Relying Party ID (RP ID), which is the domain of the service (the Relying Party), and the browser enforces that scope: a web page may only request credentials for an RP ID that equals, or is a registrable suffix of, its own host. During authentication the service sends a random challenge; the browser records that challenge together with the page's actual origin in the client data, and the authenticator signs the hash of that client data together with the authenticator data (which contains the hash of the RP ID) using the private key. The service verifies the signature with the stored public key and, independently, checks that the origin in the signed client data is one it owns and that the RP ID hash matches. A phishing site on a lookalike domain therefore cannot even trigger the credential, and an assertion relayed through a proxy would carry the phishing origin and be rejected.

Importantly, users cannot voluntarily hand a passkey to a malicious website, because it is the browser and the authenticator, not the user, that decide which credential is eligible for which site; there is no secret the user could type into the wrong form. Sharing a passkey across different RP IDs is not possible within the WebAuthn protocol, and the private key itself is never exposed to the web page: for device-bound passkeys it is held in a hardware-backed keystore (secure element, TPM or security key), for synced passkeys in the provider's end-to-end encrypted credential store. Even a user who wanted to use their passkey on an unauthorized site could not do so.

5.2 Public Key Cryptography and No Shared Secrets#

Passkeys use public key cryptography, which means that each passkey consists of a public and a private key. The private key remains securely stored on your device, while only the public key is sent to the server at registration. When you authenticate, your device uses the private key to sign a challenge sent by the server, and the server verifies that signature with the public key. Because the server never holds a secret that would be useful to an attacker, a breach of the server's credential database yields nothing to log in with, and because the private key never leaves your device, there is nothing for a fake website to capture. This removes the credential-theft vector that phishing depends on.

5.3 Elimination of Common Phishing Vectors#

Unlike passwords, passkeys cannot be written down or accidentally shared. They are bound to your devices and cannot be stolen through fake websites or phishing emails. When you use a passkey to sign in, it proves to the service provider that you have access to your device and can unlock it. This dual proof ensures that passkeys protect you against phishing and mishandling, such as reusing passwords or exposing them in data breaches.

5.4 Device-Specific Security#

Passkeys are created uniquely for a relying party and account, making them extremely difficult to phish. For example, when signing in to your Google account with a passkey, the authenticator only produces signatures that verify for Google's own websites and apps, never for a malicious intermediary. This means you don't need to be overly cautious about where you use your passkey, unlike with passwords or SMS verification codes, where the burden of recognising the fake site falls on you.

5.5 Unique Passkeys for Each Account#

Each passkey is tied to a single account, eliminating the risk of reuse across different services. This prevents a data breach in one account from compromising others. Your accounts remain secure, and the risk of credential phishing is significantly reduced.


5.6 Secure Cross-Device Authentication#

When signing in on a new device, you might scan a QR code displayed on that device using your phone (the so-called hybrid transport). This process verifies that the phone is physically nearby using a Bluetooth Low Energy advertisement and establishes an end-to-end encrypted tunnel between the two devices. The phone then delivers a one-time passkey signature, which requires your biometric or screen lock approval on the phone. Neither the passkey itself nor your screen lock information is ever sent to the new device, and an attacker who merely forwards a screenshot of the QR code to a victim elsewhere fails the proximity check.

5.7 User Interaction is Required#

Passkey authentication typically involves some form of user interaction, such as biometric verification (fingerprint, face recognition) or a PIN on the user's device. The authenticator records this in the signed data (the user-presence and user-verification flags), which confirms that a person was present and further protects against automated attacks: malware on the user's device cannot silently produce signatures in the background, and a relying party can require the user-verification flag for sensitive actions.

5.8 Compliance with NIST Guidelines#

NIST (National Institute of Standards and Technology) recognizes synced passkeys as phishing-resistant: its April 2024 supplement to SP 800-63B on syncable authenticators treats them as meeting the phishing-resistance requirement when the origin binding described above is verified by the relying party. This endorsement underscores the effectiveness of passkeys in protecting against phishing, especially in an environment where a significant number of breaches are caused by weak or stolen passwords.

Passkeys offer a compelling combination of security and convenience, making them a powerful tool against phishing attacks. By eliminating the need for passwords and leveraging strong cryptographic principles, passkeys provide a phishing-resistant authentication method that enhances both user experience and security.

6. Conclusion: Passkeys & Phishing#

Phishing remains one of the most dangerous threats to online security, exploiting the weakest link: human behavior. Traditional authentication methods, such as passwords and SMS-based 2FA, are increasingly inadequate in protecting against these attacks, because anything a user can type or approve can also be relayed. Passkeys, with their origin binding, use of public key cryptography and elimination of shared secrets, provide a robust defense against phishing.

By understanding the nature of phishing, the types of phishing that exist and the vulnerabilities of traditional methods to phishing, it becomes clear that passkeys offer a much-needed solution. Passkeys are phishing-resistant, and as cyberattacks continue to rise, adopting passkeys is a crucial step toward better security for both individuals and organizations.

For developers and product managers, implementing passkeys not only boosts security but also improves user experience by simplifying the authentication process.
