
Can Passkeys Be Hacked?

Vincent Delitz


Created: August 20, 2024

Updated: September 10, 2024



Can Passkeys Be Hacked?

Passkeys, by design, are significantly more secure than traditional passwords and are much harder to hack due to their cryptographic nature. However, like any technology, they are not entirely immune to certain vulnerabilities.

  • Passkeys are more secure than passwords due to their cryptographic basis.
  • Passkeys eliminate risks associated with phishing, man-in-the-middle, brute-force, replay, and credential stuffing attacks.

Understanding Passkey Security

Passkeys are built on top of the WebAuthn standard and utilize public-key cryptography to authenticate users without relying on traditional passwords. This makes them inherently more secure against common threats such as phishing, credential stuffing, and brute force attacks. Here’s why passkeys are considered secure:

  • Public-Key Cryptography: Passkeys use a public-private key pair, where the private key never leaves the user’s device, making it nearly impossible for attackers to intercept it.

  • Elimination of Passwords: Since passkeys don’t rely on shared secrets (like passwords), they eliminate the risk of credential reuse, a common vulnerability in password-based systems.

  • Protection Against Phishing: Phishing attacks are ineffective against passkeys because a passkey is always bound to the origin (relying party ID) it was created for.

  • No Credential Stuffing: Passkeys are unique for each service, and only the public key is stored server-side. If one relying party is breached, it has no impact on other relying parties.

  • No Brute-Force Attacks: Passkeys rely on asymmetric cryptography and cannot be guessed, making them immune to brute-force attacks.

  • No Man-in-the-Middle Attacks: Man-in-the-middle attacks are not feasible with passkeys because the private key used for authentication never leaves the user's device; the signed response is also bound to the origin and to a one-time challenge, so nothing is transmitted that an attacker could intercept and reuse or alter.

  • No Replay Attacks: Replay attacks are not possible with passkeys because each authentication session generates a unique, one-time cryptographic challenge that cannot be reused or replicated by an attacker.

However, while passkeys offer superior security, they are not entirely immune to hacking:

  • Supply Chain Attacks: A compromised device at the manufacturer level could potentially be tampered with to leak cryptographic keys.

  • Social Engineering: While phishing is less effective, attackers might still use social engineering techniques to trick users into creating passkeys for malicious websites.

  • Session Theft: Passkeys make the authentication step secure and simple for users. However, depending on the relying party's implementation, the session established afterwards could still be stolen and used for malicious purposes.

