Can Passkeys Be Hacked?

Can Passkeys Be Hacked?#

Passkeys, by design, are significantly more secure than traditional passwords and are much harder to hack due to their cryptographic nature. However, like any technology, they are not entirely immune to certain vulnerabilities.

Passkeys are more secure than passwords due to their cryptographic basis.
Passkeys eliminate risks associated with phishing, man-in-the-middle, brute-force, replay, and credential stuffing attacks.

Understanding Passkey Security#

Passkeys are built on top of the WebAuthn standard and utilize public-key cryptography to authenticate users without relying on traditional passwords. This makes them inherently more secure against common threats such as phishing, credential stuffing, and brute force attacks. Here’s why passkeys are considered secure:

Public Key Infrastructure: Passkeys use a public-private key pair, where the private key never leaves the user’s device, making it nearly impossible for attackers to intercept.
Elimination of Passwords: Since passkeys don’t rely on shared secrets (like passwords), they eliminate the risk of credential reuse, a common vulnerability in password-based systems.

Discuss passkeys news and questions in r/passkey.

Join Subreddit

Protection Against Phishing: Phishing attacks are ineffective against passkeys because a passkey is always bound to the origin (relinyg party ID) that it was created for.
No Credential Stuffing: Passkeys are unique for each service and only the public key is stored server-side. That means, in case on relying party is breached it doesn't have any impact on other relying parties.
No Brute-Force Attacks: Passkeys rely on asymmetric cryptography and cannot be guessed making them immune against brute-force attacks.
No Man-in-the-Middle-Attacks: Man-in-the-middle attacks are not feasible with passkeys because the private key used for authentication never leaves the user's device, ensuring that no sensitive information is transmitted that can be intercepted or altered.
NO Replay Attacks: Replay attacks are not possible with passkeys because each authentication session generates a unique, one-time cryptographic challenge that cannot be reused or replicated by an attacker

However, while passkeys offer superior security, they are not entirely immune to hacking:

Supply Chain Attacks: A compromised device at the manufacturer level could potentially be tampered with to leak cryptographic keys.
Social Engineering: While phishing is less effective, attackers might still use social engineering techniques to trick users into creating passkeys for malicious websites
Session Theft: Passkeys make the authentication part secure and simple for the users. However, depending on the implementation of the relying party, the session could still be stolen and used for malicious purposes.