Can Passkeys Be Stolen?

Author: Vincent

Created: August 21, 2024

Updated: September 10, 2024



No, passkeys cannot be stolen in a way that would allow unauthorized access, because the private key that performs the authentication is stored on the user's device in a protected environment such as a TPM, TEE or secure enclave. Even if an attacker obtained the public key, it would be useless without the corresponding private key. In addition, using the private key usually requires biometric verification or a PIN, which adds a further layer of protection.

  • Passkeys cannot be stolen to gain unauthorized access because the private key remains secure on the user's device.
  • Public keys could theoretically be intercepted, but they are useless without the private key.
  • Even if a device is stolen, biometric verification or a PIN is required to access the private key.

Understanding Passkey Security

Passkeys are a modern authentication method designed to replace traditional passwords, providing a more secure and user-friendly experience. The security of passkeys lies in the way they handle key pairs and the storage of sensitive data:

  • Public and Private Key Pairs: When a passkey is created, a pair of cryptographic keys is generated: a public key and a private key. The public key is shared with the server and used to verify the user's identity, while the private key stays on the user's device.

  • Secure Storage: The private key is stored in a secure environment on the device, such as a Trusted Platform Module (TPM), Trusted Execution Environment (TEE) or secure enclave. These environments are designed to be tamper-resistant, so an attacker who gains access to the device still cannot extract the private key.

  • Biometric and PIN Protection: To use the private key for authentication, users usually have to provide biometric verification (such as a fingerprint or face recognition) or a PIN. This adds an extra layer of security, so that even if the device is stolen, unauthorized access remains difficult.


What If My Device Is Stolen?

Even in the event of device theft, the security of passkeys remains robust. The private key is not accessible without the correct biometric or PIN verification. This means that, unlike passwords, which can be guessed or cracked, a passkey remains secure because the key itself cannot be accessed without meeting strict authentication requirements.

Theoretical Risks and Mitigations

While public keys could theoretically be intercepted during transmission, they have no value on their own. The private key is never transmitted and never leaves the secure environment of the device. This architecture makes passkeys far more secure than traditional passwords, which can be easily stolen and reused.

In conclusion, the design of passkeys ensures that they cannot be stolen in a way that compromises user security. The combination of secure key storage, biometric/PIN protection, and the separation of public and private keys provides a robust defense against theft.
