Passkeys

What is a passkey?

A passkey is a public-key cryptographic credential that replaces passwords; the private key stays on the user’s device and there’s no shared secret to phish, steal, or brute-force. Passkeys secure the authentication step – not the session cookies and refresh tokens issued after authentication succeeds, which remain vulnerable to theft.

What passkeys protect - and what they don't

Passkeys are genuinely strong at the front door. The problem is everything that happens after it opens. Once any authentication succeeds – passkey, biometric, or hardware key – the application issues a session cookie and, in OAuth/OIDC environments, a refresh token.

Those artifacts represent the completed login and are issued after the passkey has done its job. An attacker holding a stolen session cookie or refresh token doesn’t need to authenticate at all; the passkey is simply irrelevant to their path in.

Can my organization still be exposed after moving to passkeys?

Run Check Your Exposure to see whether credentials and session cookies tied to your domain remain exposed even as you move toward passkeys. Passkeys reduce password risk, but stolen session cookies and legacy credentials can still be circulating, and SpyCloud surfaces them.

Check your exposure for free →

The session-layer gap and how to close it

AitM phishing is purpose-built to steal post-passkey artifacts, and closing the gap means adding a control at the session layer:

  • The proxy waits. It lets the passkey ceremony complete, then captures the resulting session cookie.
  • Refresh tokens extend the damage. Valid for up to 90 days in enterprises, so a captured one mints fresh sessions for months – surviving a password change or even passkey re-enrollment.
  • Add a session-layer control. Detect stolen cookies and refresh tokens in criminal markets and revoke them.
  • Automate the remediation. SpyCloud Session Identity Protection handles refresh-token revocation, IdP session termination, and app-level cookie invalidation – what passkeys don’t.

Passkeys vs. passwords vs. hardware keys

A password is a shared secret that can be phished, guessed, reused, or stolen in bulk – the exact attack surface passkeys are designed to remove. A passkey is a device-bound public-key credential with no shared secret to steal, which makes it phishing-resistant and far stronger. A hardware security key offers similar cryptographic strength in a separate physical device, useful where credentials shouldn’t live on the endpoint, at the cost of provisioning and recovery overhead.

All three secure the login. None of them protect the session cookie or refresh token issued once login succeeds – which is where the session-layer risk lives.

Passkeys help, but they do not erase what’s already exposed.

See what is still tied to your domain.

Frequently Asked

They sharply reduce credential-based takeover by removing the password as an attack surface. But they operate only at authentication and don’t protect the session cookies and refresh tokens issued afterward. AitM phishing captures the session cookie after the passkey ceremony, and infostealers pull cookies from infected devices – both bypass passkeys by targeting what comes after login.

A passkey is a cryptographic credential that proves identity at login and never leaves the device. A session cookie is a token the server issues after a successful login, stored in the browser and sent with each request to keep the user logged in. Passkeys secure the login; session cookies represent ongoing access. Steal the cookie and you don’t need to authenticate at all.

Session Identity Protection recaptures stolen session cookies and refresh tokens from criminal sources, often within hours. On a confirmed match to a customer’s domain, it automates three-layer remediation: refresh-token revocation at the IdP, SSO session termination cascading to downstream apps, and app-level cookie invalidation – closing both the immediate exposure and the long refresh-token bypass window.
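The following is an added example, not code from this page or from SpyCloud, that models the session layer described above (the artifacts issued after a passkey login and the three-layer remediation applied to them). Every class and function name in it is hypothetical; the 90-day refresh-token lifetime is the figure the page cites, and the 8-hour session lifetime is an assumption. It shows why a captured cookie or refresh token works without any passkey, why passkey re-enrollment alone does not help, and which stores a remediation has to hit to close the window.

```python
"""Session layer behind a passkey login: why a stolen cookie or refresh token
bypasses the passkey, and what a session-layer remediation must revoke.

Added example, not code from the page or from SpyCloud. All class and function
names are hypothetical; the 90-day refresh-token lifetime is the figure the page
cites, the 8-hour session lifetime is an assumption.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REFRESH_TOKEN_TTL = 90 * 24 * 3600  # 90 days (the page's enterprise figure)
SESSION_TTL = 8 * 3600              # assumed app session lifetime


@dataclass
class Grant:
    """A post-authentication artifact: a session cookie or a refresh token."""
    user: str
    expires_at: float
    revoked: bool = False

    def valid(self, now: float) -> bool:
        return not self.revoked and now < self.expires_at


class SessionLayer:
    """Everything the app issues *after* the passkey ceremony has succeeded."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Grant] = {}        # cookie value -> grant
        self.refresh_tokens: Dict[str, Grant] = {}  # refresh token -> grant
        self.passkeys: Dict[str, str] = {}          # user -> registered credential id

    def passkey_login(self, user: str, now: float) -> Tuple[str, str]:
        """Issue a session cookie and refresh token once the passkey assertion
        has verified (the WebAuthn ceremony itself is assumed, not modelled)."""
        cookie = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.sessions[cookie] = Grant(user, now + SESSION_TTL)
        self.refresh_tokens[refresh] = Grant(user, now + REFRESH_TOKEN_TTL)
        return cookie, refresh

    def request(self, cookie: str, now: float) -> Optional[str]:
        """Authorize a request by cookie alone; the passkey plays no part here."""
        grant = self.sessions.get(cookie)
        return grant.user if grant and grant.valid(now) else None

    def refresh(self, refresh_token: str, now: float) -> Optional[str]:
        """Mint a new session cookie from a refresh token, again without a passkey."""
        grant = self.refresh_tokens.get(refresh_token)
        if not grant or not grant.valid(now):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Grant(grant.user, now + SESSION_TTL)
        return cookie

    def reenroll_passkey(self, user: str) -> None:
        """Replace the user's passkey. Note what this does NOT touch: every
        cookie and refresh token already issued stays valid."""
        self.passkeys[user] = secrets.token_hex(8)

    def remediate(self, user: str) -> Dict[str, int]:
        """Session-layer remediation on a confirmed exposure for `user`:
        revoke refresh tokens (stops minting), terminate sessions at the IdP,
        and invalidate app cookies. Here the last two collapse into one store;
        in a real SSO estate they are separate calls to the IdP and to each app."""
        counts = {"refresh_tokens_revoked": 0, "sessions_terminated": 0}
        for grant in self.refresh_tokens.values():
            if grant.user == user and not grant.revoked:
                grant.revoked = True
                counts["refresh_tokens_revoked"] += 1
        for grant in self.sessions.values():
            if grant.user == user and not grant.revoked:
                grant.revoked = True
                counts["sessions_terminated"] += 1
        return counts


def walkthrough() -> Dict[str, object]:
    """Replay the page's scenario: an AitM proxy captured the post-login artifacts."""
    now = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    app = SessionLayer()
    cookie, refresh = app.passkey_login("alice", now)
    # From here on, assume `cookie` and `refresh` were captured; no private key was exposed.
    out: Dict[str, object] = {}
    out["stolen_cookie_works"] = app.request(cookie, now) == "alice"
    app.reenroll_passkey("alice")
    out["works_after_reenroll"] = app.request(cookie, now) == "alice"
    # 60 days on: the cookie has expired, but the refresh token still mints sessions.
    later = now + 60 * 24 * 3600
    out["cookie_expired"] = app.request(cookie, later) is None
    fresh = app.refresh(refresh, later)
    out["refresh_still_mints"] = fresh is not None and app.request(fresh, later) == "alice"
    # Session-layer remediation on a confirmed exposure closes both paths.
    out["remediation"] = app.remediate("alice")
    out["cookie_dead"] = app.request(fresh, later) is None
    out["refresh_dead"] = app.refresh(refresh, later) is None
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running the file prints each step of the walkthrough. The point of the model is the split it makes visible: the passkey store is never consulted by `request` or `refresh`, so re-enrolling a passkey changes nothing for an attacker holding the artifacts, and only `remediate`, which touches the refresh-token and session stores, actually ends their access.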
