What are passkeys?
Passkeys are a passwordless authentication method designed to solve issues with current methods like passwords. A passkey is a digital credential that is uniquely tied to a website or application, enabling authentication without the need for a username, password, or even additional authentication factor. When a user creates a passkey with a particular site or application, a public–private key pair is generated on the user’s device. The site retains a copy of the public key, but the private key that is required to authenticate the user is only on the user’s device.
How do passkeys work?
Users authenticate themselves using a device like a phone, tablet, or PC and biometric data such as face or fingerprint. The core of this technology is public-key cryptography, where a public key is shared with the website or app, and a private key is securely stored on the user’s device. Passwordless authentication is achieved when the public and private keys, which are mathematically linked, are verified to match, ensuring the user is who they claim to be.
What are the pros and cons of passkeys?
Pros:
- Passkey authentication is easy to implement and use. Users don’t need to create, protect, or remember anything about the passkey.
- They are associated exclusively with the website or application for which they were created, safeguarding users from potential phishing attempts.
- Passkeys can be stored in the cloud, making them accessible across multiple devices.
Cons:
- Malware can be used to bypass passkeys
- Lack of passkey adoption and implementation can be costly
- Passkeys are vulnerable to session hijacking attacks aka next-generation account takeover (ATO)
How are passkeys compromised?
Passkeys can be compromised through session hijacking, a method that doesn’t require a credential and sidesteps multi-factor authentication (MFA) and passkeys. In this type of attack, criminals use a cookie associated with an active session, enabling them to gain unauthorized access. Last year alone, SpyCloud recaptured over 20 billion session cookies stolen by infostealers. The longevity of these cookies exacerbates the risk, as many remain valid for months and even longer .
Cybercriminals are innovative and we will undoubtedly see them leverage malware to steal passkeys themselves soon. When that happens, SpyCloud will be here to recapture that data, notify businesses of compromised users, and enable swift action.
