Attack vector | What phishers try | How passkeys stop them | Technical reason |
---|---|---|---|
Fake domain / look-alike site | Lure the user to compannyy.com and steal typed credentials | No credentials to steal | The browser/OS will not present the passkey unless the domain exactly matches the one registered (company.com). |
Man-in-the-middle / proxy phishing | Intercept login traffic between the user and the real site | Verifier-name binding | The cryptographic assertion contains the site's hostname and origin; if they don't match, the signature is rejected. |
Credential replay | Capture and reuse a one-time code or cookie | Asymmetric challenge-response | Each login uses a fresh signature that is useless to replay; there is no static secret on the server. |
Cross-device phishing | Trick the user into approving a login on a remote machine | Proximity check | Cross-device authentication uses Bluetooth Low Energy (or USB/NFC) to ensure the authenticating phone/key is physically near the requesting device. |
Server breach | Steal stored authentication secrets | No shared secrets | Only the public key is stored server-side; the private key never leaves the user's secure enclave. |
How passkeys block phishing attacks
Gist by msenturk, last active July 16, 2025 16:10