Are Passkeys Truly Unphishable? The Evidence Behind the Passwordless Transition
As major tech platforms push users toward biometric passkeys, security researchers are evaluating whether the underlying cryptography actually eliminates credential theft. The data shows a massive drop in traditional phishing, but exposes a new frontier of session-token attacks.
By Factlen Editorial Team
- Identity Standards Bodies
- Advocates for the rapid, universal deprecation of passwords in favor of cryptographic, phishing-resistant standards.
- Enterprise Security Teams
- Focuses on the practical implementation of passkeys, balancing the security benefits against the risks of cloud-syncing and account recovery.
- Threat Researchers
- Analyzes how cybercriminal tactics are evolving to bypass passkeys through malware and session token theft.
What's not represented
- · Consumer Privacy Advocates
- · Hardware Security Key Manufacturers
Why this matters
Passwords have been the root cause of over 80% of data breaches for decades, costing consumers and businesses billions. Understanding how passkeys work—and where they still fall short—helps you secure your own accounts and recognize the next generation of cyber threats.
Key points
- Passkeys replace shared secrets (passwords) with public-key cryptography tied to device biometrics.
- The private key never leaves the user's device, making it immune to database breaches and interception.
- Because passkeys are mathematically bound to specific domains, they effectively eradicate traditional phishing attacks.
- To prevent account lockouts, Apple and Google sync passkeys across devices, introducing minor cloud-security risks.
- As passkeys block front-door attacks, hackers are pivoting to stealing session cookies via malware.
The password is dying, and the cybersecurity industry is celebrating. For decades, shared secrets—passwords, PINs, and security questions—have been the Achilles' heel of digital security, vulnerable to interception, reuse, and social engineering. Now, a structural shift is underway.[1][6]
Backed by Apple, Google, and Microsoft, the tech ecosystem is rapidly transitioning to passkeys. These digital credentials replace typed passwords with cryptographic keys tied directly to a user's device and unlocked via biometric sensors like Face ID or fingerprint readers.[2]
The central claim driving this massive infrastructure transition is bold: passkeys are fundamentally "phishing-resistant." In this evidence pack, we evaluate the data behind that claim, examining whether the underlying cryptography truly eliminates credential theft or simply shifts the attack surface.[6]
To understand the evidence, we must first unpack the mechanism. Passkeys rely on the WebAuthn standard, which abandons shared secrets entirely in favor of public-key cryptography. When a user registers a passkey, their device generates a unique mathematical pair.[1]
One half is the public key, which is sent to the website's server. The other half is the private key, which is permanently locked inside the device's secure hardware enclave. The website never sees, stores, or knows the private key.[1][4]
During login, the website sends a cryptographic challenge to the phone or computer. The device uses the private key to solve the challenge—but only after the user authorizes it with a biometric scan. Because the private key is never transmitted across the internet, it cannot be intercepted in transit.[1][4]
The empirical evidence supporting the anti-phishing claim is highly robust. According to recent deployment data from major identity providers, organizations that have fully migrated their workforces to passkeys report a near-total elimination of traditional credential-harvesting attacks.[2]
The empirical evidence supporting the anti-phishing claim is highly robust.
This success stems from domain binding. Even if a user is tricked into visiting a pixel-perfect fake website, the passkey mechanism fails safe. The cryptographic signature is mathematically bound to the specific verified domain, meaning the credential simply will not execute on a phishing site.[1][3]
Beyond security, academic evaluations highlight significant usability gains. Controlled studies show that passkey logins are completed up to four times faster than traditional password-plus-SMS workflows, dramatically reducing user friction and support-desk ticket volume.[3]
However, transparent uncertainty remains regarding cross-device synchronization. To prevent users from permanently losing their accounts when they drop a phone in a lake, Apple and Google sync passkeys across their respective cloud ecosystems.[2][3]
Security researchers note that this syncing introduces a secondary attack surface. If a user's underlying cloud account is compromised through other means, an attacker could potentially access the synced passkeys, bypassing the physical device requirement entirely.[3]
Furthermore, adversarial threat analysts warn that as passkeys close the front door, attackers are simply climbing through the windows. The new frontier of identity theft is post-authentication session hijacking.[5]
Once a user successfully logs in with a passkey, the website issues a "session cookie"—a temporary digital token stored in the browser that keeps them logged in. Malware on the user's computer can steal this cookie, granting the attacker full access without ever needing to interact with the passkey.[5][6]
Federal security agencies are currently drafting updated guidelines to address these post-authentication vulnerabilities. The next phase of identity security will require continuous authentication protocols that verify a user's behavioral patterns throughout a session, rather than just at the front door.[4]
The final verdict on the evidence? Passkeys are not a silver bullet against all cybercrime, but they represent a massive, structural upgrade over passwords. By eradicating the most common, scalable phishing tactics that have plagued the internet for thirty years, they are making the digital world objectively safer.[6]
How we got here
2013
The FIDO Alliance is formed to solve the global password problem.
2019
The WebAuthn standard becomes an official W3C recommendation, laying the groundwork for passkeys.
2022
Apple, Google, and Microsoft announce expanded support for the FIDO standard, coining the consumer-friendly term 'passkeys'.
2023
Major consumer platforms, including Google Accounts and Amazon, begin rolling out passkey support to billions of users.
2026
Enterprise adoption reaches critical mass, prompting threat actors to pivot heavily toward post-authentication session hijacking.
Viewpoints in depth
Identity Standards Bodies
Advocates for the rapid, universal deprecation of passwords in favor of cryptographic, phishing-resistant standards.
Organizations like the FIDO Alliance and major platform providers view passkeys as the ultimate solution to the internet's oldest security flaw. They argue that human behavior cannot be patched; people will always reuse passwords and fall for convincing phishing lures. By removing the shared secret entirely, they believe the industry can structurally eliminate the root cause of over 80% of data breaches, shifting the burden of security from the user's memory to the device's cryptographic hardware.
Enterprise Security Teams
Focuses on the practical implementation of passkeys, balancing the security benefits against the risks of cloud-syncing and account recovery.
While enterprise defenders acknowledge the massive security upgrade passkeys provide, they are cautious about the reality of deployment. Their primary concern is the 'sync fabric'—the mechanism Apple and Google use to back up passkeys to the cloud. Security teams worry that if an employee's personal Apple ID is compromised, the attacker could gain access to their synced corporate passkeys. Consequently, many enterprises prefer hardware-bound keys (like YubiKeys) that cannot be copied or synced to consumer clouds.
Threat Researchers
Analyzes how cybercriminal tactics are evolving to bypass passkeys through malware and session token theft.
Adversarial analysts emphasize that cybercrime is an economy, and attackers will always find the path of least resistance. As passkeys make traditional credential harvesting obsolete, researchers are tracking a massive spike in 'infostealer' malware. Instead of trying to steal the passkey itself, this malware waits for the user to log in legitimately, then quietly extracts the active session cookie from the browser. This allows the attacker to hijack the authenticated session, proving that while passkeys secure the login event, they do not secure the device itself.
What we don't know
- Whether the rise of session hijacking will force a fundamental redesign of how web browsers handle authentication cookies.
- How quickly legacy banking and healthcare institutions will fully deprecate passwords in favor of passkey-only flows.
- The long-term security implications of syncing cryptographic keys across consumer cloud ecosystems.
Key terms
- Passkey
- A digital credential tied to a user's device that replaces a password with a cryptographic key pair.
- WebAuthn
- The underlying web standard that allows browsers and operating systems to use public-key cryptography for logging in.
- Public-Key Cryptography
- A security system using two mathematically linked keys: a public one shared with the website, and a private one kept secret on the device.
- Phishing-resistant
- An authentication method that cannot be compromised even if a user is tricked into interacting with a fake, malicious website.
- Session Cookie
- A temporary digital token stored in your browser after logging in, which proves to the website that you are authenticated.
Frequently asked
Will I lose my accounts if I lose my phone?
Generally, no. Major ecosystems like Apple and Google sync your passkeys to your cloud account, allowing you to recover them on a new device by logging into your Apple ID or Google account.
Can a website steal my fingerprint?
No. Your biometric data (fingerprint or face scan) never leaves your device. It is only used locally to unlock the cryptographic private key.
What happens if a website using passkeys gets hacked?
Because the website only holds your public key, a database breach gives hackers nothing useful. The public key cannot be used to log into your account without the private key stored on your device.
Are passkeys vulnerable to session hijacking?
Yes. If malware infects your computer, it can steal the temporary session cookie generated after you log in, allowing an attacker to access your account without needing the passkey.
Sources
Source coverage
6 outlets
3 viewpoints surfaced
[1]FIDO AllianceIdentity Standards Bodies
The State of Passwordless Security: Global Adoption and Efficacy
Read on FIDO Alliance →[2]Google Security BlogIdentity Standards Bodies
Two Years of Passkeys: Adoption Metrics and Phishing Reduction
Read on Google Security Blog →[3]USENIX Security SymposiumEnterprise Security Teams
An Empirical Evaluation of Passkey Usability and Syncing Risks
Read on USENIX Security Symposium →[4]Cybersecurity and Infrastructure Security AgencyEnterprise Security Teams
Implementing Phishing-Resistant MFA: Guidelines for Critical Infrastructure
Read on Cybersecurity and Infrastructure Security Agency →[5]Okta Threat IntelligenceThreat Researchers
The Rise of Session Hijacking in a Passwordless World
Read on Okta Threat Intelligence →[6]Factlen Editorial Team
Synthesis by Factlen editorial team
Read on Factlen Editorial Team →
Every angle. Every day.
Get technology stories with full source coverage and perspective breakdowns delivered to your inbox.