Phishing is still the number one initial access vector for cyber attacks. Despite billions spent on email security, security awareness training, and multi-factor authentication, users still fall for credential harvesting attacks. Passkeys change this equation fundamentally — not by training users to be better, but by making phishing cryptographically impossible.
The Problem with Passwords (and Most MFA)
Traditional authentication has a fatal flaw: the user shares a secret (password) with the server, and that secret can be intercepted in transit. Even with MFA, most second factors are phishable:
- SMS codes — Can be intercepted via SIM swap attacks or real-time phishing proxies
- TOTP codes — 6-digit codes can be relayed through phishing pages in real-time (tools like Evilginx make this trivial)
- Push notifications — Vulnerable to MFA fatigue attacks (repeatedly sending push requests until the user approves)
- Email OTPs — Same relay vulnerability as TOTP
The core issue: any authentication method where the user manually enters or approves a credential on a page they navigated to can be phished, because the user cannot reliably verify they’re on the legitimate site.
How Passkeys Work
Passkeys are based on the FIDO2/WebAuthn standard. Instead of a shared secret, they use public key cryptography:
- Registration — When you create a passkey for a site, your device generates a unique key pair. The private key stays on your device (in secure hardware like a TPM or Secure Enclave). The public key is sent to the server.
- Authentication — When you sign in, the server sends a random challenge. Your device signs the challenge with the private key. The server verifies the signature with the stored public key.
The critical point: the private key never leaves your device. There is no secret to phish, intercept, or steal from the server.
Why Passkeys Are Phishing-Resistant
The phishing resistance isn’t just about key pairs — it’s built into the protocol at multiple levels:
1. Origin Binding
This is the most important anti-phishing mechanism. When a passkey is created for example.com, it is cryptographically bound to that relying party ID (the domain, example.com). The browser enforces this — it will only allow the passkey to be used on an origin belonging to example.com, never on examp1e.com or example-login.com.
Unlike a user who might not notice a misspelled domain, the browser’s origin check is absolute. A phishing page on a lookalike domain simply cannot trigger the passkey — the browser won’t present it as an option.
2. No Shared Secrets
With passwords, both the user and the server know the secret. With passkeys, only the device holds the private key. Even if an attacker compromises the server’s database, they get public keys — which are useless for authentication. There is nothing to steal.
3. Challenge-Response Protocol
Each authentication is a unique challenge-response. The server sends a random nonce, the device signs it, and the server verifies. Replaying a previous authentication response doesn’t work because each challenge is unique and time-bound.
4. No User Judgement Required
This is perhaps the most underappreciated advantage. Password-based phishing works because it exploits human judgement — users must evaluate whether a site is legitimate before entering credentials. Passkeys remove this burden entirely. The cryptographic protocol handles verification automatically. Users don’t need to check URLs, inspect certificates, or make security decisions.
Real-World Attack Scenarios
Let’s walk through common phishing attacks and how passkeys defeat them:
Credential Harvesting Page
Attack: Attacker creates a perfect clone of your bank’s login page at bank-secure-login.com.
With passwords: User enters credentials on the fake page. Attacker captures them and logs into the real site.
With passkeys: User visits the fake page. The browser checks for passkeys registered to bank-secure-login.com — finds none (the passkey is bound to bank.com). No passkey is offered. Authentication cannot proceed on the phishing site.
Real-Time Proxy (Evilginx-style)
Attack: Attacker proxies the real site through their server, intercepting credentials and session tokens in real-time.
With passwords + TOTP: The proxy relays the password and TOTP code to the real site, captures the session cookie, and hijacks the session. This works against most MFA methods.
With passkeys: The proxy serves the phishing domain. The signed client data in the WebAuthn assertion carries the origin the browser actually saw (phishing-domain.com), which doesn’t match the origin and relying party ID the server expects (real-site.com). The server rejects the authentication. Even a perfect proxy cannot change the origin bound into the cryptographic assertion, because the origin is covered by the signature and the proxy does not hold the private key.
Passkey Adoption in 2026
Passkey support has reached critical mass:
- Apple — iCloud Keychain syncs passkeys across all Apple devices. Safari fully supports WebAuthn.
- Google — Chrome and Android support passkeys natively. Google accounts accept passkeys as primary authentication.
- Microsoft — Windows Hello integrates with WebAuthn. Microsoft accounts support passkeys.
- Enterprise — Okta, Azure AD, Duo, and major identity providers now support passkeys for workforce authentication.
Limitations and Considerations
Passkeys aren’t perfect for every scenario:
- Account recovery — If a user loses all their devices, recovery becomes complex. Most implementations fall back to email or SMS recovery, which reintroduces phishing risk at the recovery step.
- Shared devices — Passkeys tied to a device’s biometric don’t work well on shared workstations. Hardware security keys (YubiKey, etc.) are the answer here.
- Legacy systems — Not all applications support WebAuthn yet. Transition periods where passwords and passkeys coexist still leave the password-based attack surface open.
The Bottom Line
Passkeys represent the first authentication technology that eliminates phishing at the protocol level rather than relying on user vigilance. The origin binding mechanism means that no amount of social engineering can make a passkey work on the wrong domain.
For security teams evaluating authentication strategies, passkeys should be the target state. The technology is mature, the ecosystem supports it, and the phishing resistance is not theoretical — it’s cryptographic.
Test Your Team’s Phishing Awareness
Passkeys solve the technical problem — but does your team know how to spot phishing attempts targeting other channels? Take our Security Awareness Assessment to find out.
Related Tools
- Vaultwarden — Self-hosted password manager to manage credentials alongside your passkey rollout
- Tailscale — Zero-config VPN for secure access control across your infrastructure
- Headscale — Self-hosted Tailscale control server for full identity and access sovereignty