We're now live! Signup now

How passkeys prevent Phishing attacks

Passkeys

Passkeys are tied to specific (https) websites. Browsers won't use a private key intended for one website to sign a challenge generated by a different site.

Phishing attacks are one of the easiest, yet most devastating vectors of attack. Even the “green bar” EV SSL concept failed to prevent phishing attacks. The fundamental issue is users themselves.

We all log in to countless websites and apps every day, especially in post covid hybrid working environments where personal and professional is a bit blured. The truth is that we’re all too busy (or disinterested) to check the SSL certificate of every site we visit.

Browser enforcement

Passkeys solve this problem and close the attack vector. Because passkeys are managed by the browser, the browser can check the target website. Each passkey is tied to a specific website, and browsers won’t use a passkey for one site to sign a challenge generated by a different site.

It’s a bit more complex than this, because passkeys use something similar to the cookie domain concept. i.e. a passkey generated for example.com could be used on example.com and login.example.com, but one generated for login.example.com could not be used on app.example.com.

Happy days 😊

Toby Hobson

Toby Hobson

Founder

Passkeys

SvelteKit Passkeys Usability

If you've followed the previous instalments in this series, you'll have built a SvelteKit app with passkey authentication, session management and authorization. It's functional, but it feels a bit clunky. Let's improve things.

Passkeys

SvelteKit + Passkeys + Lucia

In this tutorial you'll build on your previous work to integrate passkeys with Lucia users and sessions. You'll handle session creation, expiry and invalidation, and protect your routes using SvelteKit hooks.

Passkeys

SvelteKit + Passkeys

In this tutorial you'll learn how to add passkey authentication to your SvelteKit apps. You'll register a passkey and use it to login. In subsequent tutorials I'll show you how to add session management, social login and more.

Passkeys

Passkey browser support in 2024

All the major browsers now support passkeys, however biometric support is often limited to those browsers with tight platform integration e.g. Safari on iOS and Chrome on Android.

Passkeys

Two factor authentication using passkeys

Passkeys enable two factor authentication (including biometrics). Users can even use a biometric enabled device e.g. iPhone FaceID to authenticate against a device lacking this capability e.g. a desktop.

Want product news and updates?

Sign up for our newsletter

We care about your data. Read our privacy policy .