Imagine a soccer match where one team is playing blindfolded. That's exactly what password protection looks like in a world where phishing attacks aren't just common – they're an industrial-scale operation. According to the Anti-Phishing Working Group, over 890,000 such attacks were recorded in the third quarter of 2025 alone. Eight hundred and ninety thousand! These aren't lone-wolf cybercriminals in dark basements; this is an entire industry hunting for your logins and passwords every single day.
A password is like a paper key to a steel door. It seems to lock something, but the first rain will destroy it. You enter your password on a phishing site that looks just like your bank – and that's it, game over. That's why the cybersecurity industry has been actively pushing an alternative for several years: a technology called FIDO2, or more specifically, its user-facing implementation, passkeys.
So, what is it, how does it work, are passkeys truly invulnerable – and where are the chinks in this armor? Let's dive in and find out.
What is FIDO2 and Why Do We Need It
FIDO2 is an open standard developed by the FIDO (Fast IDentity Online) Alliance in partnership with the W3C. Its goal is to make logging into online services both secure and convenient without using passwords. The standard consists of two key components:
- WebAuthn – an API for browsers that allows websites to communicate with a user's device to confirm their identity.
- CTAP (Client to Authenticator Protocol) – a protocol that enables external devices, like USB tokens or smartphones, to participate in the authentication process.
Passkeys are the specific implementation of FIDO2 already supported by Apple, Google, Microsoft, and most major browsers. When you see a “Sign in with a passkey” button on a website and confirm with your fingerprint or a PIN, that's FIDO2 in action.
How It Works: Cryptography Without the Snooze Fest
Let me try to explain with an analogy. Imagine you have a special lock and key set. You can give copies of the open lock to everyone – that's the public key. But you keep the only key that can open it – that's the private key. Anyone can snap your lock shut on a message for you, but only you can open it.
In the world of FIDO2, it works like this. When you register on a site using a passkey:
- The site generates a random code – a so-called challenge.
- Your device (smartphone, laptop, USB token – this is called an authenticator) creates a unique pair of cryptographic keys: a public key and a private key.
- The private key stays on your device and never leaves it. Ever. This is fundamentally important.
- The public key is sent to the site's server and stored there.
- The authenticator signs the challenge with the private key and sends this signature back. The server verifies the signature using the public key and confirms: yes, this is indeed that user.
When you sign in next time:
- The server again generates a random challenge.
- Your browser asks the authenticator to sign it with the private key that is bound specifically to that domain.
- You approve the operation – with your fingerprint, face, or a PIN.
- The signed challenge is sent to the server, the server verifies the signature – and you're in.
The beauty of this system is that there's nothing for an attacker to intercept. The password doesn't exist. The secret is stored on your device and is never transmitted. Even if someone were to eavesdrop and see the signed challenge, they couldn't reuse it – a new one is generated every time.
Why Passkeys Are So Strong Against Phishing
Phishing operates on a simple principle: a counterfeit site is created, the victim enters their credentials, and the attacker gets them. With passwords, this is elementary. But with passkeys, this scheme falls apart in several places.
First, domain binding. When you create a passkey for bank.com, it is tied to that specific address at the protocol level. If an attacker creates a phishing site at b4nk.com or bank-login.com, your browser simply won't offer to use the passkey – because the domain is different. This isn't a warning you can ignore; it's a hard technical limitation.
Second, the private key is never transmitted. Even if an attacker somehow intercepts all the traffic between you and the server, they won't get anything they can use to log in later. Each signature is for one-time use.
Third, no password, no password leak. Password databases leak regularly. With passkeys, only the public key is stored on the server – useless without its private half, which the attacker doesn't have.
It's like instead of telling a guard a password (which can be overheard), you present a unique biometric pattern that can't be copied and only works on that specific door.
But It's Not All Rosy: Vulnerabilities Exist
I wouldn't be honest if I said FIDO2 is an absolute suit of armor. Any technological system exists in the real world, and the real world is full of people, devices, and mistakes. Researchers have identified several serious attack vectors – and two of them have been implemented in practice as part of a security analysis of this technology.
🔬 Attack #1: The “Infected Authenticator”
The entire magic of passkeys is built on one assumption: the authenticator is honest. That is, the device storing your private key and creating signatures works exactly as advertised. But what if it's infected with malicious software?
Imagine you bought a lock from a counterfeit manufacturer who secretly made a duplicate key for themselves. The lock looks normal and opens your door – but the scammer has an exact copy.
This is exactly how the “Infected Authenticator” attack works. The scheme looks like this:
- A malicious software authenticator gets onto the user's device – for example, by installing a questionable app or using a compromised USB token with modified firmware.
- When the user registers on a legitimate site, say, bank.com, this fake authenticator generates a key pair – but a special one: the private key from this pair is already known to the attacker.
- The bank.com server accepts the public key and saves it – it knows nothing of the trickery.
- Now the attacker, who has the private key, can independently sign any challenges from bank.com and log in as the victim – without physical access to the user's device and without any additional manipulation.
This attack effectively destroys the entire FIDO2 security model – but only under one condition: the attacker must compromise the authenticator in advance. This requires either physical access to the device or the installation of malicious software. That in itself is a significant barrier.
How can you protect yourself? Use only certified hardware authenticators with protection against firmware tampering. Such devices are verified through the FIDO certification program and contain special secure elements – hardware modules from which it is physically impossible to extract the key. Never install authenticator apps from unverified sources.
🎭 Attack #2: The “Masquerade” Attack
This attack is more cunning and technically sophisticated. It's like a carnival masquerade, where the attacker puts on the mask of a real website – and the mask is so convincing that even the browser doesn't notice the impersonation.
Let's break down the mechanics step by step.
Browsers trust websites via digital certificates – electronic documents that confirm, “yes, this site is really who it says it is.” These certificates are issued by special organizations called Certificate Authorities (CAs). A list of trusted CAs is stored in the browser and operating system.
If an attacker can add their own Certificate Authority to this list, they gain the ability to issue certificates for any site – including bank.com. The victim's browser will consider them genuine because they are signed by a “trusted” (from the perspective of the compromised system) source.
The attack then unfolds like this:
- The attacker installs their root certificate on the victim's computer – either through malicious software or social engineering.
- They set up their own server that impersonates bank.com and issue a certificate for it using their CA.
- The victim's traffic is redirected to this fake server – for example, by tampering with DNS records on the client side or using a proxy.
- When the victim opens bank.com, they see the familiar site with a green padlock in the address bar and suspect nothing.
- The attacker's server secretly connects to the real bank.com and gets a real cryptographic challenge from it.
- This challenge is passed on to the victim. The victim confirms the sign-in with their real private key, stored on their authenticator.
- The signed response is returned to the attacker, who immediately forwards it to the real bank.com.
- The bank's server receives a valid signature, verifies it – and lets the attacker into the victim's account.
This is a so-called relay attack. The victim genuinely signed a real challenge from the real server. The attacker simply sat in the middle and used the signature at the right moment. There's no cryptographic break – only a deception of context.
An important nuance: this attack requires prior compromise of the victim's device. The attacker must install a root certificate, which cannot be done remotely without a system vulnerability or the user's consent (even if obtained deceptively). This is a very high barrier to entry compared to traditional phishing, where just buying a similar-looking domain name is enough.
The defense here is multi-layered. Operating systems should strictly control the installation of root certificates and warn the user about such actions. HSTS (HTTP Strict Transport Security) adds another barrier. The Certificate Pinning mechanism allows an application to “memorize” in advance which specific certificate a site should have and reject any others – but it is technically more complex to implement.
Other Points of Vulnerability in the FIDO2 Ecosystem
Besides the two attacks described above, researchers highlight a whole range of theoretically possible compromise vectors.
Server Compromise
If an attacker hacks a server database and steals users' public keys, it gives them almost nothing. A public key is, by definition, public and is useless on its own for logging into a system. Compare this to a password database leak, after which millions of users are instantly at risk. The difference is colossal.
Nevertheless, a compromised server can be used for denial-of-service attacks or to substitute challenges – but this does not allow for the theft of credentials.
Malicious Browser Extensions
Browser extensions operate in a privileged context and could theoretically intercept or alter WebAuthn requests. If an extension can show the user a fake pop-up window requesting confirmation, the user might accidentally authorize an unwanted operation. This requires an installed malicious extension – again, a high barrier to entry.
Social Engineering
The oldest weapon in the fraudster's arsenal. No amount of cryptography can protect a user who is convinced to click “Confirm” on the right prompt at the right time. For example, an attacker calls a victim, pretends to be a bank employee, and asks them to “verify their identity” – at that moment, the attacker is trying to log into the victim's account and is trying to get the victim to approve the prompt on their device.
The Big Picture: How Much Safer Is FIDO2 Than Passwords?
To be honest, FIDO2 really does what it promises: it significantly raises the bar for attackers.
Classic phishing works because it's easy to scale. Sending out a million emails with a link to a fake site costs pennies. Someone is bound to enter their password – and the attacker gets it instantly, without any extra steps.
With passkeys, this scenario doesn't work. To compromise an account protected by FIDO2, an attacker needs to:
- Gain physical or software access to the victim's device, or
- Convince the victim to install a malicious certificate or authenticator, and at the same time
- Carry out a complex technical operation to redirect traffic and relay challenges.
This is not at all the same as sending a phishing email. It's a targeted, costly operation against a specific victim. For mass fraud, it's not profitable. That's why the claim that passkeys are resistant to phishing is generally true – with the caveat that absolute protection does not exist.
What's Needed for Protection to Work Reliably
Technology is only part of the equation. For FIDO2 to work as intended, several conditions must be met.
Use certified authenticators. Hardware security keys (like YubiKey or similar) with FIDO certification contain secure elements from which it is physically impossible to extract the private key. Built-in authenticators in modern smartphones and laptops (Face ID, Touch ID, Windows Hello) also use hardware-protected key storage.
Keep your operating system healthy. Both of the attacks described begin with device compromise. Update your OS, don't install software from unverified sources, and keep an eye on what extensions are installed in your browser.
Be wary of unexpected confirmation requests. If you're asked to “confirm sign-in” when you haven't initiated anything yourself, that's a red flag. A real bank or service won't call you and ask you to push a button.
Organizations should pay attention to the attestation mechanism. FIDO2 includes the ability to verify an authenticator's authenticity on the server side – this is called attestation. It allows a server to ensure that the user is using a certified device, not a home-brewed or infected authenticator. The development and implementation of this mechanism is one of the key areas for improving FIDO2's reliability.
Conclusion: A Step Forward, But Not the Finish Line
FIDO2 and passkeys are not just another update to passwords. They represent a fundamentally different approach to authentication that eliminates an entire class of threats that passwords simply can't handle. Domain binding, keeping the secret only on the user's device, and the absence of a transmitted secret – all this makes classic phishing practically useless against this technology.
At the same time, the 2025 research confirms: vulnerabilities exist. They require significantly more resources and prior access to the victim's system than a typical phishing campaign – but they are real. The “Infected Authenticator” and the “Masquerade” attack are not theoretical horror stories but implemented and tested scenarios.
Algorithms aren't better than us – they're just different. And in this sense, FIDO2 is honest: it doesn't promise to defeat all attackers forever. It promises to make an attack on your account so costly and complex that for most fraudsters, it's simply not profitable. And in digital security, that's already a huge achievement.