Passkeys for Normal People
Troy Hunt explains how passkeys solve the fundamental problem with traditional passwords and two-factor authentication - they can still be phished, as he learned firsthand when he fell victim to a Mailchimp phishing attack despite having 2FA enabled.
The Problem with Current Security:
Traditional authentication has a critical flaw: even with two-factor authentication using one-time passwords (OTPs), hackers can trick you into entering your credentials and OTP code into a fake website that immediately relays them to the real site. Hunt demonstrates this by describing how he was socially engineered into visiting a fake Mailchimp site (mailchimp-sso.com) and entering his credentials and OTP code there, which the attackers then relayed to his real account in real time to log in as him.
How Passkeys Work:
Passkeys are digital files stored on your device that use cryptographic protections to authenticate you. Unlike passwords and OTPs, they're "phishing-resistant": a passkey is cryptographically bound to the legitimate domain, so it simply won't work on a fake website, and there is nothing for a phishing page to capture and relay. Hunt walks through setting up passkeys on WhatsApp (mobile), LinkedIn (PC), and Ubiquiti (as true 2FA), showing how the experience varies between services.
Key Benefits and Limitations:
Passkeys make security easier rather than harder, often providing one-click sign-in that's faster than traditional methods. However, implementation varies wildly between services. LinkedIn treats passkeys as just another login method alongside your still-vulnerable password, while Ubiquiti lets you use a passkey as a genuine second factor and remove phishable OTP codes entirely.
Physical Security Keys:
For maximum security, Hunt demonstrates storing passkeys on physical YubiKeys (U2F keys) that cost around $60. These eliminate the risk of your digital passkey storage (like iCloud or 1Password) being compromised, though you risk being locked out of your accounts if you lose the key.
Current State and Adoption:
While not yet at the tipping point, passkey adoption is accelerating. Microsoft recently announced new accounts will be passwordless by default, and many major brands now support them. Hunt recommends checking 1Password's passkeys.directory to find supported services and vote for others to add support.
TL;DR:
- Problem solved: Traditional 2FA can be phished in real-time by sophisticated attackers
- How passkeys help: Cryptographically tied to legitimate domains, can't be used on fake sites
- User experience: Often faster and easier than passwords + 2FA codes
- Implementation varies: Some sites offer passkeys only as an alternative login, others as a true 2FA replacement
- Storage options: Device keychain, password managers, or physical security keys
- Current status: Growing adoption, Microsoft going passwordless by default
- Bottom line: Start using them now on your most important accounts