Passkeys Phishing: Why Passkeys Are Phishing-Resistant (2024)

Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.

Overview#

  1. Introduction: Passkeys & Phishing
  2. What's Phishing?
     2.1 What's Email Phishing?
     2.2 What's Spear Phishing?
     2.3 What's Whaling?
     2.4 What's Smishing (SMS Phishing)?
     2.5 What's Vishing (Voice Phishing)?
     2.6 What's Clone Phishing?
     2.7 What's Pharming?
     2.8 What's Man-in-the-Middle Phishing?
     2.9 What's Social Media Phishing?
     2.10 What's Malvertising?
     2.11 What's Search Engine Phishing?
     2.12 What's Pop-Up Phishing?
  3. The Vulnerabilities of Traditional Authentication Methods
  4. Why is phishing such a big problem today?
     4.1 Humans are a Vulnerability
     4.2 Phishing Mistakes are Inevitable
     4.3
     4.4 Complexity vs. Convenience (Users Favor Simple Things)
     4.5 Psychological Factors Play a Role
     4.6 Credential-Based Attacks are on the Rise
     4.7 Rise of Remote Work and Digital Reliance
     4.8 Escalating Cyber Threat
     4.9 Reputational Damage and Trust
     4.10 Increasing Number of Data Breaches
  5. Why are Passkeys Phishing-Resistant
     5.1 Binding to Origin (Relying Party ID)
     5.2 Public Key Cryptography and No Shared Secrets
     5.3 Elimination of Common Phishing Vectors
     5.4 Device-Specific Security
     5.5 Unique Passkeys for Each Account
     5.6 Secure Cross-Device Authentication
     5.7 User Interaction is Required
     5.8 Compliance with NIST Guidelines
  6. Conclusion: Passkeys & Phishing

1. Introduction: Passkeys & Phishing#

Almost no week passes without news of a major data breach. What most of these data breaches have in common is that they are often caused by a rather simple cyber-attack: phishing, where attackers trick individuals into revealing sensitive information.

That's why secure user authentication is more critical than ever. Traditional methods, such as passwords and SMS-based two-factor authentication (2FA), are increasingly vulnerable to sophisticated cyberattacks. Moreover, the volume of credentials leaked from data breaches is massive, with over 13 billion leaked passwords available on the darknet. Passkeys, based on the WebAuthn standard, offer a robust defense against phishing and credential stuffing. This blog post focuses on the relationship between passkeys and phishing, and answers the following questions:

  • What's phishing and what types of phishing exist?
  • How vulnerable are different authentication methods to phishing?
  • Are passkeys phishing-resistant?


2. What’s Phishing?#

Phishing is a type of social engineering attack designed to trick victims into disclosing confidential information. Cybercriminals often send links to fake websites that appear legitimate, urging victims to click on them. These counterfeit websites are crafted to steal sensitive data. For example, a fake website might prompt a victim to enter their login credentials for what looks like a legitimate company site. By doing so, however, the victim inadvertently gives their login information to the cybercriminal, who can then use these credentials to access the victim's actual accounts. Often the attacker knows that the victim is a user of the service, either because it is very likely (the service is one that many people use, e.g. Amazon or DHL) or because the account information has been disclosed in another way (e.g. an IBAN reveals at which bank a user has an account).

There are various types of phishing attacks, each targeting different channels and employing unique tactics:

2.1 What’s Email Phishing?#

Email phishing is when fraudulent emails that appear to come from legitimate sources are designed to trick recipients into revealing personal information or clicking on malicious links.

(Image: email phishing example, taken from https://www.phishing.org/phishing-examples)

2.2 What’s Spear Phishing?#

Spear phishing is a more targeted form of phishing where attackers personalize emails to a specific individual or organization, making the scam more convincing.

(Image: spear phishing example, taken from https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing)

2.3 What’s Whaling?#

Whaling is a type of spear phishing aimed at high-profile targets such as executives or senior managers. It often involves fake emails from trusted sources within the organization.

(Image: whaling example, taken from https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing)

2.4 What’s Smishing (SMS Phishing)?#

Smishing (SMS phishing) is a phishing attack conducted through SMS text messages, which may contain malicious links or requests for personal information.

(Image: smishing example, taken from https://www.devfuzion.com/smishing-what-you-need-to-know-about-text-scams)

2.5 What’s Vishing (Voice Phishing)?#

Vishing (voice phishing) is a phishing attack conducted over the phone, where attackers impersonate legitimate entities to extract personal information or financial details.


2.6 What’s Clone Phishing?#

Clone phishing involves duplicating a legitimate email that the victim has received in the past, then resending it with malicious links or attachments.

(Image: clone phishing example, taken from https://uk.norton.com/blog/online-scams/clone-phishing)

2.7 What’s Pharming?#

Pharming redirects users from legitimate websites to fraudulent ones without their knowledge, often by exploiting vulnerabilities in DNS (Domain Name System) settings.

(Image: pharming example, taken from https://www.valimail.com/guide-to-phishing/phishing-vs-pharming)

2.8 What’s Man-in-the-Middle Phishing?#

Man-in-the-middle phishing is when attackers intercept and modify communications between two parties without their knowledge, often to steal sensitive information or credentials.


2.9 What’s Social Media Phishing?#

Social media phishing involves phishing attacks that occur on social media platforms, where attackers create fake profiles or send direct messages to trick users into revealing personal information.

(Image: social media phishing example, taken from https://www.proofpoint.com/us/threat-insight/post/fraudulent-social-media-accounts-continue-phish-banking-credentials)

2.10 What’s Malvertising?#

Malvertising uses malicious online advertisements to direct users to phishing sites or deliver malware.

(Image: malvertising example, taken from https://www.geeksforgeeks.org/what-is-malvertising)

2.11 What’s Search Engine Phishing?#

Search engine phishing is when attackers create fake websites that appear in search engine results, luring users to visit and enter sensitive information.

(Image: search engine phishing example, taken from https://www.keepersecurity.com/blog/2023/04/12/what-is-search-engine-phishing)

2.12 What’s Pop-Up Phishing?#

Pop-up phishing uses pop-up windows on legitimate websites to trick users into entering personal information or downloading malware.

3. The Vulnerabilities of Traditional Authentication Methods#

Traditional authentication methods, such as passwords and SMS-based two-factor authentication (2FA), are widely used nowadays. However, these methods (and more – see below) are increasingly vulnerable to various phishing attacks. Cybercriminals exploit weaknesses in these systems, often with alarming success.

Here’s an overview of authentication methods and their phishing-resistance.

| Authentication method | Phishing-Resistant | Explanation |
| --- | --- | --- |
| Password | ❌ | Passwords can be easily phished through fake websites and social engineering. |
| SMS OTP | ❌ | SMS OTPs can be intercepted or phished through fake websites and SIM swapping. |
| Email OTP | ❌ | Email OTPs can be phished by tricking users into entering codes on malicious sites. |
| Email magic link | ❌ | Email magic links can be phished by intercepting the link through email compromise. |
| Social logins (e.g. Google, Facebook) | ❌ | Social logins can be phished by tricking users to log in via fake OAuth prompts. |
| SSO | ✅/❌ | SSO can be phishing-resistant if implemented with strong authentication methods like FIDO2 or smart cards. |
| TOTP (e.g. Google Authenticator) | ❌ | TOTPs can be phished if the attacker tricks the user into providing the code. |
| Push Notification (e.g. Authy, Duo) | ❌ | Push notifications can be phished through fake prompts or social engineering. |
| Passkey | ✅ | Passkeys use public-key cryptography and are bound to the origin, preventing phishing. |
| FIDO2 Security Key | ✅ | FIDO2 security keys use origin-bound keys and challenge-response, making them phishing-resistant. |
| Smart Card | ✅ | Smart cards use secure elements and are resistant to phishing. |

Phishing remains a significant threat. According to the Zscaler ThreatLabz 2024 Phishing Report:

  • Phishing attacks surged by 58.2% in 2023 compared to 2022, reflecting the growing sophistication and persistence of threat actors.
  • Vishing (voice phishing) and deepfake phishing attacks are on the rise as attackers leverage generative AI to amplify social engineering tactics.
  • The US, UK, India, Canada, and Germany were the top five countries targeted by phishing attacks.
  • The finance and insurance industry faced 27.8% of overall phishing attacks, the highest concentration among industries and a staggering 393% year-over-year increase. Manufacturing followed closely behind at 21%.

4. Why is phishing such a big problem today?#

In 2024, phishing is still such a big problem because it targets the most vulnerable link in the security chain: humans. Despite advancements in cybersecurity technology, the human element remains susceptible to manipulation and error. Here's why phishing is such a pervasive issue:

4.1 Humans are a Vulnerability#

Despite advancements in cybersecurity tools, humans are often the weakest link. Cybercriminals exploit this by using social engineering techniques to trick individuals into revealing sensitive information. This is not just a technical challenge but a human one, requiring effective communication, advice, and mentoring within organizations.

4.2 Phishing Mistakes are Inevitable#

Even the most well-intentioned individuals can make mistakes. It only takes one click on a malicious link or the reuse of a password to compromise an organization's security.


The responsibility for cybersecurity extends beyond the security team to all employees and even customers. Effective security measures should be easy to use, minimizing the effort required by individuals to follow them. Convenience leads to compliance, which enhances overall security.

4.4 Complexity vs. Convenience (Users Favor Simple Things)#

Effective security measures must be both robust and user-friendly. When security protocols are overly complex, individuals are more likely to circumvent them for convenience. Studies show that a significant percentage of employees knowingly break security policies to maintain productivity. This issue isn't new: an RSA survey from 2008 found that while employees understood security policies, many were willing to break the rules for convenience. Similarly, a 2022 Harvard Business Review study found that 67% of employees knowingly violated security policies, with 85% citing productivity reasons. This tendency underscores the need for security solutions that integrate seamlessly into daily workflows without adding undue burden.

4.5 Psychological Factors Play a Role#

Under pressure, employees might view violating security rules as an acceptable risk. In their personal lives, the perceived lower stakes often lead people to neglect good security practices, falsely believing they are too insignificant to be targeted. If people aren't following best practices at work, they are even less likely to do so in their private lives.

4.6 Credential-Based Attacks are on the Rise#

Identity-related breaches are a major concern, with a notable rise in credential-related phishing attacks. In 2022, there was a 61% spike in such attacks, with stolen credentials responsible for 50% of successful breaches according to the Verizon Data Breach Investigations Report. Passwords, as a primary line of defense, are increasingly inadequate in a highly interconnected world.

4.7 Rise of Remote Work and Digital Reliance#

The shift towards remote and hybrid work models, accelerated by the pandemic, has expanded the attack surface for cyber threats. The increased reliance on digital technologies in both professional and personal spheres has made identity protection even more critical. Phishing attacks exploit this expanded digital footprint, targeting individuals across various platforms and services.

4.8 Escalating Cyber Threat#

The frequency and sophistication of cyberattacks have surged in recent years. In 2022 alone, there were over 500 million phishing attempts reported globally. The FBI's Internet Crime Complaint Center received nearly 60,000 phishing-related complaints, while the 2023 Thales Global Data Threat Report indicated that 41% of respondents observed an increase in phishing attacks. These statistics illustrate the pervasive and growing nature of the threat.

4.9 Reputational Damage and Trust#

Beyond the immediate financial and data losses, phishing attacks can cause severe reputational damage. Compromised sensitive information can erode customer trust, leading to long-term repercussions for organizations. This aspect of the threat landscape makes it crucial to adopt comprehensive security measures that safeguard both internal data and external user information.

4.10 Increasing Number of Data Breaches#

The number of data breaches has surged, revealing vast amounts of sensitive information about victims. This exposed data significantly improves cybercriminals' ability to target individuals and organizations with precision. Personal details obtained from breaches are often sold on the darknet, allowing attackers to craft highly convincing phishing attempts. This increased personalization raises the success rate of these attacks.


According to Check Point, these are the top phishing brands for Q1 2024. During the first quarter of 2024, Microsoft remained the most imitated brand in phishing attacks, representing a significant 38% of all brand phishing attempts. Google moved up to the second spot, accounting for 11% of these attacks, a slight increase from its previous third-place position. LinkedIn also experienced a rise, reaching third place with 11% of phishing attempts, marking a notable increase from the previous quarter.

| Rank | Brand | Frequency | Passkey Rollout |
| --- | --- | --- | --- |
| 1 | Microsoft | 38% | ✅ |
| 2 | Google | 11% | ✅ |
| 3 | LinkedIn | 11% | ✅/❌ Partial rollout only |
| 4 | Apple | 5% | ✅ |
| 5 | DHL | 5% | ❌ |
| 6 | Amazon | 3% | ✅ |
| 7 | Facebook | 2% | ❌ (rollout in progress) |
| 8 | Roblox | 2% | ✅ |
| 9 | Wells Fargo | 2% | ❌ |
| 10 | Airbnb | 1% | ❌ (rollout in progress) |

Many of these companies, which obviously have to deal a lot with the problems associated with phishing, have already rolled out or are planning to roll out passkeys as a countermeasure. From the list of the top ten, 60% have already fully or partially rolled out passkeys. Moreover, we know from Facebook and Airbnb that they are actively working on their passkey rollout. Only DHL and Wells Fargo have not indicated a direct passkey rollout, but sooner or later they will follow the move of the other top phishing-target brands.

5. Why are Passkeys Phishing-Resistant#

Passkeys offer a robust solution to the problem of phishing. Here’s why they are inherently phishing-resistant:

5.1 Binding to Origin (Relying Party ID)#

Passkeys are tied to the specific origin (i.e., the Relying Party ID) of the service (Relying Party). During the authentication process, the service provides a challenge that is signed by the user's private key. The service then verifies the signature using the corresponding public key, ensuring that the authentication occurs with the correct origin. A phishing site cannot replicate this origin-specific challenge-response process.

Importantly, users cannot voluntarily give away the passkey to a malicious website. Sharing passkeys across different Relying Party IDs is not possible within the WebAuthn protocol. Additionally, exposing the private key is not feasible as it is stored inside a hardware security module (HSM). Therefore, even if a user wanted to use their passkey on an unauthorized site, it would not be technically possible.

5.2 Public Key Cryptography and No Shared Secrets#

Passkeys use public key cryptography, which means that each passkey consists of a public and a private key. The private key remains securely stored on your device, while the public key is shared with the server. When you attempt to authenticate, your device uses the private key to sign a challenge sent by the server. This signature is then verified using the public key. Since the private key never leaves your device and cannot be intercepted or phished, this method eliminates the risk of phishing attacks.

5.3 Elimination of Common Phishing Vectors#

Unlike passwords, passkeys cannot be written down or accidentally shared. They are bound to your devices and cannot be stolen through fake websites or phishing emails. When you use a passkey to sign in, it proves to the service provider that you have access to your device and can unlock it. This dual proof ensures that passkeys protect you against phishing and mishandling, such as reusing passwords or exposing them in data breaches.

5.4 Device-Specific Security#

Passkeys are created uniquely for a passkey provider and account, making them extremely difficult to phish. For example, when signing in to your Google account with a passkey, the authenticator ensures the signature is only valid for Google websites and apps, not for malicious intermediaries. This means you don't need to be overly cautious about where you use your passkey, unlike with passwords or SMS verification codes.

5.5 Unique Passkeys for Each Account#

Each passkey is tied to a single account, eliminating the risk of reuse across different services. This prevents a data breach in one account from compromising others. Your accounts remain secure, and the risk of credential phishing is significantly reduced.


5.6 Secure Cross-Device Authentication#

When signing in on a new device, you might scan a QR code displayed on that device using your phone. This process verifies the proximity of your phone using a Bluetooth message and establishes an end-to-end encrypted connection. The phone then delivers a one-time passkey signature, which requires your biometric or screen lock approval. The passkey itself and screen lock information are never sent to the new device, ensuring secure authentication.

5.7 User Interaction is Required#

Passkey authentication typically involves some form of user interaction, such as biometric verification (fingerprint, face recognition) or a PIN on the user's device. This step confirms the user's presence and further protects against automated phishing attacks or compromise of the user's operating system.

5.8 Compliance with NIST Guidelines#

NIST (National Institute of Standards and Technology) recognizes synced passkeys as phishing-resistant according to their guidelines. This endorsement underscores the effectiveness of passkeys in protecting against phishing, especially in an environment where a significant number of breaches are caused by weak or stolen passwords.

Passkeys offer a compelling combination of security and convenience, making them a powerful tool against phishing attacks. By eliminating the need for passwords and leveraging strong cryptographic principles, passkeys provide a phishing-resistant authentication method that enhances both user experience and security.

6. Conclusion: Passkeys & Phishing#

Phishing remains one of the most dangerous threats to online security, exploiting the weakest link: human behavior. Traditional authentication methods, such as passwords and SMS-based 2FA, are increasingly inadequate in protecting against these sophisticated attacks. Passkeys, with their origin binding, use of public key cryptography and elimination of shared secrets, provide a robust defense against phishing.

By understanding the nature of phishing, the types of phishing methods that exist and the vulnerabilities of traditional methods to phishing, it becomes clear that passkeys offer a much-needed solution to prevent phishing. Passkeys are phishing-resistant, and as we continue to see a rise in cyberattacks, adopting passkeys is a crucial step toward enhancing security for both individuals and organizations.

For developers and product managers, implementing passkeys not only boosts security but also improves user experience by simplifying the authentication process.
