With passkeys, more and more tech companies are offering a more secure alternative to passwords. The Fraud Helpdesk even claims that it is the best protection against phishing. This is incorrect, as passkeys are not resistant to all forms of phishing. Resisting all of them requires a combination of security measures. As a result, people's role in protecting their own data or that of their employer is quietly underestimated.
Of course, it is true that passkey technology is potentially more secure than the use of passwords, if only because people still use the same, often easily cracked password on multiple websites and applications.
Some cybercriminals use a phishing email to tempt people into clicking a malicious link that supposedly takes them to, for example, their bank's website. When they log in there, the cybercriminals can easily store the login details.
With passkey technology, authentication is more secure: people can log in by clicking on a login confirmation message, entering a swipe pattern or checking a fingerprint on their own smartphone or another device. That alone makes it a safer alternative to password use and to multi-factor authentication involving generated keycodes or SMS messages.
But cybercriminals apply phishing in different ways. Take Business Email Compromise (BEC) attacks, for example. In this form of social engineering, a cybercriminal poses in an email as a company's CEO or HR manager who supposedly has an urgent request, for example to share important information or deposit an amount of money into an account.
By making things like the email address, sender, subject and tone of voice as realistic as possible, they manipulate their victims. Against these kinds of phishing emails, passkey technology offers no protection.
In short, people should not rely only on technology such as passkeys, but should also know about and be aware of cybercriminals' tactics in order to behave safely. This is the only way to reduce the chances of cybercriminals being able to make their move.