What if you could outsmart the world’s most wanted smishing criminals? With passkeys, you can.
But first, let’s tackle a question many people ask: Are passkeys and security keys the same? The answer is no. Passkeys are digital credentials stored on your device. Meanwhile, security keys are actual physical devices you must carry, like USB sticks. Both are built for safe, password-free logins.
Imagine this: a grandmother logs into her banking portal in Sydney with just one tap. No passwords, no security questions. Across the globe, a college student in New York City books a last-minute flight, breezing through the login screen in seconds. Meanwhile, a gamer in Tokyo unlocks their PlayStation account without SMS codes.
What’s their secret? It's called a passkey, and it’s what the world’s biggest brands are championing in a new era of frictionless authentication. This brings us to a very important question.
Can passkeys be hacked?
The silent FIDO2 protocols that make passkeys a cryptographic fortress
Passkeys are built on FIDO2 public key cryptography.
When you set up passkeys for a site, a cryptographic key pair is generated. One half of the pair is the public key, which is stored on the website’s server. The other is the private key, which lives on your device.
In collaboration with the World Wide Web Consortium (W3C), the FIDO Alliance released the FIDO2 standard in 2018.
It actually consists of two protocols: Web Authentication (WebAuthn) and Client to Authenticator Protocol 2 (CTAP2).
Both passkeys and security keys (like YubiKey) are built on the FIDO2 standard and provide password-free, frictionless logins.
With passkeys, you can authenticate with your face, fingerprint, or PIN.
What this means for you: If you use your face or fingerprint, your unique biometric authentication keeps your account safe.
This leads us to another question: If passkeys require your face or fingerprint to unlock, does it mean they’re 100% phishing proof?
Or is there a hidden flaw the experts aren’t telling us?
Below, we’re going to reveal what most people don’t know about the protocols behind passkeys – WebAuthn and CTAP2 – and why they hold the key to your online safety.
Are passkeys really phishing-resistant?
Most people think security is all about clever tricks to outsmart hackers.
But the real breakthrough lies in two protocols: WebAuthn and CTAP2.
Here’s what they do for you:
- WebAuthn: This protocol is used to enable communications between a website and an authenticator through your browser. Supported authenticators include passkeys, built-in platform authenticators like Windows Hello and Touch ID, and hardware security keys like YubiKey. WebAuthn ensures your login is tied to the real website.
So, when experts say, “passkeys are phishing resistant,” this is what they mean: Even if a scam email or text message sends you to a fake site, your passkey won’t work there. It’s like trying to open a door with the wrong key.
This is due to the verifier-name binding mechanism: your passkey is “bound” to the real site’s identity (its domain, which the browser reports and the site checks on every login), so it can’t be used anywhere else.
Along with user vigilance, passkeys are a powerful deterrent against phishing and smishing attacks aimed at stealing your login credentials.
- CTAP2: This is the protocol that defines how external authenticators communicate with client devices like your smartphone, laptop, or desktop.
The supported external authenticators include smartphones acting as authenticators and any device that connects via NFC, USB, or Bluetooth (such as YubiKey).
While nothing in life is 100% perfect, passkeys are as close as it gets.
Passkeys are built so only YOU can use them. Your biometric data – used to unlock the private key – is never sent over the internet or stored on third-party websites. Even if attackers intercept the login process, they can’t get your face or fingerprint data.
But what happens if someone steals your phone? In that case, they would need to unlock your phone by guessing your PIN or somehow bypassing the biometric sensor. Either way, they have no access to your actual biometric data.
This means your money, memories, and data are safe, allowing you to surf the web without fear.
Are passkeys safer than text-based 2FA?
The tech that eliminates the human factor
Passkeys surpass text-based 2FA in both security and usability.
The cryptographic challenge-response process (the site sends a fresh random challenge, and your device signs it with the private key only after your biometric or PIN unlock) ensures only your device and unique biometric data can be used to verify your identity.
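To make the challenge-response step above and the WebAuthn site binding from the previous section concrete, here is an added example (not LastPass's code, and not a WebAuthn library) that simulates both halves of a passkey login in Go using only the standard library. It is a deliberately reduced model: the site names "bank.example" and "bank-example.com" are constructed, attestation, credential lookup, signature counters and the user-verification flag are omitted, and in a real browser an authenticator would not even find a credential for a look-alike domain. What it does show is why the site must check the origin and the challenge inside the signed data: an assertion produced on a different origin, or an old assertion replayed against a new challenge, is refused even though the signature itself is valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator holds one passkey's private key for one relying party (RP); the
// local biometric/PIN unlock a real passkey requires is assumed to precede Sign.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Assertion is what the browser returns to the site after a login ceremony.
type Assertion struct {
	ClientDataJSON, AuthenticatorData, Signature []byte
}

// clientData mirrors the clientDataJSON fields a site checks; the browser, not
// the web page being rendered, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewChallenge is the random per-login value a site sends to defeat replay.
func NewChallenge() []byte {
	b := make([]byte, 32)
	rand.Read(b)
	return b
}

// signedDigest is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign is the authenticator's "get assertion" step. The browser's origin and the
// site's challenge sit inside the signed data, so the signature is useless
// anywhere except the site and login attempt it was made for.
func (a *Authenticator) Sign(browserOrigin string, challenge []byte) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (UP) || counter
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cdJSON))
	return Assertion{cdJSON, authData, sig}, err
}

// Verify is the site's side: type, challenge, origin, RP ID hash and signature
// must all check out, otherwise the login is refused.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("stale, replayed or wrong-ceremony assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: not made on the genuine site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthenticatorData) < 37 || string(as.AuthenticatorData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash does not match this site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// Demo registers a passkey for the constructed site "https://bank.example" and
// tries three logins: genuine, made on a look-alike origin and relayed to the
// real site, and a replay of the first assertion. It reports which were accepted.
func Demo() (genuineOK, relayedOK, replayedOK bool) {
	const rpID, origin, lookalike = "bank.example", "https://bank.example", "https://bank-example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: the key pair is created
	if err != nil {
		panic(err)
	}
	auth, pub := &Authenticator{rpID, priv}, &priv.PublicKey
	c1 := NewChallenge()
	a1, _ := auth.Sign(origin, c1)
	genuineOK = Verify(pub, rpID, origin, c1, a1) == nil
	c2 := NewChallenge()
	a2, _ := auth.Sign(lookalike, c2) // browser on the look-alike site records that origin
	relayedOK = Verify(pub, rpID, origin, c2, a2) == nil
	replayedOK = Verify(pub, rpID, origin, NewChallenge(), a1) == nil // old assertion, new challenge
	return
}

func main() { fmt.Println(Demo()) } // true false false
```

Running it prints `true false false`: the genuine login passes, the look-alike-origin assertion fails the origin check, and the replayed assertion fails the challenge check. The public key never leaves the site and the private key never leaves the authenticator, which is the property the article describes as the passkey being "bound" to the real site.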
Meanwhile, SMS codes can be intercepted by attackers via attacks like SIM swapping.
Here’s how: A scammer walks into your carrier’s brick-and-mortar store. He's got your name, address, date of birth, and maybe even your Social Security number. With a little charm and a fake ID, he convinces the salesperson that he’s lost his phone. And then he asks if he can move your phone number to his new SIM card.
If the salesperson obliges, you lose control of your phone, and the scammer gets all your SMS authentication codes.
Although three major carriers – Verizon, AT&T, and T-Mobile – now have SIM or port out protections, passkeys can add an extra layer of defense.
With passkeys, there aren’t any codes to lose, even if scammers try to use social engineering on unsuspecting store clerks. Your device handles everything automatically. And even if attackers steal your phone number, they gain nothing. They have no access to your passkeys and can’t use them to log in.
What are the benefits of passkeys?
Security without sacrifice
Passkeys deliver both enhanced security and improved convenience. Each passkey is unique to a specific service, so a breach on one site doesn’t endanger any of your accounts elsewhere.
Passkeys also reduce password resets substantially.
Michigan’s MiLogin app, which allows 10 million+ users to securely access state government services, saw 1,300 fewer helpdesk calls for password resets in a single month. This was after enrolling 100,000+ customer devices with passkeys.
And even with 18,000+ new enrollments per month, the state of Michigan experienced zero issues with passkey-based logins.
Meanwhile, CVS Health experienced an unprecedented 98% reduction in mobile ATO (account takeover) fraud after switching to passkeys for over 10 million users.
User experience reimagined
User adoption is soaring: Almost 70% of consumers have activated passkeys on at least one of their accounts, and 15 billion accounts are now passkey-enabled.
Here's why: Passkeys enable faster, more reliable logins.
Microsoft says logins are up to 3x faster than with passwords. Meanwhile, TikTok users say signing in with passkeys is 17x faster, while Amazon users say it’s 6x faster.
This seamless experience is driving passkey adoption across ecommerce, banking, and travel sites.
Ecommerce
- PayPal, eBay, Amazon, Walmart, Best Buy, and other ecommerce companies were early adopters of passkeys.
- Almost 50% of consumers have increased trust in brands that offer passkey-based logins.
- Abandoned carts cost ecommerce businesses $136 billion annually. Passkeys enable 4X more successful logins, creating a frictionless user experience that increases sales.
Banking & financial services
- US banks like Wells Fargo are actively exploring or rolling out passkeys in 2025. Meanwhile, ANZ Bank looks set to be the first Australian bank to offer passkeys.
- ABANCA became Spain’s first financial institution to ditch passwords: 42% of its mobile banking users now authorize transactions with passkeys.
Travel & airlines
- Air New Zealand experienced a 50% reduction in login abandonment rates after implementing passkeys.
- Two-thirds of new KAYAK sign-ups choose passkeys, reducing sign-up and sign-in time by 50%.
Unlock dual security with LastPass: Embrace the future without letting go of the past
So, you’ve heard the news about passkeys.
But you aren’t quite ready to toss your passwords. Perhaps, your favorite sites haven’t caught up. After all, only 20% of the world’s top 100 websites support passkeys.
Or perhaps you feel more comfortable with the traditional username-password combo.
With LastPass, you don’t have to choose. You can have it BOTH ways.
You can have passwordless logins with passkeys or a hardware security key.
And you can have safe, lightning-fast logins with passwords.
With LastPass, all your passwords are secured with military-grade AES-256 encryption and your logins protected by smart autofill (which means your credentials are only filled on trusted, legitimate sites).
So, you get the best of both worlds – cutting edge passwordless security and phishing-resistant password protection.
What our customers are saying
All my passwords are kept safe, encrypted, and 2-factor authenticated, so I don't have to worry. I have hundreds of logins, and I have a different strong password for each, and I cannot imagine what it would be like to manage that on paper. I use it many times every day, both in my personal affairs and in my professional work as a teacher... Once they are in, I don't have to worry. I don't even think about passwords anymore (Aaron C, German teacher).
LastPass has allowed me to stop thumbing through pages of passwords I kept in a file folder whenever I needed to log in somewhere (KentJonesProductions, small business).
Ready to live life on your own terms? Get your 30-day free access to LastPass now (no credit card required).
- Access passwords anywhere, anytime
- Generate unique, strong passwords
- Autofill and share with one click
- Backed by expert threat intelligence