
The Power of Passkeys in the Age of Cybercrime

Shireen Stephenson | Published November 09, 2023 | Updated July 24, 2025

You’re at your desk, coffee in hand, when your phone rings. It's your CEO. The voice is familiar and the request urgent: “Wire $500,000 to this new vendor now. I’ll explain later.”  

What do you do?  

In the background, an automated service quietly processes billing for thousands of customers, when suddenly chaos erupts. Except, no one knows about it for weeks. Meanwhile, you get three more calls from your CEO, which go to voicemail.  

The next month, reports of a data leak rock your company, and the incident is splashed across every major newspaper.  

Not familiar with this scenario? If so, count yourself lucky. Today, credential phishing is Ground Zero for modern identity-based attacks, and if you stay with us, we’re going to reveal how passkeys can help you fight back.  

But first, let’s answer an important question. 

What is credential phishing and how common is it? 

Credential phishing is an identity-based attack in which attackers impersonate a trusted source (like your CEO or banker) to trick you into sharing your login credentials. In 2024, credential phishing saw a 703% increase, far outpacing other forms of phishing. 

Attackers now leverage AI to create deepfake audio/video calls, text messages, and emails to execute mass credential theft campaigns. 

Today, identity-based attacks target both human and non-human identities (NHI). The latter include service accounts, API keys, and OAuth tokens. 

Once they have these credentials, attackers can use them to move laterally, process unauthorized transactions, and exfiltrate sensitive data. 

The best strategies against such attacks include the use of FIDO2-compliant passkeys or hardware security keys and the implementation of least-privilege access for service accounts.

The digital heist most people don’t see coming 

The deepfake CEO scam: How credential harvesting works in the age of AI 

Still unsure about wiring the money, you fire off a quick message to your manager. They urge you to hold off while they investigate.  

The next day, you learn that the calls and text messages were part of an elaborate scam targeting you (and several other staff members).  

You heave a sigh of relief. That was a close one. 

However, a finance worker at a multinational firm wasn’t so lucky.  

The employee was initially wary of the email they received. However, they put aside their initial doubts after attending what appeared to be a video conference call with the company’s UK-based chief financial officer and other colleagues. 

Over several transactions, the employee wired more than $25.6 million to the attackers. 

The scam, powered by AI and deepfake tech, shows just how vulnerable even the sharpest employees can be when trust is weaponized across multiple channels.  

The age of multi-channel phishing is here, and it’s expensive.  

And it’s not just about money lost. It's about shattered trust, damaged reputations, and the sobering realization that AI can be weaponized against anyone.  

The silent sabotage: How attackers target machines 

Still, it isn’t just human identities you need to worry about; machine identities are the next wave, creating a whole new frontier of risk you can’t afford to ignore. 

So, how do attackers hijack machine identities? 

Imagine your development team is working on an Android app that integrates with a cloud storage service like AWS S3.

The team stores backup copies of their raw source code (the instructions that make the app work) in an S3 bucket. Think of the S3 bucket as a kind of virtual folder. It can store any type of file, document, or in this case, source code.  

To allow the app access to the S3 bucket, the team creates an AWS IAM (identity & access management) credential and hardcodes it directly into the Java source code.  

Meanwhile, a new member of the team accidentally uploads the code containing the machine credentials to a public GitHub repository.  

Within hours, automated scanners monitoring GitHub for exposed secrets detect the IAM credential. An attacker grabs it and quickly pivots. 

  • They use the stolen IAM credentials to access your company’s S3 bucket. 
  • Next, they download source code from the S3 bucket. 
  • If the credentials have broader permissions, they transfer sensitive customer PII (name, address, payment method), internal documents, and other intellectual property to their own servers. 

No alerts are triggered because the attackers are using valid credentials. 

And the leak goes unnoticed for weeks. When news breaks that your company’s source code and customer data were leaked, your company must navigate regulatory penalties, financial losses, and a damaged brand.  
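The scenario above turns on one defect: a long-lived IAM credential hardcoded in source. The following is an added example, not LastPass code or the project described above: a small pre-commit style scanner that flags hardcoded AWS access key IDs and secret access keys in source text, using the public AWS key-ID format (a 4-character AKIA/ASIA prefix plus 16 uppercase alphanumerics) and a keyword-plus-entropy rule for the 40-character secret. The Java snippets are constructed samples; the key values are the well-known AWS documentation placeholders, not real credentials, and the hardened snippet assumes the AWS SDK for Java v2 default credential provider chain.

```python
"""
Added example (not LastPass code): scan source text for hardcoded AWS IAM
credentials, of the kind the GitHub-leak scenario above describes.
"""
import math
import re
from collections import Counter

# AWS access key IDs are 20 chars: prefix AKIA (long-term) or ASIA (temporary)
# followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A bare 40-char base64-ish string matches far too much innocent text, so a
# secret is only reported when a "secret ... key" style name is assigned to it
# AND the value is high-entropy (see shannon_entropy below).
SECRET_LINE_RE = re.compile(
    r"(?i)(?:aws)?[_\- ]?secret[_\- ]?(?:access[_\- ]?)?key\w*\s*[=:]\s*[\"']([A-Za-z0-9/+=]{40})[\"']"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a random 40-char key scores well above 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_aws_secrets(source: str, min_entropy: float = 4.0) -> list:
    """Return one finding per suspected credential, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        m = SECRET_LINE_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= min_entropy:
            findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": m.group(1)})
    return findings


# Constructed sample: the pattern the story describes. The values are the AWS
# documentation placeholder keys, not live credentials.
VULNERABLE_JAVA = """\
public class BackupUploader {
    // Long-lived IAM user credentials baked into the app (constructed sample)
    private static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
}
"""

# Constructed sample of the fix: no static secret in source. The SDK's default
# provider chain resolves a role attached to the instance or container, or
# short-lived credentials supplied out of band (assumes AWS SDK for Java v2).
HARDENED_JAVA = """\
public class BackupUploader {
    private static final S3Client s3 = S3Client.builder()
            .credentialsProvider(DefaultCredentialsProvider.create())
            .build();
}
"""


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_JAVA), ("hardened", HARDENED_JAVA)):
        hits = find_hardcoded_aws_secrets(src)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h['line']}: {h['kind']} {h['value'][:4]}...")
```

The entropy gate is what keeps the secret-key rule usable in a real pre-commit hook: a placeholder such as forty zeros assigned to `SECRET_KEY` scores 0 bits and is ignored, while a genuine key scores around 4.5 bits or more. Note that this check is a backstop; the real fix is the hardened form, where nothing in the repository is worth stealing.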

Stopping your next security breach: Identity security with LastPass 

What cybercriminals target: People first, machines second 

Did you know that 95% of data leaks start with a human? 

Meanwhile, 94% of malware is sent through phishing emails, exploiting ingrained human trust and behavior.  

With human identities as the most targeted attack vector, we’re laser-focused on offering a solution that prioritizes both the user experience and security. 

Here’s how: Using passkeys means your login credentials aren’t passwords that must be entered manually.  

So, even if you land on a fake (phishing) site, your passkey simply won’t work there. It’s bound ONLY to the real website and your device. Attackers can’t intercept, replay, or reuse a passkey, rendering credential phishing attacks powerless.  
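Why a passkey "simply won't work" on a phishing site is easiest to see in the protocol itself. The following is an added example, not LastPass code: a simplified, standard-library-only model of a WebAuthn assertion in which the browser only offers credentials whose relying-party ID matches the page's domain, the authenticator signs over `sha256(rpId)`, and the relying party checks the origin, the rpId hash and a fresh challenge. Real passkeys sign with an asymmetric key (for example ES256); HMAC stands in for the signature here so the example runs without third-party packages, and the `rpId`-from-origin rule is simplified to the exact host. Names such as `bank.example`, `Authenticator`, `browser_sign_in` and `rp_verify` are constructed for this illustration.

```python
"""
Added example (not LastPass code): a reduced model of the WebAuthn "get"
ceremony showing origin binding and replay resistance. HMAC stands in for
the real asymmetric signature so the example runs on the standard library.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # the only origin the RP will accept


class Authenticator:
    """Device-bound credential store: keys never leave the device."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, key)

    def register(self, rp_id: str) -> str:
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, secrets.token_bytes(32))
        return cred_id

    def public_key(self, cred_id: str) -> bytes:
        # Stand-in: with HMAC the "public key" is the shared key the RP stored at registration.
        return self._creds[cred_id][1]

    def get_assertion(self, cred_id: str, rp_id: str, client_data_hash: bytes):
        stored_rp, key = self._creds[cred_id]
        if stored_rp != rp_id:
            # The credential was created for bank.example; no other rpId can use it.
            raise LookupError("no credential for this rp ID")
        # authenticatorData = sha256(rpId) || flags (UP set) || 4-byte signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_sign_in(authenticator: Authenticator, cred_id: str, page_origin: str, challenge: str) -> dict:
    """Browser side: rpId is derived from the page's origin; the page cannot choose it."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator.get_assertion(cred_id, host, hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(response: dict, public_key: bytes, expected_challenge: str) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(response["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:   # replay guard: one nonce per ceremony
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:          # origin binding
        return False
    if response["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(
        public_key, response["auth_data"] + hashlib.sha256(response["client_data"]).digest(), "sha256"
    ).digest()
    return hmac.compare_digest(expected, response["sig"])


def demo_genuine() -> bool:
    """User signs in on the real site with a server-issued challenge."""
    auth = Authenticator()
    cred = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(16)
    return rp_verify(browser_sign_in(auth, cred, EXPECTED_ORIGIN, challenge), auth.public_key(cred), challenge)


def demo_phishing_site() -> str:
    """A look-alike domain asks for the passkey; the browser/authenticator refuses."""
    auth = Authenticator()
    cred = auth.register(RP_ID)
    try:
        browser_sign_in(auth, cred, "https://bank-example.com", "any-challenge")
    except LookupError as exc:
        return str(exc)
    return "assertion produced"


def demo_replay() -> bool:
    """A previously captured, valid assertion is presented against a new challenge."""
    auth = Authenticator()
    cred = auth.register(RP_ID)
    captured = browser_sign_in(auth, cred, EXPECTED_ORIGIN, "old-challenge")
    return rp_verify(captured, auth.public_key(cred), "fresh-challenge")


if __name__ == "__main__":
    print("genuine login verified:", demo_genuine())
    print("phishing site result:", demo_phishing_site())
    print("replayed assertion verified:", demo_replay())
```

The phishing case fails before any secret is ever produced: the browser derives the relying-party ID from the address bar, and the authenticator holds no credential for `bank-example.com`, so there is nothing for the fake page to capture. The replay case fails on the relying-party side because every ceremony uses a fresh challenge that is covered by the signature.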

But what about machine identities? While tools like Okta Privileged Access excel at securing them, human identities are the primary entry point for hackers targeting small and medium-sized businesses (SMBs).  

If you have a small business, it’s 3X more likely to be targeted than an enterprise. And the easiest, fastest way into your business is through your team’s identities: stolen passwords, phished login credentials, and weak multi-factor authentication. 

Take, for example, the SolarWinds attack. Attackers first gained entry through compromised credentials. Then, they secretly added malicious code (the SUNBURST backdoor) to the SolarWinds Orion software build system.  

Finally, they used a legitimate SolarWinds code-signing certificate to make a software update trustworthy to customers, who then downloaded it without question.  

A code-signing certificate is a type of machine credential used to verify software’s authenticity and integrity (indicating no alterations were made after signing).  

Because the attackers used a legitimate certificate, no one was the wiser. 

As a result, the backdoor gave attackers access to multiple customer networks.  

This is a textbook case of how compromised human credentials often precede machine identity abuse.  

At LastPass, our focus is ensuring that such attackers never get past your first line of defense: your team.  

Passkeys allow you to protect the human layer, so hackers never reach your machines. Ultimately, protecting your business at the source means protecting your entire network. 

This leads us to a question many have asked. 

How do passkeys work if you have multiple devices? 

With LastPass, you can enable passkeys under “Save and use passkeys” in your account settings. 

Once enabled, you can create, store, and manage passkeys directly in your LastPass vault on browsers like Chrome and mobile apps for iOS and Android. 

Here's how it works: When you visit a site that supports passkeys, you can log in automatically by selecting the passkey option in the LastPass pop-up window. 

Storing your passkeys in LastPass also gives you cross-device access. This means you can use your passkeys on any device when you’re signed into your vault.  

With LastPass, your passkeys sync automatically with your vault, making every login seamless. 

Ultimately, passkeys provide passwordless, phishing-resistant authentication that is far more secure than traditional MFA.  

But what if you or your employees still prefer the username-password combo? After all, only 12% of the world’s top 250 websites support passkeys.  

If so, take no chances with your security. LastPass gives you military-grade AES-256 encryption and secure autofill to protect your business credentials from phishers and keyloggers. What’s more, you can store more than credentials in LastPass. 

Check out what else you can keep safe in your vault under Secure Notes or by creating custom Secure Note templates.

Whether you’re using passkeys or passwords, protect your human firewall today with a free LastPass Business trial (no credit card required).  

I love that LastPass allows you to create shared passwords with Teams, that it has maximum provisioning features, audit trails, the mobile app is a lifesaver, that you are able to export your passwords to a .CSV file, and so many more features. I've used LastPass since before the Heartbleed attack in 2014 and it was the site that the U.S. Department of Defense had everyone go to in order to confirm whether or not a particular site had been patched after Heartbleed, which was the single largest internet attack since the inception of the internet. I've been using LastPass [for] that long and wouldn't change it for anything. The price point is perfect (Anne C, small business owner on G2).
