Back to the journal
IT-Security May 2026

Passkeys: sign-in that cannot be phished

Passkeys replace passwords with a cryptographic key pair. The private key never leaves your device, and the sign-in is bound to the real domain. This makes phishing technically impossible.

A phishing attack always starts with a password or a one-time code.

An employee receives an email that looks like a notification from their cloud service provider. They click the link, land on a convincing fake login page, and enter their password. The attacker forwards the credentials to the real service in real time and is in. Even someone who enters a one-time code from an SMS or authenticator app is not safe. The attacker intercepts the code and forwards it as well. This pattern is called real-time phishing or adversary-in-the-middle. It bypasses any classic two-factor authentication that relies on a shared secret.

The problem runs deeper. Passwords and one-time codes are both secrets that the server knows and that the user transmits. Whoever intercepts that transmission wins. IT security has long tried to solve this with increasingly complex password rules. That has not stopped attacks. It has only increased user frustration.

Passkeys replace the password with a key pair that stays on your device.

A passkey consists of two parts: a private key and a public key. The private key is generated on your device and never leaves it. It resides in a secure environment called the authenticator. This can be the secure chip in your smartphone, your laptop, or an external hardware security key. The public key is sent to the server of the service you want to sign in to.

When you sign in, the following happens: The server sends a cryptographic challenge to your device. Your device signs this challenge with your private key. The signature is sent back to the server. The server verifies the signature with your public key. If it matches, you are signed in. No password is ever entered or transmitted.

To prevent anyone who picks up your device from signing in, the private key is protected by a local user verification. This is typically your biometrics (fingerprint or face recognition) or your device PIN. This verification happens only on your device. The server never learns about it.

Phishing resistance comes from binding the key to the real domain and from asymmetric cryptography.

The critical difference to passwords and one-time codes is origin binding. When a passkey is created, the private key is linked to the internet address (the origin) of the service it is intended for. Your device remembers: this key belongs to "example.com". If you land on a fraudulent site called "examp1e.com", your device will not release the private key. The domain does not match. The attack stops here.

Asymmetric cryptography adds another layer. The server only holds your public key. It can use this key to verify that a signature came from your private key. But it cannot derive your private key from it, nor can it use the public key to sign in to a different service. Even if an attacker compromises the server and steals all public keys, they gain nothing. They cannot impersonate you.

One-time codes and passwords are symmetric secrets. The server knows them and must compare them with what the user sends. Anyone who eavesdrops on that communication obtains the secret. With passkeys, there is no secret that is transmitted. There is only a signature that is worthless without the private key.

Rolling out passkeys in an organization is an organizational task, not a pure technology question.

The technology is mature. The FIDO2 and WebAuthn standards are implemented by all major platforms (Apple, Google, Microsoft). The challenge lies in planning. Three factors decide the success of a rollout.

First, recovery. What happens when an employee loses their smartphone? The private key is gone. Without a plan, the employee cannot sign in anymore. The solution is synchronized passkeys. Here, the private key is encrypted and backed up in the device manufacturer's cloud (iCloud, Google Password Manager). The employee can authenticate on a new device with their cloud account and restore the key. For critical accounts, such as administrator access, we recommend additional device-bound passkeys on hardware security keys. These keys never leave the USB stick and offer the highest security level.

Second, device loss. A hardware security key can be lost. Companies need a process to revoke the lost key and issue a replacement. This requires key management and a clear ownership within the team.

Third, the rollout sequence. We recommend starting with a small, tech-savvy group. This group tests the passkeys in daily use and identifies problems before the rollout is extended to the entire workforce. In parallel, the old password method should remain active for a while to avoid outages. The transition is a process, not a button push.

Our position: Passkeys are the only path to phishing-resistant authentication at scale.

At Mountain Road, we consider passkeys the most important advance in authentication in decades. Classic MFA with SMS or one-time codes only creates a false sense of security. It does not stop an attacker who surfs along in real time. Passkeys do. They make phishing of the sign-in process technically impossible.

The rollout requires discipline and thoughtful organization. But the effort is worth it. Any organization that switches to passkeys today eliminates an entire class of attacks. This is more than an upgrade. It is a paradigm shift. We help organizations make this transition, from designing recovery processes to integrating with existing identity platforms. Because security is not a product you buy. It is a practice you design.

Frequently asked questions

What are passkeys?

Passkeys are a passwordless sign-in method based on a cryptographic key pair. The private key stays on your device, the public key is stored with the service provider. During sign-in, no secret information is transmitted, only a cryptographic signature.

Why are passkeys phishing-resistant?

Passkeys are bound to the real internet address (origin) of the service. Your device releases the private key only for the domain it was created for. If you land on a fraudulent site, your device refuses to release the key. Additionally, asymmetric cryptography ensures the server only holds the public key, which cannot be used to sign in elsewhere.

How do you roll out passkeys in an organization?

The rollout requires planning in three areas: recovery after device loss (synchronized passkeys or hardware security keys), key management, and a phased rollout. We recommend starting with a small pilot group and keeping the old password method active in parallel until passkeys work reliably in daily use.