Passkeys Are So Hot Right Now (And For Good Reason)

If you’ve checked your inbox lately, you’ve probably seen it: “Passkeys are now live.”

HealthEquity. Swan Bitcoin. Google. Apple. Everyone is jumping on board. Passkeys are suddenly everywhere, and I’m thrilled about it.

I’ve been a fan of this technology since long before it was a buzzword. Back in 2018, Google shared that not a single employee had been successfully phished after adopting hardware security keys. Brian Krebs covered it, and the takeaway was clear: phishing resistance wasn’t just a dream. It was proven and effective.

At the time, though, few companies wanted to be first. Deploying security keys meant retraining users, rethinking login flows, and justifying costs to leadership that didn’t fully grasp the risk. For years, this technology stayed mostly in the realm of security-conscious engineers, big tech companies, and a handful of determined weirdos like me.

Now, passkeys, which are built on the same FIDO2 standard, are mainstream. They work across devices, sync securely through your phone or password manager, and make phishing effectively useless. When you sign in with a passkey, there is no password to steal, no SMS code to intercept, and no fake login page that can trick your employees.

And that’s not a sales pitch; it’s just the cryptography at work. Each login uses public-key authentication bound to the site’s domain (the relying party ID), and the origin the browser actually saw is included in the signed data. If the domain doesn’t match, the authentication fails. No “Oops, I clicked the wrong link” moment can compromise an account.
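To show what that domain binding looks like in practice, here is an added example (not code from the original post) that simulates the two checks involved in a WebAuthn login: the browser refusing to mint an assertion for a relying party ID that doesn’t belong to the page’s origin, and the relying party rejecting any assertion whose signed client data names the wrong origin. The domain names, challenge and key are constructed for the demo, and an HMAC stands in for the authenticator’s public-key signature (real authenticators use ECDSA or EdDSA over the same bytes).

```python
import hashlib
import hmac
import json

# Constructed relying party: the site the user registered the passkey with.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://login.bank.example"}
# Stand-in for the credential key pair (constructed): a real authenticator
# signs with a private key and the RP verifies with the registered public key.
CREDENTIAL_KEY = b"constructed-demo-credential-key"

def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: rpId must be the page's host or a parent domain of it,
    so a page on evil.example cannot request assertions for bank.example."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

def authenticator_assert(rp_id: str, origin: str, challenge: str):
    """Simulated authenticator: signs authenticatorData || SHA-256(clientDataJSON).
    The origin the browser observed sits inside clientDataJSON, so it is covered
    by the signature and cannot be rewritten by a relaying phishing page."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP bit set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(CREDENTIAL_KEY, signed, "sha256").digest()

def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, challenge: str) -> bool:
    """Relying-party verification: the subset of WebAuthn assertion checks that
    enforce domain binding, followed by the signature check."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get" or c.get("challenge") != challenge:
        return False
    if c.get("origin") not in ALLOWED_ORIGINS:          # origin must be ours
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash
        return False
    if not auth_data[32] & 0x01:                         # user-present flag
        return False
    expected = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        "sha256").digest()
    return hmac.compare_digest(expected, sig)

def login_attempt(page_origin: str, browser_check: bool = True,
                  challenge: str = "constructed-challenge-123") -> str:
    """The page at page_origin asks for an assertion for RP_ID and relays it to the RP."""
    if browser_check and not rp_id_allowed_for_origin(RP_ID, page_origin):
        return "browser refused: rpId not valid for origin"
    cd, ad, sig = authenticator_assert(RP_ID, page_origin, challenge)
    return "accepted" if rp_verify(cd, ad, sig, challenge) else "rp rejected: origin mismatch"
```

Calling `login_attempt("https://bank.example.evil-login.test")` shows the browser refusing outright, and `login_attempt("https://evil.example", browser_check=False)` shows that even an assertion obtained by some hypothetical bypass is rejected by the relying party because the signed origin is wrong.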

I mainly work in offensive security, doing web app and network penetration testing, vulnerability management, and even the occasional red team project. But one of my favorite projects over the past few years wasn’t about breaking in. It was helping a nonprofit I was advising harden their defenses.

For some reason, this nonprofit was a huge target. They received more phishing emails than I typically see even at large companies. And these weren’t lazy, generic scams. They were highly targeted, often tailored to the specific person receiving the email, and used the latest techniques to dodge filters and land right in their inboxes.

We started with awareness training and improved email filtering, but the real turning point came when they adopted hardware security keys organization-wide. This move dramatically reduced their overall risk. The phishing emails still came, but the credential-stealing attacks just stopped working. Their most critical accounts, like their email, website, and donor management systems, were now protected. Even if an employee clicked a link, the phishing site simply couldn’t get past the hardware key. Login alerts dropped. It took their single biggest threat right off the table.

They’ve benefited from the same protection Google saw seven years ago. They just did it before it was trendy.

Passkeys are hot right now, and they should be. They represent one of the few authentication technologies that actually tips the scales away from attackers and back toward users.

If your organization is still relying on passwords and SMS-based MFA, now is the time to move. Attackers have gotten too good, and phishing is too easy. Passkeys take much of that class of attacks off the table.
