
A Company’s Incorrect Passkey Process Can Lead to Phishing Attacks

iSecurityGuru, Dec 28, 2022

As I wrote in Part 1 of this series,

Unlike passwords, passkeys are resistant to phishing attacks. The domain of the website you are logging into is checked as part of the passkey’s cryptographic protocol. You cannot be phished with passkeys.

But unfortunately, I am already seeing an example of a company implementing passkeys in a way that was not intended. The outcome of such a negligent implementation is that the passkey login is no longer phishing resistant.
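What the Part 1 claim about domain checking means in concrete terms: before a relying party trusts a passkey assertion, its server verifies that the origin recorded in clientDataJSON and the rpIdHash in the authenticator data both name its own domain, and the credential's signature covers exactly those bytes. The following is an added example in Python, not code from the original post or from any company mentioned here; RP_ID, EXPECTED_ORIGINS, the flag constants and the sample assertions are constructed assumptions, and the public-key signature check over the returned signed_data is assumed to happen separately.

```python
"""Added example (not from the original post or from Carnival): the
domain-binding checks a WebAuthn relying party (RP) runs on a passkey assertion.
RP_ID, EXPECTED_ORIGINS and the sample assertions are constructed for
illustration. The signature over authenticator_data || SHA-256(client_data_json)
must also be verified with the credential's stored public key; that step is
assumed to happen elsewhere."""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                                                   # assumed RP ID
EXPECTED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumed origins

FLAG_USER_PRESENT = 0x01   # authenticatorData flags bit 0 (UP)
FLAG_USER_VERIFIED = 0x04  # authenticatorData flags bit 2 (UV)


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url, the encoding used inside clientDataJSON."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || signCount (big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, as the browser fills it in for navigator.credentials.get()."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> dict:
    """Check that an assertion was produced for this RP's origin and rpId.

    Returns {"ok": bool, "reason": str, "signed_data": bytes | None}; signed_data is
    the message the credential's signature must cover when ok is True."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return {"ok": False, "reason": "clientDataJSON is not valid JSON", "signed_data": None}
    if client_data.get("type") != "webauthn.get":
        return {"ok": False, "reason": "ceremony type is not webauthn.get", "signed_data": None}
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return {"ok": False, "reason": "challenge does not match the one issued", "signed_data": None}
    origin = client_data.get("origin")
    if origin not in EXPECTED_ORIGINS:
        # The browser fills in the origin of the page that called the API, so a
        # lookalike domain cannot claim to be this RP; the check rejects it here.
        return {"ok": False, "reason": f"origin {origin!r} is not this relying party", "signed_data": None}
    if len(authenticator_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short", "signed_data": None}
    rp_id_hash = authenticator_data[:32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return {"ok": False, "reason": "rpIdHash is not SHA-256 of this RP ID", "signed_data": None}
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return {"ok": False, "reason": "user presence flag not set", "signed_data": None}
    # The signature (verified separately) covers exactly this byte string, so the
    # origin and rpId checks above are bound to the authenticator's response.
    signed_data = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {"ok": True, "reason": "origin and rpId bound to this relying party", "signed_data": signed_data}


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real RP draws this randomly per login
    good = verify_assertion_binding(
        build_client_data("https://example.com", challenge),
        build_authenticator_data(RP_ID, FLAG_USER_PRESENT | FLAG_USER_VERIFIED, 7),
        challenge)
    print("genuine origin:", good["ok"], "-", good["reason"])
    # Constructed lookalike: a page on another domain reports that domain as origin.
    bad = verify_assertion_binding(
        build_client_data("https://example.com.lookalike.test", challenge),
        build_authenticator_data("example.com.lookalike.test", FLAG_USER_PRESENT, 7),
        challenge)
    print("lookalike origin:", bad["ok"], "-", bad["reason"])
```

Running the module shows the genuine origin accepted and the constructed lookalike rejected at the origin check. In practice the rejection happens even earlier: the authenticator scopes the credential to the rpId, so a browser on another domain never finds the passkey at all, which is the property that makes the standard flow phishing resistant.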

Incorrect implementation

First, let’s see an example of how, in my estimation, a company implements its passkeys incorrectly and puts you at risk. Go to carnival.com in your computer’s web browser and click on the “Login” link, then select the fingerprint icon to start the passkey login:

Then you take out your smartphone and aim it at the QR code:

At the bottom of the QR code, you will notice a yellow label.

Tapping the yellow label opens a webpage (passwordless.carnival.com) in the web browser on your smartphone. You then follow the prompts on that webpage to log in using your passkey.

Carnival’s website will show this as it waits for you to log into that webpage via passkey on your smartphone:

Once you have successfully logged in via passkey on your smartphone, you will be logged into Carnival’s website on your computer.

The rest is exclusive content for members