As I wrote in Part 1 of this series:
Unlike passwords, passkeys are resistant to phishing attacks. Checking the domain of the website you are logging into is built into the passkey’s cryptographic protocol. You cannot be phished with passkeys.
But unfortunately, I am already seeing an example of a company implementing passkeys in a way they were not intended to be used. The outcome of such a negligent passkey implementation is that it is no longer phishing resistant.
Incorrect implementation
First, let’s see an example of how, in my estimation, a company implements its passkeys incorrectly and puts you at risk. Go to carnival.com in your computer’s web browser and click on the “Login” link, then select the fingerprint icon to start the passkey login:
Then take out your smartphone and aim its camera at the QR code:
At the bottom of the QR code, you will notice a yellow label.
Tapping the yellow label opens a webpage (passwordless.carnival.com) in your smartphone’s web browser. You then follow the prompts on that webpage to log in with your passkey.
Carnival’s website on your computer shows this screen while it waits for you to log into that webpage with your passkey on your smartphone:
Once you have successfully logged in with your passkey on your smartphone, you are logged into Carnival’s website on your computer.
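To make the “domain check” from Part 1 concrete, here is an added Python illustration (my own sketch, not the author’s code and not Carnival’s implementation) of the two checks a passkey server performs: the browser embeds the page origin in clientDataJSON, the authenticator embeds SHA-256(rpId) in authenticatorData, and the server compares both against its own domain. All values are constructed, the hostnames are the ones from the walkthrough above, and the signature verification itself is omitted.

```python
import base64
import hashlib
import json

# Constructed values for illustration; hostnames match the flow described above.
RP_ID = "passwordless.carnival.com"
RP_ORIGIN = "https://passwordless.carnival.com"
CHALLENGE = b"constructed-random-challenge-32b"  # a real server draws fresh random bytes per login


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes = CHALLENGE) -> bytes:
    """What the browser on the phone signs over: the page's origin is baked in."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """authenticatorData layout: SHA-256(rpId) | flags | 32-bit signature counter."""
    flags = 0x05  # user present + user verified
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_challenge: bytes = CHALLENGE,
                   expected_origin: str = RP_ORIGIN,
                   expected_rp_id: str = RP_ID) -> tuple[bool, str]:
    """The domain checks built into the passkey protocol (signature check omitted)."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not {expected_origin!r}"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "origin and rpId bound to " + expected_rp_id


if __name__ == "__main__":
    # The phone's browser opened passwordless.carnival.com, so its assertion passes...
    print(verify_binding(make_client_data(RP_ORIGIN), make_authenticator_data(RP_ID)))
    # ...while an assertion produced on any other origin is rejected by the same check.
    print(verify_binding(make_client_data("https://lookalike.example"), make_authenticator_data(RP_ID)))
```

In the flow above, these checks are performed against the page the phone opened (passwordless.carnival.com); nothing in them ties the result to the computer session that displayed the QR code, which is why the phishing resistance from Part 1 does not carry over to the computer.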