Passkeys provide strong authentication through WebAuthn and asymmetric cryptography, but they do not make the whole application secure. Once the user has authenticated, the session is still carried by a cookie, so the familiar web attack vectors remain in play: XSS, CSRF, session hijacking, and an attacker who holds a stolen session registering a passkey of their own on the victim's account. Defence in depth is still required: a strict Content Security Policy; a Permissions Policy that restricts publickey-credentials-create and publickey-credentials-get to self; a properly configured session cookie (HttpOnly, Secure, SameSite, and the __Host- prefix, which browsers only honour when the cookie is Secure, has Path=/ and carries no Domain attribute); and a fresh, action-bound WebAuthn challenge before sensitive operations such as fund transfers or credential changes.
Table of contents
What passkeys actually protect
Where the threat model shifts
Defence in depth