Hello followers! Today I'm diving into a hot topic in tech security: passkeys and the recent claims that they are flawed. Let's break down what's real and what's hype.
Recent research by SquareX claims to have found a "major passkey vulnerability" that supposedly undermines the security promises of Apple, Google and Microsoft. Many experts, however, argue that the research misreads how passkeys work and which threats they are meant to stop.
At its core, a passkey is a public/private key pair used to authenticate without a password. The private key stays on your device (in a platform authenticator or a hardware security key), and only the public key is stored on the service's server. When you log in, the server sends a fresh random challenge, your device signs it with the private key, and the server verifies the signature with the stored public key. Because the server holds only a public key, a breach of its database does not leak anything an attacker can log in with. The flow is also phishing-resistant: the browser binds each passkey to the domain it was created for and includes the actual page origin in the signed data, so a lookalike site cannot relay a challenge and obtain a signature the real site will accept.
The controversy arose when the researchers demonstrated an attack in which a malicious browser extension tampers with the registration flow inside the browser, so that the key the service ends up trusting is not the one the user's device holds. Critics say this is not a flaw in passkeys themselves but a consequence of malware altering the registration process, something passkeys were never designed to prevent once the device or browser is already compromised.
Security experts point out that passkeys are built to the FIDO specifications, whose security model assumes the user's device and client software are not compromised during registration and authentication. If malware controls the browser, passkeys cannot stop it from acting on the user's behalf, any more than a password manager or a one-time-code app can. That is not a failure of passkeys but an expected limit of endpoint security: the server sees only what the client sends it.
Some also argue that the research conflates a malware-driven registration hijack with the theft of existing passkeys. The latter remains as strong as the current standards claim: a private key held in a secure element or platform keystore cannot be exported and replayed elsewhere. The FIDO security reference explicitly lists malware running on the user's device as out of scope, so this is not a weakness unique to passkeys.
While the hype might suggest passkeys are fundamentally broken, the consensus among security professionals is that they remain a significant upgrade over passwords, especially against phishing and credential-database leaks. As always, no system survives a compromised device: keep your operating system and browser up to date, and be as careful about which browser extensions you install as you would be about any other software that runs with access to your sessions.