ZeroTrace cybersecurity hardware and software

Passkeys Finally Work Now What


April 21, 2026 · 3 min read · 491 words

The quiet passkey tipping point

Somewhere in the last year, passkeys stopped being a thing enterprises talked about adopting "next quarter" and started being a thing their workforce was quietly already using. Cross-platform sync works. Recovery flows mostly work. The "what if my phone dies" question has a real answer. Major SaaS vendors default to passkey-first sign-in.

The interesting part is not the technology. It is what happens to your threat model when password phishing stops being the top story on every incident report.

Phishing adapts faster than checklists

Attackers do not disappear when credentials get harder to steal. They shift. In the last six months we have seen a visible move toward:

  • Session-cookie theft via infostealers on endpoints passkeys do not protect
  • OAuth consent phishing against passkey-authenticated accounts
  • "Help desk" social engineering targeting recovery and device-enrollment flows
  • Passkey-adjacent MITM attacks against older WebAuthn flows missing appropriate attestation
  • Lateral movement through SSO once a single high-value account is compromised

None of these require breaking passkeys. They route around them.

When your authentication can't be phished from the browser, the attack surface collapses onto the places where passkeys get created: new-device enrollment, lost-device recovery, IT help desks, and backup authenticators. Those flows were an afterthought when passwords dominated. They are the main event now.

Practical questions to audit:

  • How does a user enroll a new passkey, and what proofs are required?
  • What happens when a user claims they lost their only device?
  • Which staff can reset or bypass passkey requirements, and is that path logged?
  • Does the help desk require video, callback, or in-person verification for high-risk accounts?
  • Are recovery codes stored somewhere a session-stealing infostealer can find?

The answer to most of these in a typical environment is "we never specified, we inherited whatever the vendor provides."

Session tokens are still plaintext

Passkeys prove you are the right person at login. After that, most applications hand out a session token that moves around like any other bearer credential. Endpoint malware that steals cookies does not care how fancy the login was.

Short-lived session tokens, device-bound sessions (via WebAuthn's requireUserVerification on sensitive actions, or token-binding equivalents), and aggressive revocation after suspicious signals are where the real 2026 hardening lives.

What to actually do

  • Enable passkeys on every account that offers them, but treat that as a foundation, not a victory lap
  • Rewrite the device-enrollment and recovery runbooks as if they are the primary attack surface
  • Monitor for session-token theft separately from authentication anomalies
  • Require step-up verification for high-risk actions, not just login
  • Remove password fallback paths once passkey coverage is high enough

The short version: passwords are finally losing. The adversary has already moved. Make sure your defenses moved too.

Source note

This field note reflects trends across the FIDO Alliance deployment data, public breach disclosures from 2025-2026 involving session-cookie theft on passkey-protected accounts, and ongoing WebAuthn Level 3 work in the W3C Web Authentication WG.
