Incorrect passkey implementation

How incorrect implementations of passkeys can lead to phishing attacks

As I wrote in "Is there a better password-killer technology than Passkey?":

Unlike passwords, passkeys are resistant to phishing attacks. Checking the domain of the website you are logging into is built into the passkey's cryptographic protocol. You cannot be phished with passkeys.

Unfortunately, I am already seeing an example of a company implementing passkeys in a way that was never intended. The outcome of such a negligent implementation is that the passkey login is no longer phishing resistant. So I am calling out this company in this article.

Incorrect implementation

First, let's see how that company implements passkeys incorrectly. In your computer's web browser, go to carnival.com and click on the "Login" link. Then select the fingerprint icon to start the passkey login:

Then you whip out your smartphone and aim it at the QR code:

At the bottom of the QR code you will notice a yellow label. Tapping the yellow label makes your smartphone's web browser open a webpage (passwordless.carnival.com). You then follow the prompts on that webpage to log in to it with your passkey.

Carnival's website shows this while it waits for you to log in to that webpage with your passkey on your smartphone:

Once you have successfully logged in with your passkey on your smartphone, you are logged into Carnival's website on your computer.

What is wrong with Carnival’s implementation?
