Incorrect passkey implementation

How incorrect implementations of passkeys can lead to phishing attacks

As I wrote in "Is there a better password-killer technology than Passkey?":

Unlike passwords, passkeys are resistant to phishing attacks. The domain of the website you are logging into is checked as part of the passkey protocol itself: the browser records the origin it is running on, and the authenticator binds the credential to the site's relying-party ID, so a passkey registered for one site cannot be used to sign in to a look-alike site. You cannot be phished with passkeys.

But unfortunately, I am already seeing an example of a company implementing passkeys in a way that was never intended. The outcome of such a negligent implementation is that the passkey login is no longer phishing resistant. So I am calling out this company in this article.

Incorrect implementation

First, let's see how that company implements passkeys incorrectly. In a web browser on your computer, go to carnival.com and click on the "Login" link. Then select the fingerprint icon to start the passkey login:

Then you take out your smartphone and point its camera at the QR code:

Below the QR code you will notice a yellow label. Tapping on it makes the web browser on your smartphone open a webpage (passwordless.carnival.com). You then follow the prompts on that webpage to log into it with your passkey.

Carnival's website shows this while it waits for you to log into that webpage with your passkey on your smartphone:

Once you have successfully logged in with your passkey on your smartphone, you are logged into Carnival's website on your computer.

What is wrong with Carnival’s implementation?


Exclusive Content

To read the rest of this exclusive content, you need to sign up for a membership plan for $1.49/month.



