Constella Intelligence

The Industry’s Passkey Pivot Ignores a Deeper Threat: Device-Level Infections


Passkeys Are Progress, But They’re Not Protection Against Everything

The cybersecurity community is embracing passkeys as a long-overdue replacement for passwords. These cryptographic credentials, bound to a user’s device, eliminate phishing and prevent credential reuse. Major players, like Google, Apple, Microsoft, GitHub, and Okta, have made passkey login widely available across consumer and enterprise services.

Adoption isn’t limited to tech platforms, either. In 2025 alone:

  • The UK government approved passkeys for NHS and Whitehall services.
  • Microsoft began defaulting to passwordless authentication for new users.
  • Aflac, one of the largest U.S. insurers, enrolled over 500,000 users in its first passkey onboarding wave.
  • The FIDO Alliance reported that 48% of the top 100 global websites now support passkeys, with more than 100 organizations signing public pledges to adopt them.

It’s a win on many fronts, but it doesn’t solve the identity problem. Authentication controls don’t matter if the device itself is already compromised, and that’s where infostealer malware continues to exploit a critical blind spot in the industry’s rush toward passwordless security.


Infostealers Don’t Break In, They Log In After You Do

Infostealers are lightweight malware designed to extract sensitive data from infected endpoints — no exploit required. Once installed, they collect:

  • Browser-stored credentials
  • Authentication tokens and session cookies
  • Auto-fill and personal data
  • Crypto wallets, system info, and more

The attacker doesn’t need your passkey or password. If your device is infected, they can hijack your authenticated session and access systems without ever touching a login page.

This method of stealing and reusing session artifacts is growing because it works. And in a passkey-enabled world, it’s often invisible to traditional defenses.


Real-World Data Shows the Risk Is Growing

In Constella’s 2025 Identity Breach Report, we tracked tens of millions of infostealer logs circulating across criminal markets in a single year. These logs often include session cookies and credentials tied to executive, developer, and admin accounts.

This isn’t speculative. These artifacts are actively traded, resold, and used to infiltrate corporate environments. And in many cases, organizations discover the breach only after the stolen data shows up for sale online.

Worse, the malware behind these logs is readily available as a service. Infostealers like Lumma, Raccoon v2, and RedLine are being deployed by low-skill attackers who no longer need phishing kits or password crackers. Just infect the device and extract what’s already there.


Passkeys Solve One Problem, But Leave Others Unaddressed

To be clear, passkeys are a powerful and necessary evolution. They eliminate phishing vectors and reduce the burden on users. But they assume the endpoint is secure, and increasingly, that assumption doesn’t hold.

If malware has access to the browser’s local storage or the filesystem where session tokens live, passkeys offer no protection. The attacker simply reuses the session token and bypasses authentication entirely.

This is the new frontier of identity-based attacks. And as more organizations adopt passkeys, device compromise and session hijacking will become the primary identity threats.


A Shift in Strategy: From Authentication to Identity Exposure

Organizations need to rethink their approach. Instead of focusing only on the login layer, security teams must assess whether the identities behind those logins have already been exposed. That starts with extending visibility beyond the perimeter.

1. Monitor for Identity Exposure in the Wild

Track stolen credentials, session cookies, and tokens showing up in infostealer logs and underground markets. These exposures are often the first sign of a compromise.

2. Harden Device Hygiene at the Edge

Endpoint protection and EDR tools remain critical, especially for remote users and unmanaged devices. Many infostealers are delivered through phishing attachments, malicious downloads, or cracked software.

3. Reduce Session Token Lifespan

Short-lived sessions limit attacker dwell time. Pair them with device fingerprinting, geo-fencing, or re-authentication triggers to detect anomalous access patterns.

4. Link Exposure to Risk with Contextual Intelligence

The next step is understanding who is exposed, not just which credentials. This requires the ability to correlate disparate data points into a unified identity profile.
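The session controls from step 3, sketched as a server-side check; this is an added example, not Constella's code. The TTL values, the fingerprint inputs, and the `Session`, `fingerprint`, `evaluate` and `demo` names are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed policy values for this example; tune per application.
IDLE_TTL = 15 * 60          # seconds of inactivity allowed
ABSOLUTE_TTL = 8 * 60 * 60  # maximum session age, active or not

def fingerprint(user_agent: str, platform: str) -> str:
    """Coarse device fingerprint: hash of client-reported attributes."""
    return hashlib.sha256(f"{user_agent}|{platform}".encode()).hexdigest()

@dataclass
class Session:
    user: str
    issued_at: int   # epoch seconds at login
    last_seen: int   # epoch seconds of last allowed request
    fp: str          # fingerprint recorded at login
    country: str     # geo-IP country recorded at login

def evaluate(s: Session, now: int, user_agent: str, platform: str, country: str) -> str:
    """Decide 'allow', 'reauth' or 'revoke' for a request carrying session s."""
    if now - s.issued_at > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
        return "revoke"                      # expired: token is dead even if stolen
    fp_ok = hmac.compare_digest(s.fp, fingerprint(user_agent, platform))
    geo_ok = country == s.country
    if not fp_ok and not geo_ok:
        return "revoke"                      # new device and new country: likely replay
    if not (fp_ok and geo_ok):
        return "reauth"                      # one signal drifted: require the passkey again
    s.last_seen = now                        # slide the idle window only on clean requests
    return "allow"

def demo() -> list:
    """Run constructed requests against one constructed session."""
    ua, plat = "ExampleBrowser/1.0", "Windows"
    s = Session("alice", 1_000, 1_000, fingerprint(ua, plat), "GB")
    return [
        evaluate(s, 1_060, ua, plat, "GB"),                     # same device, same place
        evaluate(s, 1_120, ua, plat, "DE"),                     # country changed
        evaluate(s, 1_180, "OtherBrowser/2.0", "Linux", "DE"),  # device and country changed
        evaluate(s, 1_060 + IDLE_TTL + 1, ua, plat, "GB"),      # idle too long
    ]

if __name__ == "__main__":
    print(demo())
```

Because infostealers also collect system info, a fingerprint built from client-reported attributes can be replayed along with the cookie; the idle and absolute TTLs are what bound dwell time when that happens.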


Bringing Risk Into Focus with Identity Intelligence

Constella’s Identity Risk Intelligence solutions enable organizations to surface hidden connections across exposed credentials, session artifacts, and real-world users. By stitching together breach, malware, and dark web data, we help security teams:

  • Enrich identity risk scoring with real-world exposure signals
  • Link consumer and corporate identities
  • Prioritize high-risk individuals based on context, not guesswork

This kind of visibility helps answer questions that authentication tools can’t. When a credential is exposed, is it tied to one of your developers? An executive? An unmanaged personal device accessing corporate systems?

That context makes the difference between an alert and an urgent response.


Final Thought: Passkeys Are a Start, Not a Solution

We’re moving in the right direction. But the rise of passkeys shouldn’t create a false sense of security. Threat actors have already adapted. They no longer need to steal credentials; they’re quietly collecting access.

Device-level compromise, not credential theft, is becoming the dominant driver of identity risk.

And if your defenses stop at the login screen, you’re not securing the full picture.

Because in today’s threat landscape, it’s not about how strong your passkey is — it’s about whether your session is already in someone else’s hands.


Want to assess your organization’s identity exposure?

Request a threat exposure report from Constella to see if your employees’ credentials or session tokens have been compromised — and learn how identity risk intelligence can close the gap.