Of course everything can be hacked. When I think something is compromised, then I need to change everything. So far I didn’t heard of any remote zero click compromise. With the fancy hacking tools of some companies, its not publicly known how they gained access. I suspect either physical access or some malware.
But we are speaking on a high level of hacking, that most people don’t need to be scared off. At that level, there are other things to worry about.
When we just look at the dangers an average person might encounter, this level of security is fine. I do had accounts compromised and I can exactly tell what my mistake was. One was sharing my password with someone else and not knowing how secure his devices where and not having 2FA. The second one was that I used the same password everywhere. At this point I was switching to generated passwords and still didn’t had every account changed (the unimportant ones).
Of course Passkeys are by nature a more secure implementation, as you are unable to save plaintext passwords but there is one thing that this can’t solve and that’s being that they remove and reset your auth, without verifying your identity. Hackers still can steal session tokens and sites don’t need to require additional authentification, when altering your authentification.
Of course everything can be hacked. When I think something is compromised, then I need to change everything. So far I didn’t heard of any remote zero click compromise. With the fancy hacking tools of some companies, its not publicly known how they gained access. I suspect either physical access or some malware. But we are speaking on a high level of hacking, that most people don’t need to be scared off. At that level, there are other things to worry about.
When we just look at the dangers an average person might encounter, this level of security is fine. I do had accounts compromised and I can exactly tell what my mistake was. One was sharing my password with someone else and not knowing how secure his devices where and not having 2FA. The second one was that I used the same password everywhere. At this point I was switching to generated passwords and still didn’t had every account changed (the unimportant ones).
Of course Passkeys are by nature a more secure implementation, as you are unable to save plaintext passwords but there is one thing that this can’t solve and that’s being that they remove and reset your auth, without verifying your identity. Hackers still can steal session tokens and sites don’t need to require additional authentification, when altering your authentification.