Application Security · Flashcard

Why can a passkey not be used on a phishing look-alike domain?

  • AThe authenticator checks the request origin against the stored relying-party ID and refuses a mismatch
  • BThe browser warns the user that the domain is unfamiliar and cancels the sign-in automatically
  • CThe passkey is encrypted with the real domain's TLS certificate, which the fake site lacks
  • DThe private key is emailed to the registered address, so a look-alike site never receives it

Why this is the answer

The authenticator only signs when the requesting origin matches the passkey's stored RP ID, so a look-alike domain gets no valid assertion. It is not a heuristic domain warning, not tied to the TLS certificate as a key, and the private key is never transmitted at all.

Official docs
Study in Gnoseed →