How passkeys strengthen your inbound email security strategy
Lusanda Molefe December 30, 2026
In healthcare, 89% of cybercrimes are initiated via phishing emails, according to research published in Frontiers in Digital Health. The goal of most of these attacks is credential theft, harvesting the usernames and passwords that unlock email accounts, patient records, and financial systems. Recognizing this vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released guidance calling for phishing-resistant authentication as a default feature in software products because attackers don't need to break through sophisticated defenses when they can simply steal the keys.
Passkeys, a phishing-resistant authentication method built on public-key cryptography, offer a structural solution to credential theft. Unlike passwords that can be guessed, stolen, or phished, passkeys are cryptographically bound to specific domains. Even if an employee clicks a malicious link and lands on a convincing fake login page, the passkey simply won't work there. The credential can't be harvested because it never leaves the user's device in a usable form.
Why email accounts are the target
When attackers compromise an email account, they gain far more than access to messages. They gain a foothold into everything connected to that inbox.
The Chord Specialty Dental Partners breach illustrates this. In September 2024, the Tennessee-based organization discovered that an unauthorized third party had been quietly accessing several employee email accounts for more than five weeks. Email accounts are unstructured: attachments, forwarded documents, and years of correspondence sit in folders, so the attackers had access to patient names, addresses, Social Security numbers, bank account information, payment card data, dates of birth, medical information, and health insurance details. It took months to determine exactly who was affected.
Once attackers control an email account, they control password resets for connected systems. They can monitor internal communications to plan lateral movement. They can intercept sensitive documents and impersonate trusted colleagues. The inbox becomes a command center for deeper compromise.
What passkeys actually are
A passkey is a FIDO2-compliant authentication credential that replaces passwords with public-key cryptography. When a user registers for an account on a website that supports passkeys, their device generates a unique public-private key pair for that specific site. The private key remains securely stored on the user's authenticator, whether that's a smartphone, laptop, or hardware security key. Only the public key is sent to the website.
During authentication, the website issues a cryptographic challenge. The user's device finds the matching private key, verifies the user through biometrics or a PIN, signs the challenge, and sends the signed response back. The website verifies this signature against the stored public key. If verification succeeds, the user is authenticated.
This architecture eliminates several classes of attack. In a server breach, exposed public keys are useless to attackers without the corresponding private keys. Credential reuse becomes impossible because each passkey is unique to a specific website domain and account. Phishing fails because passkeys are cryptographically bound to legitimate domains, so a fake login page can't trigger the passkey authentication flow.
Passkeys come in two forms. Device-bound passkeys are stored on a single device and can only be used there, typically on hardware security keys that don't support private key export. Synced passkeys are stored across multiple devices through cloud services like iCloud Keychain or Google Password Manager, providing greater convenience while maintaining security.
CISA's Secure by Demand Guide, released in August 2024, calls for phishing-resistant authentication methods, including passkeys, as default features in software products. The National Institute of Standards and Technology (NIST) confirmed in supplemental guidance that synced passkeys meet Authenticator Assurance Level 2 (AAL2) requirements, while device-bound passkeys satisfy the higher Authenticator Assurance Level 3 (AAL3).
How passkeys stop the attacks that start breaches
Traditional multi-factor authentication improved security by requiring something beyond a password, typically a code from an authenticator app or a push notification approval. But attackers adapted. They developed techniques to intercept or bypass these additional factors.
Adversary-in-the-middle (AitM) attacks route victims through proxy servers that capture both passwords and MFA codes in real time, then replay them to the legitimate site before they expire. Push bombing exploits notification fatigue by repeatedly sending MFA approval requests until a frustrated or confused user accidentally approves one. The 2022 Uber breach demonstrated how attackers purchased a contractor's credentials on the dark web, then bombarded them with push notifications until one was approved. A single tap granted access to Uber's entire environment.
Passkeys resist these attacks. There's no password to intercept because authentication happens through cryptographic challenge-response. There's no code to capture because the private key never leaves the user's device. There's no push notification to spam because verification happens locally through biometrics or a device PIN.
When a user visits a fake login page, even one that looks identical to the real site, the passkey authentication flow doesn't activate because the domain doesn't match. The attack surface that enables most credential theft simply disappears.
According to the FIDO Alliance, this phishing resistance is precisely why CISA's guidance "empowers IT buyers, who can drive market demand for secure software features, such as passkeys and FIDO authentication."
The current state of passkey implementation
Despite clear security advantages, passkey adoption remains uneven. A 2025 study from Brigham Young University systematically analyzed passkey deployment across 111 websites to assess implementation consistency and identify gaps.
The research found that 80% of websites fell into a "Standard Implementers" cluster with relatively consistent deployment practices. Top-ranked websites showed the strongest adoption: every site ranked 1-100 in the study appeared in the highest-performing cluster. Information Technology companies led adoption rates, with 88% in the strongest implementation tier.
However, the study identified security gaps that healthcare organizations should understand. Nearly 70% of websites allow users to add or delete passkeys without verifying their identity. This creates a vulnerability where a malicious actor who gains temporary access to an unlocked session could add their own passkey and establish persistent account control, or delete existing passkeys to lock legitimate users out.
The researchers noted, "To mitigate these threats, we recommend making identity verification mandatory before creating, updating, or deleting passkeys. Requiring identity verification at these points would prevent such abuse and foster user trust in passkey-enabled authentication systems."
Only 47% of websites allow users to rename passkeys, leaving generic labels that make credential management confusing. Only 42% support autofill features that streamline the login experience. Account recovery, meaning what happens when a user loses their device, remains inconsistently addressed across implementations.
A literature review published in Applied Sciences identified the main challenges hindering passkey adoption as "misaligned user perception and technical issues regarding account recovery, sharing, and delegation." The researchers concluded that "improved user education and awareness could address these challenges," but noted a gap in academic research focusing on effective strategies to improve user perception.
Practical considerations for healthcare organizations
For healthcare organizations evaluating passkeys, email platforms represent the logical starting point. Both Google Workspace and Microsoft 365 support passkey authentication. Securing these accounts with phishing-resistant credentials addresses the entry point for most breaches.
Implementation requires planning around several realities. Account recovery presents challenges when users lose devices. Organizations need clear procedures for credential reset that don't simply recreate password-based vulnerabilities. Cross-device usage requires understanding which passkey type, synced or device-bound, fits organizational workflows. User education matters because staff need to understand why the new authentication method is more secure, not just how to use it.
The BYU research found that "top-ranked websites and those in the Information Technology sector show the most consistent and high deployment rates," suggesting that successful implementation requires adequate resources and technical expertise. Organizations with limited IT capacity may need to phase adoption or seek external support. Passkeys work best as part of layered security rather than a standalone solution. They protect account access but don't address threats that arrive through other vectors or operate after authentication.
The layered defense approach
Passkeys and inbound email security address different stages of the same attack chain. Inbound email security stops phishing attacks before they reach users. AI-powered threat detection identifies malicious messages, blocking fake login pages, credential harvesting attempts, and social engineering attacks at the email gateway. When these filters work, users never see the threats designed to steal their credentials.
Passkeys neutralize credential theft if a phishing attempt slips through. Even when a user clicks a malicious link and encounters a convincing fake login page, phishing-resistant authentication prevents the attack from succeeding. The credential can't be stolen because the authentication mechanism doesn't work on fraudulent domains.
Together, these layers eliminate multiple stages of the attack chain. Prevention reduces exposure. Defense in depth ensures that a single failure doesn't lead to compromise.
Paubox Email Suite provides this layered protection. Inbound security features use AI-based threat detection to identify and block phishing attempts, while ExecProtect stops domain spoofing and impersonation attacks. Outbound encryption ensures that sensitive communications remain protected in transit. The combination addresses both the threats arriving via email and the data flowing out, creating comprehensive protection for healthcare communication.
FAQs
What is public-key cryptography?
Public-key cryptography is a security method that uses two mathematically related keys, a public key and a private key. The public key can be shared openly, while the private key remains secret. Data encrypted with one key can only be decrypted with the other. With passkeys, your device holds the private key and the website holds the public key. During login, the website sends a challenge that only your private key can correctly sign, proving your identity without ever transmitting the actual credential.
What is push bombing?
Push bombing, also called MFA fatigue, is a social engineering attack where hackers repeatedly send multi-factor authentication approval requests to a victim's phone. After receiving dozens of identical notifications, users may accidentally tap "approve" out of frustration, confusion, or simply to stop the alerts.
What is credential harvesting?
Credential harvesting is the process of collecting usernames and passwords, typically through phishing attacks. Attackers create fake login pages that mimic legitimate sites, then distribute links via email, text messages, or malicious advertisements. When victims enter their credentials on these fake pages, the information is captured and stored for later use or sold on criminal marketplaces.