Passkeys authenticate users securely, but they do not prove a user is human. Passkeys replace passwords with device-bound cryptographic authentication. They prevent phishing, credential theft, and password reuse attacks.
However, passkeys only verify identity at login, not behavior after login. A bot can still operate inside a valid authenticated session. Automated browsers, scripts, and AI agents can interact with systems after authentication succeeds.
Passkeys solve authentication problems, not human verification problems.
Human verification requires analyzing behavior, context, and request patterns.
Modern security therefore separates two different questions:
Who is the user?
Is this activity being performed by a human or a bot?
Passkeys answer the first question extremely well. They do not answer the second question.
That distinction is critical for modern applications facing automated attacks. Bots today perform actions such as scraping APIs, creating fake accounts, and automating purchases. Many of these actions happen after authentication, not before it.
This means that even a system protected with passkeys can still experience bot abuse.
To fully protect modern applications, security must combine multiple layers:
Understanding where passkeys help—and where they do not—is essential for building secure systems.
2. Quick TL;DR
Passkeys replace passwords with device-bound authentication.
Passkeys prevent phishing and credential theft attacks.
Passkeys verify identity but do not verify human behavior.
Bots can operate inside authenticated sessions.
Authentication does not prove human intent.
CAPTCHA was originally designed to detect bots.
Modern bots can solve or bypass many CAPTCHA challenges.
Bot detection relies on behavioral and device signals.
Passkeys improve authentication security but not bot detection.
Modern security requires authentication plus runtime verification.
3. The Core Question: Do Passkeys Prove You Are Human?
The short answer is no. Passkeys prove that a user controls a device credential. They do not prove that the actor using that device is human.
Passkeys verify identity ownership, not human intent.
Human verification and authentication are fundamentally different security goals.
Many developers confuse these two concepts because both appear during login flows. However, they solve different problems in system security.
Authentication vs Human Verification
Authentication answers one specific question:
Who is the user?
Human verification answers a different question:
Is this activity being performed by a human or a bot?
These two goals require completely different technologies.
| Security Goal | Purpose | Example Technology |
|---|---|---|
| Authentication | Verify user identity | Passwords, Passkeys, OAuth |
| Authorization | Control resource access | RBAC, Access policies |
| Human Verification | Detect automated behavior | CAPTCHA, Behavior analysis |
Authentication confirms identity credentials.
Human verification analyzes interaction behavior.
Authentication proves identity.
Human verification proves intent.
Identity vs Intent
Passkeys solve the identity problem extremely well. They replace passwords with cryptographic authentication tied to a device.
When a user signs in with a passkey:
The device proves ownership of a private key
The server verifies the cryptographic signature
The user is authenticated successfully
At that moment, the system knows:
A valid credential was used.
However, the system does not know:
Whether the interaction is automated
Whether a bot controls the browser
Whether an AI agent triggered the action
Passkeys prove device ownership, not human presence.
Why This Distinction Matters
Modern bots rarely try to guess passwords anymore. Instead, they operate through automated browsers or scripts that interact with websites exactly like real users.
Examples include:
These bots can operate after authentication succeeds.
Most automated abuse happens inside authenticated sessions.
This means a system using passkeys can still experience bot-driven activity.
A Simple Example
Imagine a user logs into a website using a passkey.
The authentication process is secure and successful.
Now consider two scenarios:
A real human navigates the site normally.
A bot script controls the browser and performs automated actions.
From the authentication system's perspective, both sessions look valid.
The passkey successfully verified identity in both cases.
Authentication alone cannot distinguish humans from automated behavior.
The Key Insight
Passkeys are a major improvement for authentication security. They eliminate passwords and prevent many common attacks.
However, they do not replace bot detection systems.
Passkeys solve authentication.
Human verification requires additional security layers.
Understanding this difference is essential for building secure modern applications.
4. What Problem Passkeys Actually Solve
Passkeys were designed to solve the weaknesses of password-based authentication. They replace passwords with device-bound cryptographic credentials that are resistant to phishing and credential theft.
Passkeys solve authentication security problems, not bot detection problems.
They eliminate passwords while improving login success and security.
Passkeys are based on the FIDO and WebAuthn standards. These standards use public-key cryptography instead of shared secrets like passwords.
When a user registers a passkey:
The device generates a public-private key pair.
The private key stays securely on the user’s device.
The public key is stored on the server.
During login, the server sends a challenge that the device signs with the private key. The server verifies the signature using the stored public key.
The private key never leaves the user’s device.
Password Elimination
Passwords have been the weakest link in authentication for decades.
Common password problems include:
password reuse across services
weak passwords chosen by users
password database breaches
phishing attacks stealing credentials
Microsoft reports that more than 99% of identity attacks involve passwords.
Passkeys remove passwords entirely from the authentication process.
No password means nothing for attackers to steal or guess.
Phishing Resistance
Traditional phishing attacks trick users into entering credentials on fake websites.
Passkeys prevent this because authentication is tied to the website’s domain.
If a phishing site tries to trigger passkey authentication, the credential was registered for the legitimate site’s domain, so it does not work for the phishing domain and the login fails.
Passkeys are inherently phishing resistant.
This makes them far more secure than passwords, SMS OTPs, or many MFA systems.
Device-Bound Authentication
Passkeys are stored securely on the user’s device.
They rely on hardware-backed security features such as:
secure enclaves on smartphones
trusted platform modules (TPM) on computers
biometric authentication like Face ID or fingerprint
The authentication process requires the user to unlock the device.
This ensures the device owner is present during login.
Passkeys combine device possession with biometric verification.
Improved User Experience
Passwords introduce friction during login.
Users often forget passwords, reset them, or struggle with password policies.
Passkeys simplify login significantly.
Typical passkey login flow:
User enters username or email.
Device prompts biometric verification.
Authentication completes instantly.
Microsoft reports that passwordless authentication achieves 95% login success rates, compared to much lower success rates for password logins.
Passkeys improve both security and usability.
Protection Against Credential Theft
Credential stuffing attacks rely on leaked password databases.
Attackers reuse stolen passwords across multiple services.
Passkeys eliminate this attack vector because:
Even if one service is compromised, the passkey cannot be reused elsewhere.
Passkeys eliminate credential reuse attacks entirely.
5. What Problem Passkeys Do NOT Solve
Passkeys dramatically improve authentication security. They prevent phishing, password theft, and credential reuse. However, they do not stop automated behavior or bots operating after login.
Passkeys verify identity credentials, not user behavior.
Bots can still interact with systems after authentication succeeds.
This distinction is important because most modern automated attacks no longer focus on breaking authentication. Instead, they target the application layer after login.
Passkeys Do Not Detect Automated Browsers
Modern bots often run inside automated browsers that behave like real users.
These tools include:
Selenium
Puppeteer
Playwright
headless Chrome
These automated browsers can load web pages, click buttons, submit forms, and interact with applications exactly like a human user.
Once authentication succeeds, the system sees only normal requests.
Passkeys cannot distinguish between human actions and automated browser actions.
Passkeys Do Not Detect Scripted Sessions
Many automated attacks occur inside valid authenticated sessions.
Examples include:
These actions happen after authentication has already succeeded.
From the server’s perspective, the requests are coming from a valid session.
Passkeys do not evaluate how a session is being used.
Passkeys Do Not Detect API Automation
Modern applications rely heavily on APIs.
Bots often interact directly with APIs instead of web interfaces.
For example:
If the API accepts valid tokens or session cookies, the requests may look legitimate.
Passkeys secure login but do not analyze API behavior.
Passkeys Do Not Detect AI Agents
The rise of AI-driven automation introduces a new category of automated activity.
AI agents can:
These agents may operate inside authenticated sessions.
Because authentication was valid, the system cannot easily distinguish between human actions and automated actions.
Passkeys authenticate the device, not the actor controlling it.
Passkeys Do Not Analyze Behavior
Human verification systems often rely on behavior signals.
These signals may include:
mouse movement patterns
typing speed
navigation patterns
request timing
Passkeys do not analyze these signals.
They only verify the cryptographic credential during login.
Passkeys do not evaluate behavioral patterns.
Passkeys Do Not Detect Intent
A valid login does not guarantee safe behavior.
A user may log in successfully and then perform malicious actions.
Examples include:
Authentication confirms identity, but it does not validate intent.
Intent can only be inferred through behavioral analysis.
The Key Insight
Passkeys solve one specific problem extremely well: secure authentication.
They eliminate passwords and significantly reduce account takeover attacks.
However, modern systems face additional challenges that occur after authentication.
Bots, automated scripts, and AI agents often operate inside valid sessions.
Passkeys secure the login event, not the entire user session.
To detect automation, systems need additional mechanisms such as:
Understanding these limitations is essential when designing modern security architectures.
6. How Bot Detection Actually Works
Bot detection systems are designed to distinguish automated traffic from human users. Unlike authentication systems, bot detection focuses on analyzing behavior, patterns, and environmental signals.
Bot detection identifies automated behavior, not identity credentials.
Human verification depends on analyzing how a system is used.
Modern bot detection systems combine multiple techniques to detect suspicious activity.
CAPTCHA Challenges
CAPTCHA systems were originally designed to separate humans from automated scripts. The name CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
CAPTCHA systems challenge users with tasks that are assumed to be easy for humans but difficult for machines.
Examples include:
These tests attempt to ensure that the actor interacting with the system is human.
CAPTCHA systems challenge interaction rather than identity.
Behavioral Analysis
Behavioral analysis examines how users interact with a website or application.
Human users behave differently from automated scripts.
Common behavioral signals include:
Bots often generate extremely regular patterns that differ from human behavior.
Human behavior contains randomness that automated scripts struggle to replicate.
Behavioral analysis systems monitor activity throughout the session to detect anomalies.
Device Fingerprinting
Device fingerprinting identifies unique characteristics of a device and browser environment.
This technique collects signals such as:
These attributes can create a fingerprint that helps identify automated tools.
Bots often use headless browsers or simplified environments that differ from real user devices.
Device fingerprints help detect suspicious environments.
Rate Limiting
Rate limiting controls how frequently requests can be made to a system.
Bots often send large volumes of requests in short periods of time.
Rate limiting can prevent excessive traffic from automated sources.
Examples include:
Rate limiting reduces automated abuse by controlling request volume.
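As an added example (not from the original article or from any vendor's product), this Go program applies two of the signals discussed above, request rate and inter-request timing regularity, to constructed per-session request times. The sample sessions and the thresholds (1 request per second, coefficient of variation below 0.1) are assumptions; the point it shows is that a rate limit alone misses a slow but perfectly regular scraper that timing analysis still catches.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed request times (seconds since login) per authenticated session, not
// real traffic: h1 browses at an irregular human pace, b1 calls the API every 0.5 s,
// and b2 is a "low and slow" scraper: under any rate limit, but perfectly regular.
var sampleSessions = map[string][]float64{
	"h1": {0, 3.4, 4.1, 11.9, 12.6},
	"b1": {0, 0.5, 1.0, 1.5, 2.0},
	"b2": {0, 5, 10, 15, 20},
}

type verdict struct {
	PerSecond  float64 // requests divided by the session's observed time span
	IntervalCV float64 // std-dev/mean of inter-request gaps; ~0 means machine-regular
	Automated  bool
}

// analyze flags a session that exceeds maxPerSecond (rate limiting) or whose gaps are
// near-constant (timing analysis). Times must be in log order; under four requests is skipped.
func analyze(sessions map[string][]float64, maxPerSecond, minCV float64) map[string]verdict {
	out := map[string]verdict{}
	for id, ts := range sessions {
		n := len(ts)
		if n < 4 {
			continue
		}
		mean, sq := 0.0, 0.0
		for i := 1; i < n; i++ {
			mean += (ts[i] - ts[i-1]) / float64(n-1)
		}
		for i := 1; i < n; i++ {
			sq += math.Pow(ts[i]-ts[i-1]-mean, 2) / float64(n-1)
		}
		v := verdict{PerSecond: float64(n) / (ts[n-1] - ts[0]), IntervalCV: math.Sqrt(sq) / mean}
		v.Automated = v.PerSecond > maxPerSecond || v.IntervalCV < minCV
		out[id] = v
	}
	return out
}

func main() {
	for id, v := range analyze(sampleSessions, 1.0, 0.1) {
		fmt.Printf("%s: %.2f req/s, interval CV %.2f, automated=%v\n", id, v.PerSecond, v.IntervalCV, v.Automated)
	}
}
```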
Network Reputation Analysis
Many bot detection systems analyze the reputation of IP addresses and networks.
Signals may include: