Zero One Security

Field Guide

The Key That Refuses the Fake

Why a physical key resists the attack a password invites

June 2026

The Attack a Password Invites

A password is a secret you carry in your head and type into a screen. That is its whole design, and it is also its whole problem. Anything you can type into the real login page, you can be tricked into typing into a fake one. The fake page does not need to break any encryption. It only needs to look right for the few seconds it takes you to enter the secret, and then it holds everything the real site would have accepted.

This is why phishing has lasted. It does not attack the technology. It attacks the moment a person decides a page looks legitimate. Add a code from a text message or an app, and the bar rises slightly, but the same trick still works. The fake page asks for the code too, and a person under time pressure hands it over.

A Key That Checks Who Is Asking

A hardware key changes what is being asked of the person. The key is a physical object you hold, the size of a house key or a fingertip. Inside it is a secret that never leaves the device, is never shown on a screen, and is never typed. You cannot read it, and neither can we.

When you sign in, the website sends the key a challenge. The key answers only after checking the exact address that is asking. A genuine answer is bound to the real site's address. On a lookalike domain, one character off, the check fails and the key stays silent. There is nothing for the person to get wrong, because the person is not the one verifying the site. The key is, and the key does not get impatient, flattered, or rushed.

A password trusts the person to spot the fake. A key checks for them, and refuses to answer it.

That is the property worth the whole exercise. The secret is never transmitted, so it cannot be captured in transit. It is never typed, so it cannot be entered on the wrong page. It is bound to one site, so it cannot be replayed against another. The attack that a password quietly invites is the one a key is built to ignore.
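The challenge, the address check and the site-bound answer described above, as an added toy model of the three parties (key, browser, site); this is not code from the guide or from any real key or browser. An HMAC stands in for the public-key signature a real key produces, and example.com / examp1e.com are constructed names.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlsplit

class HardwareKey:
    """Toy authenticator: one secret per site, kept inside the object."""
    def __init__(self):
        self._creds = {}  # rpId -> device secret; never handed out
    def register(self, rp_id):
        secret = self._creds[rp_id] = secrets.token_bytes(32)
        # Hypothetical stand-in for the public key: the site gets a checker, not the secret.
        return lambda msg, sig: hmac.compare_digest(hmac.new(secret, msg, "sha256").digest(), sig)
    def get_assertion(self, rp_id, client_data_hash):
        secret = self._creds.get(rp_id)
        if secret is None:
            return None  # no credential for this address: the key stays silent
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # what authenticatorData carries
        return rp_id_hash, hmac.new(secret, rp_id_hash + client_data_hash, "sha256").digest()

def browser_get_assertion(key, origin, rp_id, challenge):
    """Browser's role: reject an rpId the calling origin is not entitled to."""
    host = urlsplit(origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"{origin} may not use rpId {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    return key.get_assertion(rp_id, hashlib.sha256(client_data).digest()), client_data

def rp_verify(rp_id, origin, challenge, verify, client_data, assertion):
    """Site's role: accept only an answer bound to its own origin and challenge."""
    if assertion is None:
        return False
    cd, (rp_id_hash, sig) = json.loads(client_data), assertion
    return ((cd["type"], cd["challenge"], cd["origin"]) == ("webauthn.get", challenge, origin)
            and rp_id_hash == hashlib.sha256(rp_id.encode()).digest()
            and verify(rp_id_hash + hashlib.sha256(client_data).digest(), sig))

def demo():
    key = HardwareKey()
    verify = key.register("example.com")  # constructed relying party
    challenge = secrets.token_urlsafe(32)
    assertion, cd = browser_get_assertion(key, "https://example.com", "example.com", challenge)
    genuine = rp_verify("example.com", "https://example.com", challenge, verify, cd, assertion)
    try:  # lookalike relays the real rpId: the browser refuses before the key is asked
        browser_get_assertion(key, "https://examp1e.com", "example.com", challenge)
        relayed = "answered"
    except ValueError:
        relayed = "refused"
    # lookalike uses its own address: the key has no credential for it and stays silent
    own, _ = browser_get_assertion(key, "https://examp1e.com", "examp1e.com", challenge)
    return genuine, relayed, own
```

`demo()` returns `(True, "refused", None)`: the real site gets a valid answer, while the lookalike is refused by the browser or left unanswered by the key, so it never holds anything the real site would accept.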

Not All Multi-Factor Is Equal

It is tempting to treat every second factor as the same upgrade. They are not. NSM, the national security authority, draws a clear line between phishing-resistant multi-factor authentication and weaker forms, and recommends the stronger category specifically against phishing and account takeover. [1]

The distinction is practical, not academic. A code in a text message can be read aloud to a convincing caller. A push notification can be approved by a tired person tapping to make their phone stop buzzing. A hardware key has no code to share and no prompt to approve by reflex. It holds precisely when someone is actively trying to trick a person, which is the only moment the control was ever for.

The Safer Way Is Also the Faster Way

The usual assumption is that stronger security costs the user time. Here it is the reverse. Microsoft has reported that passkey sign-ins are "eight times faster than a password and multifactor authentication." [2] There is no password to recall, no code to wait for, no app to open. You tap the key, and you are in.

The stronger method is also the quicker one. For once, the safer way and the easier way are the same way.

That matters beyond convenience. A control people find slow is a control people work around. One they find faster is one that survives contact with a busy week.

Norwegians Already Hold One

None of this is foreign to Norway. The FIDO Alliance describes BankID, used by about 4.7 million people, roughly 97 percent of the country, as part of the same move toward passkey-based authentication. [3] The idea that you prove who you are with a possession rather than a recited secret is already how the country banks, signs, and identifies itself.

So the change we propose is smaller than it sounds. It is not a new habit. It is the habit Norwegians already trust for their most sensitive business, carried over to the rest of the doors a firm runs on.

What a Key Does, and What It Does Not

A hardware key is precise about its job, and it is worth being equally precise in return. It removes one important and common class of failure: the phishing of a login, where a stolen or surrendered credential lets a stranger in. In an environment built on email, identity, and trust, that is a large share of the risk, and closing it is rational on its own.

It is not a single fix for everything. A key does not stop a person from being talked into wiring money to the wrong account, and it does not stop a malicious attachment from being opened. Those need their own guards. The honest claim is the narrow one, and the narrow one is still strong. The key takes the most common way in off the table, so the work that remains is smaller and clearer.

It removes the most common way in. It does not pretend to remove them all.

Sources

Every figure and quotation above is tied to a named public source, listed here so any claim can be checked.

  1. Nasjonal sikkerhetsmyndighet (NSM). Flerfaktorautentisering. Thematic report. https://nsm.no/getfile.php/1314181-1734004986/NSM/Filer/Dokumenter/Rapporter/NSM%20Flerfaktorautentisering%20temarapport.pdf
  2. Microsoft. Pushing passkeys forward: Microsoft's latest updates for simpler, safer sign-ins. 30 April 2025. https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/
  3. FIDO Alliance. How BankID Norway Unifies Passkeys and Biometric Liveness. 9 March 2026. https://fidoalliance.org/fido-webinar-the-spectrum-of-authentication-how-bankid-norway-unifies-passkeys-biometric-liveness/

Zero One Security, Field Guide. Published by Zero One Labs. Set in Family and Söhne. Copyright Zero One Labs, 2026.