A security researcher identified a vulnerability in passkey implementations by major software providers that allows cybercriminals to bypass passkey security on various platforms using Adversary-in-the-Middle (AitM) phishing attacks.
The researcher plans to explain how passkeys function, how attackers are currently exploiting this security hole, and steps software providers and websites can take to strengthen their passkey implementation against these threats.
Passkeys are the software counterpart of FIDO2 hardware security keys: a credential stored on a device in a secure enclave or in a password manager. They provide strong authentication by cryptographically signing a challenge from the website to prove the user's identity. Unlike passwords, passkeys are phishing-resistant because the exchange authenticates both the user and the website.
Although passkeys are built on the WebAuthn protocol, accounts protected by them can still be phished if the website offers less secure backup authentication methods alongside the passkey.
Attackers can manipulate the login page to hide the passkey option and trick users into using the weaker backup method instead.
Using the Evilginx AitM toolkit to proxy the genuine GitHub login page and manipulating its phishlet configuration, attackers trick users into entering credentials, which the proxy then captures.
Even with passkeys as a second factor, attackers can exploit fallback methods, if available, to gain persistent access to compromised accounts.
Attackers bypass passkey authentication by rewriting the page's HTML or injecting JavaScript to manipulate the login form so that alternative authentication methods are exposed; this lets them capture credentials even when a second factor is in use.
When the passkey is only the second factor, attackers have already collected the username, password, and phone number by the time it is reached, which may enable password-spray attacks against the victim's other accounts. Removing a passkey without adding another factor leaves the account vulnerable to future takeovers.
Researchers at eSentire’s Threat Response Unit (TRU) found that many passkey implementations are vulnerable to authentication method redaction attacks, an AitM technique in which the attacker hides the passkey option from the login form, forcing users to fall back on less secure methods such as passwords.
Although Microsoft provides a “passwordless” option, it still relies on the Microsoft Authenticator app, which an AitM attack can compromise.
Enterprise IAM solutions can defend against AitM with stricter login policies, though the challenge is balancing security against account recovery. Password managers can help with password backup but introduce security risks of their own.
Common backup verification methods such as passwords, security questions, and push notifications are susceptible to account takeover through AitM attacks because they are completed within the already compromised session.
One-time codes can also be intercepted. Social recovery and KYC verification are more secure against AitM if conducted outside the compromised session, but they are cumbersome.
Magic links offer improved security if they initiate new sessions instead of reinforcing compromised ones, while the most secure method is a second passkey or FIDO2 hardware key, which bypasses the compromised session entirely.
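As an added example that is not part of the original article or of eSentire's research, the following Python sketches the relying-party checks these recommendations imply: origin binding that makes a passkey assertion relayed through a proxy fail, withholding weaker fallbacks once a phishing-resistant credential is enrolled, and magic links that mint a new session rather than upgrading the one that requested them. The origin, RP ID, method names and in-memory session store are constructed assumptions.

```python
import base64, hashlib, json, secrets

EXPECTED_ORIGIN = "https://login.example.com"  # assumed RP origin (constructed)
RP_ID = "login.example.com"                    # assumed RP ID (constructed)
PHISHING_RESISTANT = {"passkey", "fido2_key"}  # hypothetical method names

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_side(origin, challenge, rp_id=RP_ID):
    """Simulates what the browser returns: clientDataJSON names the origin the page
    was really loaded from; authenticatorData starts with SHA-256(RP ID) + flags."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge), "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"  # flags: UP | UV
    return b64url_encode(client_data.encode()), auth_data

def check_assertion(client_data_b64, auth_data, expected_challenge):
    """Origin-binding checks the relying party runs before signature verification.
    A login relayed through a phishing proxy carries the proxy's origin, so it fails."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return "challenge mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"

def offered_methods(enrolled):
    """Withhold weaker fallbacks once a phishing-resistant credential is enrolled."""
    strong = set(enrolled) & PHISHING_RESISTANT
    return strong if strong else set(enrolled)

def redeem_magic_link(sessions, requesting_session, token, tokens):
    """A magic link mints a fresh session instead of upgrading the one that requested
    it, so a session relayed by an AitM proxy never becomes authenticated."""
    user = tokens.pop(token, None)
    if user is None:
        return None
    sessions.pop(requesting_session, None)  # the requesting (possibly proxied) session gets nothing
    new_id = secrets.token_urlsafe(16)
    sessions[new_id] = {"user": user, "authenticated": True}
    return new_id
```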