Passkeys Aren't Foolproof: New Study Reveals Vulnerabilities in Popular Authentication Method

While passkeys offer a promising alternative to traditional passwords, their current implementation can leave accounts vulnerable.


Despite their growing popularity, passkeys are not as secure as many believe. According to Joe Stewart, principal security researcher at eSentire's Threat Response Unit (TRU), many online accounts using passkeys can still fall victim to adversary-in-the-middle (AitM) attacks. This issue stems not from the passkeys themselves but from their implementation and the need for account recovery options. Passkeys, a password-less authentication method, aim to provide secure access to online accounts like banking, e-commerce, and social media. 

However, an eSentire study found that poor implementation of passkeys, such as less secure backup authentication methods, allows AitM attacks to bypass this security. In these attacks, the adversary modifies the login prompts shown to users, controlling the authentication flow by altering the HTML, CSS, images, or JavaScript on the login page. 

This manipulation can make the passkey option disappear, tricking users into using less secure backup methods like passwords. Stewart's research demonstrated how open-source AitM software, like Evilginx, can deceive users of services like GitHub, Microsoft, and Google. By slightly modifying scripts (phishlets) that capture authentication tokens and session cookies from real login pages, attackers can make users believe they are on the genuine site. 

The attacker then captures the user's credentials and authentication tokens, allowing them to maintain access to the account. The study highlights that most passkey implementations are vulnerable to similar attacks. Backup methods such as passwords, security questions, SMS codes, and email verifications are prone to AitM attacks. Only methods like social trusted contacts recovery, KYC verification, and magic links offer better protection, though they can be cumbersome. 

To enhance security, Stewart recommends registering multiple passkeys, including a FIDO2 hardware key protected by a PIN. As passkey adoption grows, magic links remain a secure backup method for account recovery in case of passkey loss or AitM attacks. Users and developers must adopt stronger backup methods and remain vigilant against AitM attacks.
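The two points above, that a passkey assertion is bound to the origin the browser actually talked to while relayable fallbacks are not, can be enforced on the relying-party side. The following is an added example, not code from the article or from eSentire; the origins, the fallback method names and the clientDataJSON sample are all constructed for illustration, and signature verification of the assertion is left out.

```python
import base64
import json

# Constructed for this example: the site's real origin and the origin of a
# hypothetical AitM reverse proxy that relays the login page to the victim.
RP_ORIGIN = "https://accounts.example.com"
PROXY_ORIGIN = "https://accounts-example.com.evil.example"

# Recovery methods named in the article, grouped by whether an AitM proxy can
# relay them. Passwords, security questions, SMS and e-mailed codes are typed
# into whatever page the user is looking at; a magic link is opened from the
# user's mailbox and lands on the real origin.
RELAYABLE_FALLBACKS = {"password", "security_question", "sms_code", "email_code"}
ALLOWED_FALLBACKS = {"magic_link"}


def passkey_origin_ok(client_data_json_b64: str) -> bool:
    """Check the origin recorded in a WebAuthn clientDataJSON.

    The browser, not the page script, fills in the origin of the page that
    called navigator.credentials.get(), so an assertion produced on a proxy
    domain carries the proxy's origin and fails this check.
    """
    padded = client_data_json_b64 + "=" * (-len(client_data_json_b64) % 4)
    client_data = json.loads(base64.urlsafe_b64decode(padded))
    return (client_data.get("type") == "webauthn.get"
            and client_data.get("origin") == RP_ORIGIN)


def fallback_allowed(account_has_passkey: bool, method: str) -> bool:
    """Decide whether a non-passkey login or recovery method may be used.

    An account that has registered a passkey may not be downgraded to a
    relayable method; only a magic link is accepted for recovery.
    """
    if not account_has_passkey:
        return method in RELAYABLE_FALLBACKS | ALLOWED_FALLBACKS
    return method in ALLOWED_FALLBACKS


def make_client_data(origin: str) -> str:
    """Build a minimal clientDataJSON (constructed sample) as a browser encodes it."""
    data = {"type": "webauthn.get", "challenge": "c2FtcGxlLWNoYWxsZW5nZQ", "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


if __name__ == "__main__":
    print("genuine origin accepted:", passkey_origin_ok(make_client_data(RP_ORIGIN)))
    print("proxy origin accepted:", passkey_origin_ok(make_client_data(PROXY_ORIGIN)))
    print("password fallback with passkey registered:", fallback_allowed(True, "password"))
```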