Adversary-in-the-Middle attacks can subvert passkey protections

Backup authentication methods leave passkey-protected accounts exposed to adversary-in-the-middle attacks.

The protections that passkey authentication provides can still be subverted by attackers.

Passkeys are a software-based alternative to the physical hardware tokens (such as a YubiKey) that companies sometimes use for authentication. They have become an increasingly popular and promising form of user authentication. When implemented correctly, passkeys are more convenient and more secure than many multi-factor authentication methods. However, the need for backup verification methods can still leave accounts susceptible to adversary-in-the-middle (AitM) attacks.

An AitM phishing attack lets the attacker control a user's login session and manipulate the HTML to change the appearance of the login screen. To subvert the passkey protection, the attacker can remove the option to authenticate via passkey and force the user to authenticate via a backup method. Most backup verification methods are vulnerable to AitM attacks because the code or password is entered in the attacker-controlled session, where the attacker can capture the user's credentials.

The option to use a less secure backup method of authentication can be a practical necessity for most organizations in case devices get lost or reset. Given that constraint, passkeys do not fully eliminate the vulnerability to AitM attacks.

Still, organizations can take measures to reduce this risk. One potential method is using conditional access policies to allow login only via compliant devices, but not every organization’s infrastructure will accommodate this configuration. The most secure method is to have users set up a second set of passkeys as the backup authentication method, but this may prove challenging to implement given users’ lack of familiarity with passkeys.

Magic links are likely the most user-friendly and protective backup verification method currently available. A magic link is resistant to AitM attacks because it has the user "break out" of the attacker-controlled session and start a new login session without attacker interference. Organizations can bolster the security of magic links with additional controls, such as allowing login only from previously authenticated IP addresses.
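The article's two recommendations (a second passkey as the preferred backup, and a magic link that can only be redeemed from a previously authenticated IP address) sketched as relying-party policy logic. This is an added example, not the authors' code; the User and MagicLink types, the 10-minute link lifetime and the sample IP addresses are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed example of a relying party's backup-authentication policy.
# All names here are hypothetical; nothing is taken from a real product.

MAGIC_LINK_TTL = 600  # assumed lifetime of a magic link, in seconds


@dataclass
class User:
    name: str
    passkeys: int                                 # number of registered passkeys
    known_ips: set = field(default_factory=set)   # IPs seen on prior successful logins


@dataclass
class MagicLink:
    user: str
    token_hash: bytes   # only the hash is stored server-side
    expires: float
    used: bool = False


def backup_methods(user: User) -> list:
    """Backup methods offered when the passkey ceremony is unavailable.
    OTP and password fallbacks are deliberately excluded: they are typed into
    the attacker-controlled session. A second passkey is preferred if enrolled."""
    methods = ["magic_link"]
    if user.passkeys >= 2:
        methods.insert(0, "passkey")
    return methods


def issue_magic_link(user: User, now: float = None) -> tuple:
    """Create a single-use token; return (token for the e-mail, server record)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).digest()
    return token, MagicLink(user.name, digest, now + MAGIC_LINK_TTL)


def redeem_magic_link(link: MagicLink, token: str, user: User,
                      client_ip: str, now: float = None) -> bool:
    """Accept only an unused, unexpired, matching token presented from an IP
    that a previous authenticated session of this user has already used."""
    now = time.time() if now is None else now
    if link.used or now > link.expires or link.user != user.name:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(link.token_hash, presented):
        return False
    if client_ip not in user.known_ips:
        return False      # redemption attempted from an unfamiliar network
    link.used = True      # burn the link so it cannot be replayed
    return True
```

Because the browser redeems the link directly with the real site, the redemption request never passes through the attacker's session, and the IP check rejects redemption attempts relayed from an unfamiliar network.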

Ultimately, each organization will need to find an appropriate balance between resisting AitM attacks and promoting a user-friendly experience.


Authored by Nathan Salminen and Soojin Jeong.


Summer associate Zeke Tobin contributed to this article.



This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
