Passkeys provide a secure, phish-fighting, passwordless authentication mechanism—as long as it doesn’t get erased from a phony login page.
Researchers from cybersecurity firm eSentire demonstrated how attackers can use an “adversary in the middle” (AitM) attack to present familiar login pages, with the passkey option deleted—leaving any unaware end-users to go with familiar, less secure login options like passwords, which can then be scooped up by middling threat actors.
“The effort required is trivial. I absolutely think that [threat actors] will try this. And probably the only reason they’re not already doing this is because passkeys are still new,” Joe Stewart, principal security researcher at eSentire, told IT Brew.
But first, what’s a passkey? The passkey acts as a virtual hardware key—a credential that a remote attacker cannot obtain, since it’s a private key stored on the device itself.
The passkey helps to defend against AitM attacks—tactics that involve the creation of replica, fraudulent sites (on unofficial domains) that allow threat actors to intercept login credentials. The AitM phishing attack has been automated, thanks to available tools like Evilginx2, Modlishka, and Muraena.
A passkey keeps intruders from getting in the middle of everything; Stewart notes in a recent eSentire report that the digital mechanism is an important safeguard against AitM attacks. With a passkey, the private key credential stored on the device must correspond with the true domain’s public key. A phishy domain gets rejected.
But Stewart revealed a new take on the AitM attack: get the option outta there.
Using the Evilginx phishing kit, Stewart demo’d how to manipulate the presented login page as it is proxied through to the end user, by modifying HTML or using injected JavaScript. The “sign-in with a passkey” option can be eliminated.
“Nothing pops up and suggests that there even is an option to log in with a passkey,” Stewart said.
Published on June 27, the report used GitHub’s login (which offers the passkey option) as an example, adding that users who don’t see the passkey option will most likely go with the other visible choice: username and password, “which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account.”
A mitigation Stewart recommends: Provide backup authentication mechanisms that exist outside of the compromised adversary-in-the-middle exchange—a link sent to an email, for example, which sends users to the proper domain.
An independent survey of 2,000 consumers in the US and UK, commissioned by the industry body and passwordless advocates known as FIDO Alliance, found that 53% of respondents have enabled passkeys on at least one of their accounts, with 22% enabling them on every account they possibly can.
“I think these attacks are almost a byproduct of our success and momentum,” Andrew Shikiar, executive director and CEO of the FIDO Alliance, told IT Brew, adding that eSentire’s demonstrated tactic is not one against the passkey security model itself.
Shikiar, too, advised IT pros to offer additional account-recovery options beyond the password, including facial verification. With passkeys, the FIDO pro also sees a strength in numbers.
“As you rely more on passkeys instead of passwords for signup and for recovery, then all of a sudden the knowledge-based recovery option, and backdoor that hackers take advantage of, goes away,” Shikiar said.