
Passkeys aren’t attack-proof, not until properly implemented

csoonline.com 2 days ago

Most software and IT services that have adopted passkeys remain exposed to adversary-in-the-middle (AitM) attacks because they keep offering less secure backup sign-in methods that an attacker can steer users toward.


Passkeys, a passwordless technology for authenticating users to websites and applications, may still be vulnerable to adversary-in-the-middle (AitM) attacks despite their growing popularity, according to an eSentire study.

The weakness is not in the passkey itself but in how it is deployed. When a service keeps a less secure backup method, such as a password, an AitM proxy can rewrite the login page as it relays it to the victim, remove the passkey prompt, and steer the user into the phishable fallback.

“In the case where passkeys are used as a first-factor authentication method only, the downgraded authentication flow is now vulnerable to AitM,” Joe Stewart, principal security researcher at eSentire’s Threat Response Unit (TRU), said in the blog post. “Since the AitM can manipulate the view presented to the user by modifying HTML, CSS, and images or JavaScript in the login page, as it is proxied through to the end user, they can control the authentication flow and remove all references to passkey authentication.”

The finding means that accounts believed to be safer behind passwordless passkey authentication, such as those on banking, e-commerce, social media, cloud, and software development platforms, can still be broken into.

Passkey redaction for GitHub, Microsoft access

In detailed proofs of concept, Stewart showed in the blog that open-source AitM proxy software such as Evilginx can be used to phish users of popular services including GitHub, Microsoft, and Google.

Phishlets, the per-site configuration files that tell Evilginx which hosts to proxy and which credentials, authentication tokens, and session cookies to capture from the real login page, need only a small "redaction" (an edit to the text the proxied page displays) to trick users out of passkey authentication.

“We used the standard GitHub phishlet that can be found in various user repositories on GitHub itself,” Stewart said. “When the targeted user visits the lure URL, other than the hostname in the URL bar, what they will see looks just like the normal GitHub login page, because it is the actual GitHub login page, just proxied through Evilginx.”

“However, by slightly modifying the standard phishlet configuration, we can remove the ‘Sign in with a passkey’ text,” Stewart added, demonstrating how easily a user can be tricked into choosing the backup, password-based authentication.

The study noted that these attacks work whether passkeys are used as the first factor or as a second factor. “Unless the user specifically remembers that they should see a passkey option, they will most likely simply enter their username and password, which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account,” Stewart added.

Most passkey implementations listed on passkeys.directory are vulnerable to similar authentication method redaction attacks, according to Stewart.
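To make the mechanism concrete, here is an added example, not code from eSentire's study or from CSO. It is a minimal relying-party (RP) login policy that shows the two points above: a passkey assertion carries the origin the browser actually saw, so a proxy on a look-alike host cannot relay a passkey login to the real service; and if the service also accepts a password for a passkey-enrolled account, the proxy only has to hide the passkey option, whereas refusing that fallback for such accounts closes the downgrade path. All origins, account names, credential ids, passwords and clientDataJSON blobs are constructed for the demo, and the signature check over authenticatorData || SHA-256(clientDataJSON) is omitted to keep the focus on the origin check and the fallback policy (a real RP must perform it). In practice the browser on the look-alike domain would refuse to use the passkey at all because the RP ID does not match; the server-side origin check shown here is the second line of defence.

```python
"""Added example (not eSentire's or CSO's code): RP login policy vs. AitM downgrade."""
import base64
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example.com"      # assumed real RP origin
PHISH_ORIGIN = "https://login-example.com"   # assumed AitM proxy origin


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


# Constructed account store. 'fallback' is the RP's policy for the account:
#   "password"     -> passkey preferred, but a password is still accepted (phishable)
#   "passkey_only" -> only an enrolled passkey (ideally more than one) signs in
_SALT = b"demo-salt"
ACCOUNTS = {
    "alice": {"credential_ids": {"cred-alice-1"}, "fallback": "password",
              "password_hash": _hash_password("correct horse", _SALT)},
    "bob": {"credential_ids": {"cred-bob-1", "cred-bob-hwkey"}, "fallback": "passkey_only",
            "password_hash": _hash_password("battery staple", _SALT)},
}


def make_client_data(origin: str, challenge: bytes) -> str:
    """Browser side: the clientDataJSON a WebAuthn client produces for a get() call."""
    doc = {"type": "webauthn.get", "challenge": _b64url_encode(challenge), "origin": origin}
    return _b64url_encode(json.dumps(doc).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> str:
    """RP side: returns 'ok' or the reason the assertion is rejected."""
    try:
        doc = json.loads(_b64url_decode(client_data_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "malformed_client_data"
    if not isinstance(doc, dict) or doc.get("type") != "webauthn.get":
        return "wrong_type"
    if not hmac.compare_digest(_b64url_decode(str(doc.get("challenge", ""))), expected_challenge):
        return "challenge_mismatch"
    if doc.get("origin") != RP_ORIGIN:
        return "origin_mismatch"  # the assertion was produced on another site
    return "ok"


def authenticate(username: str, attempt: dict, challenge: bytes) -> dict:
    """Apply the RP policy to one login attempt and report what happened."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"granted": False, "reason": "unknown_user"}
    method = attempt.get("method")
    if method == "passkey":
        reason = verify_client_data(attempt.get("clientDataJSON", ""), challenge)
        if reason != "ok":
            return {"granted": False, "reason": reason}
        if attempt.get("credentialId") not in acct["credential_ids"]:
            return {"granted": False, "reason": "unknown_credential"}
        return {"granted": True, "reason": "passkey"}
    if method == "password":
        if acct["credential_ids"] and acct["fallback"] == "passkey_only":
            # The downgrade the article describes: the proxied page hid the passkey
            # option, so the user typed a password. Refuse (and alert) instead of falling back.
            return {"granted": False, "reason": "downgrade_refused"}
        candidate = _hash_password(attempt.get("password", ""), _SALT)
        if hmac.compare_digest(candidate, acct["password_hash"]):
            return {"granted": True, "reason": "password_fallback"}  # phishable path
        return {"granted": False, "reason": "bad_password"}
    return {"granted": False, "reason": "unsupported_method"}


if __name__ == "__main__":
    ch = os.urandom(32)
    legit = {"method": "passkey", "credentialId": "cred-alice-1",
             "clientDataJSON": make_client_data(RP_ORIGIN, ch)}
    relayed = {"method": "passkey", "credentialId": "cred-alice-1",
               "clientDataJSON": make_client_data(PHISH_ORIGIN, ch)}
    print("alice, passkey on real origin:   ", authenticate("alice", legit, ch))
    print("alice, passkey via proxy origin: ", authenticate("alice", relayed, ch))
    print("alice, password after redaction: ",
          authenticate("alice", {"method": "password", "password": "correct horse"}, ch))
    print("bob,   password after redaction: ",
          authenticate("bob", {"method": "password", "password": "battery staple"}, ch))
```

Running the block shows the asymmetry the study points to: the relayed passkey attempt fails on origin, while alice's password fallback succeeds and would hand the proxy her credentials and session token. Bob's account, which enrolls two passkeys (one on a hardware key) and refuses password fallback, turns the same redaction attack into a logged "downgrade_refused" event worth alerting on.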

Multiple passkeys can round out implementation

The study further emphasized that almost all backup authentication methods (the fallback and recovery options offered alongside passkeys) are prone to AitM attacks. These include passwords, security questions, push notifications to trusted devices, social trusted-contacts recovery, one-time codes over SMS, email or phone, KYC/document verification, and magic links sent to a pre-registered email address or phone number.

Among these, only social trusted-contacts recovery, KYC verification, and magic links can withstand an AitM, and even then only with settings that are cumbersome for users.

A second passkey or FIDO2 hardware key is the most secure method. “Obviously, having multiple passkeys is the direction we should steer computer users, especially if at least one is a hardware key safely stored and secured by a PIN,” Stewart said. “But given that passkey adoption is still early, of the remaining methods, the magic link is probably the most secure method to recover an account in the case of passkey/security key loss or AitM authentication flow manipulation.”
