Passkeys have been promoted as a phishing-resistant way to protect online accounts. However, recent findings by Joe Stewart, a principal security researcher with eSentire's Threat Response Unit (TRU), show that the way many sites deploy passkeys, in particular the fallback login and recovery paths built around them, can still leave users' accounts open to compromise.
Stewart's research centers on adversary-in-the-middle (AitM) attacks, which can bypass passkey authentication on banking, e-commerce, social media and other platforms. Rather than attacking the passkey itself, the attacker's proxy rewrites the login interface so that the passkey option is never presented; the user falls back to a weaker method such as a password, and the proxy intercepts those credentials to gain unauthorized access to the account.
In a proof-of-concept demonstration, Stewart showed how the open-source Evilginx AitM toolkit could alter the GitHub login page, hiding the passkey authentication option and steering users toward less secure login methods. A user who does not notice the missing option unwittingly discloses their credentials to the attacker, putting the account at risk of compromise.
Even when a passkey is used only as a second factor, the login is not immune to AitM attacks. By rewriting the HTML of the login page or injecting JavaScript, the attacker removes the passkey step from the flow and captures the credentials and tokens the user submits instead. This is a flaw in how passkeys are deployed rather than in the passkey protocol, and it poses a significant risk to users across many platforms.
Stewart stressed that these weaknesses are not inherent to passkeys but stem from a lack of awareness and maturity around how they are deployed. Users rarely have the knowledge to recognize a manipulated login page, and implementers may not fully appreciate how AitM attacks work. In addition, every site must offer account recovery for a lost passkey or stolen device, and those recovery paths give attackers further weak points to exploit.
To close these gaps, Stewart proposed more secure account recovery methods such as magic links, which are delivered out of band and point directly at the real site, so the user is taken off whatever page the attacker is proxying. He also recommended additional controls such as one-time links with short timeouts and restricting logins to IP addresses that have already authenticated.
Some vendors have expressed openness to new approaches for mitigating AitM attacks, but wide adoption of stronger authentication methods remains a challenge. Stewart called for better user education on passkeys and recommended registering multiple passkeys so that losing one does not lock the user out of the account.
Enterprises can strengthen their defenses against passkey redaction attacks by using hardware-based keys, enforcing complex and unique fallback passwords, and configuring conditional access policies that block proxied logins. Addressing these weaknesses proactively and promoting more secure authentication practices lets organizations better protect their users from these threats.
In conclusion, the discovery of these weaknesses in passkey deployments underlines the need for continuous vigilance and improvement in authentication practices. As threats evolve, stakeholders must keep implementing robust measures to safeguard users' sensitive information and prevent unauthorized access to accounts.