Security Bypass: Passkey

Recently, many online services (banks, online stores, social networks and software-development platforms) have begun offering passkeys to protect accounts in place of traditional passwords.

A passkey is a FIDO2/WebAuthn credential: a public/private key pair whose private key stays on the user's device (or in its synced credential store) while the service holds only the public key. Unlike an ordinary password, a passkey cannot be guessed, reused across sites or replayed, because each one is generated for a specific account and relying party and the authenticator signs a fresh server challenge on every login. Passkeys are also phishing-resistant: the browser binds each credential to the site (relying party ID and origin) that registered it, so a look-alike domain cannot obtain a signature that the real site will accept.

However, according to Joe Stuart of Esentire, these properties do not by themselves stop adversary-in-the-middle (AitM) attacks, which sidestep passkey authentication rather than break it.

The weakness lies not in passkeys themselves but in how sites deploy them and in the additional authentication options that accompany them. Most services keep less secure sign-in and recovery methods (password, SMS or email codes, authenticator-app OTPs) available in case the passkey or the device holding it is lost, and those fallback methods remain phishable.

An AitM attacker exploits this by, for instance, rewriting the login screen of the targeted service so that the passkey option is never shown, steering the user into one of the weaker methods instead.

In an AitM attack the attacker places a reverse proxy between the user and the legitimate site the user is trying to reach. Because the proxy serves the pages, it can modify the HTML, CSS and JavaScript of the login page in transit, remove any mention of passkeys, and leave only the fallback options whose credentials (a password, a one-time code) can be captured and relayed. The passkey itself would not survive the proxy, since the browser binds the assertion to the proxy's origin rather than the real site's; that is precisely why the attacker removes the option instead of trying to relay it.

Stuart cited Evilginx as a real-world example. This reverse-proxy phishing framework already defeats many protections, including two-factor authentication (2FA), by capturing the session cookie issued after a successful login and replaying it. The same tooling can be pointed at passkey-enabled sites to carry out the downgrade described above in targeted attacks, which makes it a serious threat to online security.
