Understanding Passkeys and Adversary-in-the-Middle (AitM) Phishing Attacks

As digital security evolves, so do the tactics of cybercriminals. Despite advancements in authentication technologies, vulnerabilities still exist. One such vulnerability is the exploitation of passkeys via Adversary-in-the-Middle (AitM) phishing attacks.

The Rise of Passkeys

Passkeys, hailed as the next step in authentication technology, are intended to replace traditional passwords. They use cryptographic keys stored on a user’s device, offering a more secure and user-friendly experience. Major tech companies have begun integrating passkeys into their systems to enhance security.

AitM Phishing Attacks Explained

AitM phishing attacks are a sophisticated form of cyber attack where an adversary intercepts and manipulates the communication between a user and a legitimate service. This type of attack can undermine the security of passkeys by exploiting weaknesses in the authentication flow.

How Attackers Exploit Passkeys

Attackers can rewrite the proxied login page so that the passkey option never appears, forcing users to fall back on less secure authentication methods. Using tools like Evilginx, an open-source Man-in-the-Middle (MitM) tool, they bypass passkey protections not by breaking the passkey itself but by capturing the fallback credentials and the resulting access tokens as they pass through the proxy, even when passkeys are used as a second factor.

Challenges with Passkey Implementation

  1. User Familiarity: Many users are still unfamiliar with passkeys and rely on insecure backup options.
  2. Fallback Mechanisms: Insecure fallback authentication methods can compromise the overall security of passkey systems.
  3. Account Recovery: Ensuring secure account recovery mechanisms without compromising passkey integrity is challenging.

Strengthening Passkey Systems

To enhance the security of passkey implementations, consider the following recommendations:

  • Design Authentication Flows with AitM Awareness: Ensure that the authentication process accounts for potential AitM attacks.
  • Treat All Login Sessions as Potentially Compromised: Grant a session no more trust than the method that established it, and keep monitoring sessions after login rather than relying on the login ceremony alone.
  • Red Team Testing: Regularly test authentication flows using tools like Evilginx to identify and mitigate vulnerabilities.
  • Encourage Multiple Passkey Registrations: Allow users to register multiple passkeys to enhance security.
  • Offer Passwordless Options: Provide sufficient passkey support so that users can transition smoothly to passwordless authentication without depending on password fallbacks.
  • Balance User Experience and Security: Strive for a balance between user convenience and robust security measures.
  • Implement UEBA: Use User and Entity Behavior Analytics (UEBA) to detect anomalies and potential phishing activities.
  • 24/7 MDR: Employ Managed Detection and Response (MDR) services for continuous threat monitoring and mitigation.
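The attack described above works because the passkey option is stripped and the user falls back to a weaker method; the two defender-side checks below are an added illustration, not code from the article or from any product it names. The first is the relying-party side of a WebAuthn assertion check (origin, challenge and rpIdHash, with signature verification omitted), which is what makes a relayed passkey ceremony fail; the second is a post-login policy that treats a fallback login on a passkey-enabled account as suspect. RP_ID, RP_ORIGIN and the sample ceremony data are assumed values constructed for the example.

```python
import base64
import hashlib
import json
import os

RP_ID = "example.com"                    # assumed relying-party id
RP_ORIGIN = "https://login.example.com"  # assumed legitimate login origin

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def assertion_problems(client_data_json: str, auth_data: bytes, expected_challenge: bytes) -> list:
    """Return the reasons an assertion must be rejected (empty list means the checks pass).
    Signature verification over authData || sha256(clientDataJSON) is omitted; shown here are
    the checks that defeat a relayed ceremony: the browser records the origin the user really
    visited in clientDataJSON, so a page served through an AitM proxy cannot match RP_ORIGIN."""
    cd = json.loads(unb64url(client_data_json))
    problems = []
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    if unb64url(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge")
    if cd.get("origin") != RP_ORIGIN:
        problems.append("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash")
    return problems

def classify_session(has_passkey: bool, method: str) -> dict:
    """Post-login policy: a fallback login on an account that has a passkey registered is the
    pattern left behind when the passkey option was stripped from the page, so the session gets
    a short lifetime and a review flag instead of the trust given to a passkey login."""
    if method == "passkey":
        return {"risk": "low", "ttl_min": 480, "review": False}
    if has_passkey:
        return {"risk": "high", "ttl_min": 15, "review": True}
    return {"risk": "medium", "ttl_min": 60, "review": False}

# Constructed sample ceremony data (not captured from any real system).
CHALLENGE = os.urandom(32)
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x07"

def client_data_for(origin: str) -> str:
    return b64url(json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": origin}).encode())
```

Feeding client data built for any origin other than RP_ORIGIN returns ["origin"], and a password login on an account with a passkey registered comes back as high risk with a review flag.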

Conclusion

While passkeys represent a significant advancement in authentication technology, their security is not foolproof. Adversaries can exploit weaknesses through AitM phishing attacks. It is crucial for organizations to implement robust security measures, educate users, and continually test and improve their authentication systems to mitigate these risks effectively.