Almost all software and IT service authentications that implement passkeys are open to AitM attacks because they offer less secure backup options.

Passkey, a password-less technology for authenticating user access to cloud-hosted applications, may still be vulnerable to adversary-in-the-middle (AitM) attacks despite its massive popularity, according to an eSentire study.

Poor implementation of passkeys, such as offering less secure backup authentication methods, can let an AitM attacker bypass the authentication flow by modifying the prompts shown to users.

“In the case where passkeys are used as a first-factor authentication method only, the downgraded authentication flow is now vulnerable to AitM,” Joe Stewart, principal security researcher at eSentire’s Threat Response Unit (TRU), said in the blog post. “Since the AitM can manipulate the view presented to the user by modifying HTML, CSS, and images or JavaScript in the login page, as it is proxied through to the end user, they can control the authentication flow and remove all references to passkey authentication.”

The finding means that accounts believed to be safer behind password-less passkey authentication, such as accounts on banking, e-commerce, social media, cloud, and software development platforms, can still be broken into.

Passkey redaction for GitHub, Microsoft access

Through detailed proofs of concept (PoCs), Stewart showed in the blog post that open-source AitM software such as Evilginx can be used to deceive users of popular IT services including GitHub, Microsoft, and Google. Phishlets, the Evilginx configuration scripts that proxy a real login page so that the attacker can capture authentication tokens and session cookies, can be deployed with a little redaction (editing of the displayed text) to steer users away from passkey authentication.

“We used the standard GitHub phishlet that can be found in various user repositories on GitHub itself,” Stewart said.
“When the targeted user visits the lure URL, other than the hostname in the URL bar, what they will see looks just like the normal GitHub login page, because it is the actual GitHub login page, just proxied through Evilginx.”

“However, by slightly modifying the standard phishlet configuration, we can remove the ‘Sign in with a passkey’ text,” Stewart added, demonstrating how easily a user can be tricked into choosing a backup, password-based authentication method.

The study noted that these attacks can be staged both where passkeys are used as the first factor and where they serve as the second-factor authentication method.

“Unless the user specifically remembers that they should see a passkey option, they will most likely simply enter their username and password, which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account,” Stewart added.

Most passkey implementations listed on passkeys.directory are vulnerable to similar authentication method redaction attacks, according to Stewart.

Multiple passkeys can round out implementation

The study further emphasized that almost all backup authentication methods (those offered alongside passkeys) are prone to AitM attacks. These include passwords, security questions, push notifications to trusted devices, social trusted-contacts recovery, codes sent over SMS, email, or phone, KYC/document verification, and magic links sent to a pre-defined email address or SMS number. Among these, only social trusted-contacts recovery, KYC verification, and magic links can thwart AitM, and only through cumbersome settings. A second passkey or a FIDO2 hardware key is the most secure method.

“Obviously, having multiple passkeys is the direction we should steer computer users, especially if at least one is a hardware key safely stored and secured by a PIN,” Stewart said.
“But given that passkey adoption is still early, of the remaining methods, the magic link is probably the most secure method to recover an account in the case of passkey/security key loss or AitM authentication flow manipulation.”
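The redaction attack described in the GitHub section works because the proxy removes the passkey option rather than attacking the passkey itself: a WebAuthn assertion is bound to the origin the browser actually loaded and to the relying party's ID, so an assertion produced on a proxied look-alike domain fails verification at the real site. The following Python example is added here to illustrate that relying-party check; it is not code from eSentire, Evilginx, or GitHub. The RP ID example.com, the allowed origins, the look-alike domain, and the authenticator data are all constructed for the example, and signature verification is left out.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party settings for this example (not any real site's configuration).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_data(challenge: bytes, origin: str) -> bytes:
    # Shape of the clientDataJSON a browser produces. The browser fills in the origin
    # from the page it really loaded, so a proxy serving the page from its own domain
    # gets an assertion bound to that domain, not to the relying party's.
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def build_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    # authenticatorData layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes):
    """Return (ok, reason) for the origin/challenge/rpId checks of a WebAuthn assertion.

    The signature over authenticatorData || sha256(clientDataJSON) would be checked
    after these steps with the credential's public key; it is omitted in this example.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed for RP"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Verify one assertion from the genuine origin and one from a constructed look-alike domain."""
    challenge = secrets.token_bytes(32)
    auth_data = build_authenticator_data(RP_ID)
    legit = verify_assertion(build_client_data(challenge, "https://example.com"), auth_data, challenge)
    # Constructed look-alike domain standing in for a proxy's lure hostname.
    proxied = verify_assertion(build_client_data(challenge, "https://example-login.net"), auth_data, challenge)
    return legit, proxied


if __name__ == "__main__":
    print(demo())
```

The point for implementers is the second result of demo(): the proxied assertion is rejected on origin before any signature is examined. That is the protection that disappears the moment the login page offers a password fallback the proxy can relay instead.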
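From the defender's side, the practical signal in the backup-method discussion above is a downgrade: an account that has a passkey or hardware key registered nevertheless authenticating successfully with one of the proxiable backup methods. The following Python example, added here and not taken from the eSentire study or any vendor product, groups the backup methods the article lists into tiers, rates each account by its weakest enrolled method, and runs a downgrade detector over constructed JSON login events; the method names, enrollment data, log format, and IP addresses are all assumed for the example.

```python
import json
from collections import defaultdict

# Tiers follow the article's assessment. Method names are assumed labels for this example.
PHISHING_RESISTANT = {"passkey", "fido2_hardware_key"}
# Backup methods an AitM proxy can relay or trigger in real time.
PROXIABLE = {"password", "security_questions", "push_notification",
             "sms_code", "email_code", "phone_code"}
# Recovery paths the article says can thwart AitM, at the cost of cumbersome settings.
OUT_OF_BAND = {"magic_link", "trusted_contacts", "kyc_verification"}

# Constructed enrollment data: which methods each account has registered.
ENROLLMENTS = {
    "alice": {"passkey", "password"},
    "bob": {"passkey", "fido2_hardware_key"},
    "carol": {"password", "sms_code"},
}

# Constructed authentication log, one JSON object per line (not real product output).
LOG_LINES = """\
{"ts":"2024-08-20T09:01:10Z","user":"alice","method":"passkey","result":"success","ip":"198.51.100.7"}
{"ts":"2024-08-20T14:22:43Z","user":"alice","method":"password","result":"success","ip":"203.0.113.55"}
{"ts":"2024-08-20T14:22:50Z","user":"alice","method":"sms_code","result":"success","ip":"203.0.113.55"}
{"ts":"2024-08-20T15:05:00Z","user":"bob","method":"fido2_hardware_key","result":"success","ip":"198.51.100.9"}
{"ts":"2024-08-20T16:40:12Z","user":"carol","method":"password","result":"success","ip":"198.51.100.3"}
"""


def parse_events(text):
    """Parse JSON-per-line events, skipping blank or malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events


def weakest_enrolled_method(methods):
    """An account is only as strong as the most proxiable method it will accept."""
    if methods & PROXIABLE:
        return "proxiable"
    if methods & OUT_OF_BAND:
        return "out_of_band"
    return "phishing_resistant"


def account_posture(enrollments):
    return {user: weakest_enrolled_method(methods) for user, methods in enrollments.items()}


def detect_downgrades(events, enrollments):
    """Flag successful logins where an account holding a phishing-resistant credential
    authenticated with a proxiable method instead. A previously unseen source IP on
    such a login raises the severity, since the proxy's address is what the site sees."""
    alerts = []
    known_ips = defaultdict(set)
    for ev in events:
        user, method, ip = ev.get("user"), ev.get("method"), ev.get("ip")
        if ev.get("result") != "success":
            continue
        enrolled = enrollments.get(user, set())
        if enrolled & PHISHING_RESISTANT and method in PROXIABLE:
            new_ip = ip not in known_ips[user]
            alerts.append({
                "user": user,
                "ts": ev.get("ts"),
                "method": method,
                "new_ip": new_ip,
                "severity": "high" if new_ip else "medium",
            })
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    print(account_posture(ENROLLMENTS))
    for alert in detect_downgrades(parse_events(LOG_LINES), ENROLLMENTS):
        print(alert)
```

On the constructed log only alice is flagged: her password login from a new address is rated high, and the SMS code that follows from the same address is rated medium. bob has no proxiable method to downgrade to, and carol has no passkey, so neither produces a downgrade alert even though carol's posture is rated proxiable.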