
Strategies to secure passkeys against authentication vulnerability proposed


A recent blog post from eSentire discussed new strategies to secure passkeys and prevent authentication method redaction attacks, a technique cybercriminals use to bypass security controls by manipulating the authentication process.

Authentication method redaction attacks involve bypassing primary authentication methods in favor of less-secure backup methods, which in turn enables Adversary-in-the-Middle (AitM) phishing attacks. eSentire demonstrates such an attack against GitHub, but says that numerous passkey implementations are similarly flawed.

The cybersecurity threat detection provider suggests that implementing multiple passkeys is a way to mitigate the threat of AitM attacks, so that losing one passkey neither blocks the user’s access nor requires a fallback to a less-secure authentication method. Magic links can also help, as a relatively secure fallback authentication method, but eSentire also introduces the concept of “warded links.”

Warded links are magic links that provide “a new secure authentication flow, isolated from any existing AitM-compromised session,” the post explains.

The company also recommends red-teaming authentication flow designs, ensuring that any move away from passkeys also initiates a new session, and using behavior analytics and a managed detection and response service for continuous protection and fast threat mitigation.
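As an added illustration (not code from eSentire's post), the Python sketch below contrasts a naive magic-link fallback with one that behaves like the warded link described above: the downgrade ends the session that requested it, and the link completes into a fresh session isolated from any prior one. The in-memory stores, function names and one-time-token handling are assumptions made for the example.

```python
import secrets
from typing import Optional

# Constructed in-memory stores for the example; a real service keeps these server-side.
SESSIONS: dict = {}        # session_id -> {"user": str | None, "method": str | None}
PENDING_LINKS: dict = {}   # link_token -> {"user": str, "requested_by": session_id}

def _new_session(user: Optional[str], method: Optional[str]) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "method": method}
    return sid

def start_login() -> str:
    """Pre-authentication session; under AitM phishing the proxy holds this cookie."""
    return _new_session(None, None)

def login_with_passkey(user: str, assertion_verified: bool) -> Optional[str]:
    """Primary path: a session is issued only once the passkey assertion verified."""
    return _new_session(user, "passkey") if assertion_verified else None

def request_fallback_link(user: str, requesting_session: str) -> str:
    """User opts out of the passkey and asks for a magic link instead."""
    token = secrets.token_urlsafe(32)
    PENDING_LINKS[token] = {"user": user, "requested_by": requesting_session}
    return token  # delivered out of band (e-mail); never returned to the requester

def redeem_naive_link(token: str) -> Optional[str]:
    """Weak pattern: completing the link upgrades whichever session asked for it,
    so a session proxied through an AitM page becomes fully authenticated."""
    link = PENDING_LINKS.pop(token, None)  # one-time use
    if link is None:
        return None
    sid = link["requested_by"]
    SESSIONS[sid] = {"user": link["user"], "method": "magic_link"}
    return sid

def redeem_warded_link(token: str) -> Optional[str]:
    """Warded pattern: the requesting session is discarded and a fresh session is
    minted for the browser that actually opened the link, isolated from any prior one."""
    link = PENDING_LINKS.pop(token, None)  # one-time use
    if link is None:
        return None
    SESSIONS.pop(link["requested_by"], None)   # the downgrade ends the old session
    return _new_session(link["user"], "magic_link")
```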

Analysts have identified potential man-in-the-middle (MITM) attacks targeting session cookies, which can be stolen post-authentication to impersonate users.

Despite the vulnerabilities, however, passkey adoption is growing rapidly.

Recently, Australia’s myGov app integrated passkeys, in a bid to provide a more secure authentication method for users. Mastercard announced its commitment to implementing passkeys and full tokenization for payments in the EU by 2030, and AWS added support for passkeys in June.
