Passkey defenders push back on cybersecurity vulnerability claims

Passkeys are the popular new thing in user authentication. The heralded replacement for passwords promises greater security and convenience. Companies and institutions such as Microsoft, Facebook, the UK government, Mastercard, Visa and Amazon are high-profile backers.
However, observers are having to push back on what they argue are spurious claims made over passkeys’ security. Technology publication ArsTechnica has written about one such claim, highlighting research put out by SquareX, a start-up selling browser services. The research claims to have discovered a “major passkey vulnerability.”
Earlier this month at Defcon, researchers unveiled an attack dubbed “Passkeys Pwned,” which exposes a supposed critical vulnerability in the passkey authentication process. The method hinges on a malicious browser extension, covertly installed through a prior social engineering campaign. Once in place, the extension intercepts the creation of passkeys for services like Gmail, Microsoft 365, and thousands of other platforms that have adopted the passwordless login standard.
Behind the scenes, the extension generates a cryptographic keypair and registers its public key with the legitimate gmail.com relying party. The keypair is crafted and controlled entirely by the malware, not the user, so the attacker can later sign in as the victim and gain seamless access to cloud-based applications that often hold an organization’s most sensitive data.
“This discovery breaks the myth that passkeys cannot be stolen, demonstrating that ‘passkey stealing’ is not only possible, but as trivial as traditional credential stealing,” SquareX researchers wrote in a draft version of the research paper sent to ArsTechnica.
“This serves as a wake-up call that while passkeys appear more secure, much of this perception stems from a new technology that has not yet gone through decades of security research and trial by fire.”
However, this assertion rests on a flawed understanding of passkeys. A passkey’s private key remains on the authenticator on which the user registered it, and the attack described does not extract it; nothing is stolen in the sense that a password is stolen.
Rather than stealing an existing credential, the malware hijacks the registration process itself. If a user already has a passkey set up, the Passkeys Pwned extension interferes with the login attempt and shows an error message that urges the user to create a new passkey. Should the user comply, the newly generated key is controlled by the attacker from the start. The user’s existing passkeys are untouched: the attacker has added a credential to the account, not stolen one.
Additionally, the FIDO and WebAuthn specifications on which passkeys rely do not claim to defend against a compromised operating system or browser; the user agent that mediates the registration and sign-in ceremonies is part of the trusted computing base. Malware running in the browser is therefore outside the scope of passkeys’ protections, as it is for any authentication method the browser mediates.
Passkeys have been championed as a way past the weaknesses of password-based security. They defend against phishing, password reuse, credential-database breaches and simple password guessing. Scam links, one-time SMS codes and malicious websites have all been used to steal people’s passwords. Passkeys also make sign-in much faster, according to Microsoft research.
ArsTechnica spoke with SquareX lead developer Shourya Pratap Singh who doubled down on their research — but, as the publication notes, the research does also include a commercial pitch for the SquareX platform. While passkeys are still fairly new, meaning vulnerabilities may well be discovered in time, either in the FIDO spec or in implementations, they still represent a more secure replacement for passwords.
Earlier this year, a research paper offered a comparative evaluation of device-bound versus synced passkey credentials. It noted that despite success in passkey adoption through the efforts of the FIDO Alliance, “so far, little research has been done on the security and usability of passkeys, and even less has considered the differences between the different types of passkeys.”
The authors, from the University of Oslo, aim to categorize different access levels of passkeys “to show how syncing credentials impacts their security and availability.” Their model differentiates device-bound passkeys in a single-user context (classed as low-risk), synced and shared passkeys in multi-user models (medium-risk) and exported passkeys with external scope (high-risk).
“Our findings support claims that synced passkeys are less secure than device-bound ones,” the paper says. “However, the range between secure and insecure passkeys varies widely depending on their implementation and usage. Thus, we emphasize the need for strong authentication for passkey provider accounts, cautious use of credential-sharing, and secure storage of backups.”
Keeper Security introduces Biometric Passkey Login across platforms
Keeper Security has rolled out biometric login support for FIDO2/WebAuthn passkeys in its Chrome and Edge browser extensions as well as the Keeper Commander CLI. The update lets users unlock their encrypted Keeper Vault using device-based credentials such as fingerprint, face biometrics or PIN, eliminating passwords.
The new feature leverages Windows Hello on Windows 11 devices and Touch ID on macOS, ensuring that biometric information remains on the user’s device and is never transmitted to Keeper.
“Security is shifting from passwords alone to stronger, more reliable methods,” says Craig Lurey, CTO and cofounder of Keeper Security. “This industry-leading update lets users unlock their vaults using trusted, device-based credentials such as biometrics or PINs, reducing reliance on passwords that can be stolen or phished.”
Keeper is a member of the FIDO Alliance and takes part in its effort to drive widespread adoption of open standards such as FIDO2 and WebAuthn. The company says the update simplifies passwordless access for IT teams by enabling passkey creation, secure storage and autofill across Keeper’s browser extensions, mobile and desktop vaults, and the open-source Keeper Commander CLI.
Article Topics
biometric authentication | biometrics | cybersecurity | FIDO Alliance | FIDO2 | Keeper Security | passkeys | passwordless authentication