Researchers at enterprise browser security firm SquareX have demonstrated an attack method that can be used to gain access to an account protected by passkeys.
Passkeys are designed to provide a more secure alternative to passwords, enabling users to log into their accounts using a private key stored on the device. Users can sign in using various authentication methods, including a PIN, facial recognition, or a fingerprint scan. Passkeys are increasingly adopted and recommended by major tech companies such as Microsoft, Amazon, and Google. Unlike passwords, passkeys are considered phishing resistant because a fake website cannot trick users into handing over their passkey.
However, researchers at SquareX showed at DEF CON over the weekend that, under certain circumstances, passkeys can be bypassed. It’s worth pointing out that the attack does not target passkey cryptography; rather, it shows how a compromised browser environment can manipulate the process that passkeys rely on.
The attack they described involves the attacker impersonating the targeted user and bypassing passkey-based login security, even in scenarios where Face ID is used and the hacker does not have access to the actual device. The attack targets WebAuthn, the standard that provides a way for users to authenticate to websites and applications through passkeys.
“When registering or authenticating on websites using passkeys, the website communicates via the browser by calling the WebAuthn APIs. In this attack, the attacker forges both the registration and login flows by hijacking the WebAuthn API through JavaScript injection,” Shourya Pratap Singh, principal software engineer at SquareX, told SecurityWeek.
To conduct the attack, a threat actor needs to convince the targeted user to install a malicious browser extension. The attacker can, for instance, disguise the malicious extension as a useful tool and upload it to an extension repository. Alternatively, a client-side vulnerability on the targeted website, such as an XSS bug that allows JavaScript injection, can be exploited to carry out the attack.
The attack involves hijacking and manipulating the passkey registration and authentication processes. If the user has already registered on the targeted website, the attacker can reinitiate the passkey registration process, or they can force the victim to downgrade to password-based authentication and then obtain the credentials. “For victims, it is enough to visit the website where they log in using passkeys with the malicious extension installed, or simply visit the website directly if it contains a client-side injection vulnerability (e.g., via XSS),” Singh explained. “No additional user interaction is required beyond normal registration and authentication.”
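Because the technique described above works by replacing the browser's WebAuthn entry points with injected JavaScript, a relying party's login page can at least trip an alarm when those entry points no longer look native. The following is an added example, not code from SquareX or from the article: `auditWebAuthnSurface` is a hypothetical client-side integrity check, and `makeConstructedWindow` builds a constructed stand-in for a browser window (real Node built-ins play the role of the native methods, since Node has no `navigator.credentials`). Any script with full page access could also patch `Function.prototype.toString`, so this is a tripwire to log and act on server-side, not a substitute for alerting users to new passkey registrations and re-authenticating before one is accepted.

```javascript
// Returns true when fn is an engine-provided (native) function rather than
// JavaScript source injected into the page.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Inspects the WebAuthn surface a login page is about to call and returns a
// list of findings; an empty list means nothing looked tampered with.
function auditWebAuthnSurface(win) {
  const findings = [];
  const creds = win.navigator && win.navigator.credentials;
  if (!creds) {
    findings.push('navigator.credentials missing');
    return findings;
  }
  for (const name of ['create', 'get']) {
    // Genuine methods live on CredentialsContainer.prototype; an own property
    // on the instance means something shadowed them.
    if (Object.prototype.hasOwnProperty.call(creds, name)) {
      findings.push(`navigator.credentials.${name} shadowed by own property`);
    }
    if (!isNativeFunction(creds[name])) {
      findings.push(`navigator.credentials.${name} is not native code`);
    }
  }
  if (!isNativeFunction(win.PublicKeyCredential)) {
    findings.push('PublicKeyCredential constructor replaced');
  }
  return findings;
}

// Constructed test double (assumption: not a real browser). Built-in functions
// stand in for the native WebAuthn methods; when `tampered` is true, the
// double mimics an injected script that shadows create() and swaps the
// PublicKeyCredential constructor.
function makeConstructedWindow(tampered) {
  const proto = { create: Object.assign, get: Object.keys };
  const credentials = Object.create(proto);
  const win = { navigator: { credentials }, PublicKeyCredential: Object };
  if (tampered) {
    const original = proto.create;
    credentials.create = function create(options) { return original.call(this, options); };
    win.PublicKeyCredential = function PublicKeyCredential() {};
  }
  return win;
}
```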