Despite their growing popularity, passkeys are not as secure as many believe. According to Joe Stewart, principal security researcher at eSentire’s Threat Response Unit (TRU), many online accounts using passkeys can still fall victim to adversary-in-the-middle (AitM) attacks. This issue stems not from the passkeys themselves but from their implementation and the need for account recovery options.
Passkeys, a password-less authentication method, aim to provide secure access to online accounts like banking, e-commerce, and social media.
However, an eSentire study found that poor implementation of passkeys, such as less secure backup authentication methods, allows AitM attacks to bypass this security.
In these attacks, the adversary modifies the login prompts shown to users, controlling the authentication flow by altering the HTML, CSS, images, or JavaScript on the login page.
This manipulation can make the passkey option disappear, tricking users into using less secure backup methods like passwords.
Stewart’s research demonstrated how open-source AitM software, like Evilginx, can deceive users of services like GitHub, Microsoft, and Google. By slightly modifying scripts (phishlets) that capture authentication tokens and session cookies from real login pages, attackers can make users believe they are on the genuine site.
The attacker then captures the user’s credentials and authentication tokens, allowing them to maintain acc
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: