Carding Forum
Recently, many online services, such as banks, online stores, social networks, and software development platforms, have started using Passkey technology to protect their accounts instead of traditional passwords.
Passkey is an authentication technology based on cryptographic keys stored on the device. Unlike regular passwords, passkeys provide a high level of security, as they are unique for each device and account. They are difficult to guess or forge, and they are also protected from phishing because they are bound to a specific site or service.
However, despite all the advantages of Passkey technology, according to researcher Joe Stewart of eSentire, all these security measures do not protect against Adversary-in-the-Middle (AitM) attacks, which can easily bypass Passkey authentication.
The problem lies not in the Passkeys themselves, but in their implementation and the need for fallback authentication options. Many sites offer less secure ways to restore your account if you lose your Passkey or device.
During an AitM attack, attackers can take advantage of this, for example by changing the appearance of a service's authorization screen so that the user is not offered Passkey authentication at all.
In fact, this is how AitM attacks work: attackers "wedge" between the user and the legitimate site that they are trying to access by modifying HTML, CSS, and JavaScript on the login page. This allows them to control the authentication process and remove any mention of Passkey, leaving only less secure options that can be easily intercepted.
eSentire's Stewart even gave a real-world example where he used Evilginx software to change the GitHub login page by removing the "Sign in with Passkey" button, which forced the user to enter the traditional username and password. Stewart also noted that the problem affects not only GitHub and Microsoft, but also most major retailers and cloud services.
The researcher emphasizes that an attack on authentication by editing login pages is not a direct vulnerability of Passkey. Such attacks are more likely to indicate the immaturity of authentication methods in general. Many users are not familiar with Passkey and may not recognize manipulations on the login page. At the same time, developers may not know how AitM attacks change the appearance of the login page.
To increase security, Joe Stewart recommends using a magic link to restore access to the account: a unique temporary link is sent to the user's email address, allowing them to log in automatically without interacting with the phishing login window.
It is also worth adding hardware keys to the authorization process, strictly defining access policies, using strong passwords for backup authentication methods, and allowing users to register several passkeys at once, so that if one of them is lost they do not have to fall back to less secure methods.
• Source: https://www.esentire.com/blog/securing-passkeys-thwarting-authentication-method-redaction-attacks
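The post says passkeys are "bound to a specific site" and that the AitM proxy therefore has to remove the passkey option rather than relay it. The following added example (not code from the post or from eSentire) shows the relying-party side of that binding: the checks a server runs on a WebAuthn assertion's clientDataJSON and authenticatorData. The relying party name, allowed origins, the lookalike origin and the constructed clientDataJSON builder are all assumptions made for the demo; a real server would receive clientDataJSON from the browser and would also verify the authenticator signature over it.

```python
import base64
import hashlib
import json
import secrets

# Relying-party configuration (constructed values for this example).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def new_challenge() -> str:
    """Server side: generate a one-time challenge and remember it for this login attempt."""
    return b64url_encode(secrets.token_bytes(32))


def verify_client_data(client_data_json: bytes, expected_challenge: str):
    """Check the browser-built clientDataJSON of a WebAuthn 'get' assertion.

    Returns (ok, reason). The origin check is what makes a passkey
    phishing-resistant: the browser records the origin it actually connected
    to, and the authenticator signs over sha256(clientDataJSON), so a proxy
    sitting between user and site cannot rewrite the origin without breaking
    the signature. Its only option is to hide the passkey button.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected ceremony type {data.get('type')!r}"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {data.get('origin')!r} is not this relying party"
    if data.get("crossOrigin") is True:
        return False, "cross-origin assertion refused"
    return True, "ok"


def verify_rp_id_hash(authenticator_data: bytes) -> bool:
    """The first 32 bytes of authenticatorData are sha256(rpId); they must match ours."""
    return authenticator_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


def make_client_data(origin: str, challenge: str, ceremony: str = "webauthn.get") -> bytes:
    """Constructed stand-in for what a browser would build; used only to drive the demo."""
    return json.dumps({"type": ceremony, "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def demo() -> dict:
    challenge = new_challenge()
    legit = make_client_data("https://example.com", challenge)
    # A reverse-proxy phishing page serves the site's own HTML from a lookalike
    # host (constructed name); the browser still reports that lookalike origin.
    proxied = make_client_data("https://example-login.net", challenge)
    replayed = make_client_data("https://example.com", new_challenge())
    # Minimal authenticatorData: rpIdHash || flags (UP|UV) || signCount.
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    return {
        "legit": verify_client_data(legit, challenge),
        "proxied": verify_client_data(proxied, challenge),
        "replayed": verify_client_data(replayed, challenge),
        "rp_id_hash_ok": verify_rp_id_hash(auth_data),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for defenders follows from the `proxied` case: because a relayed passkey assertion fails at the origin check, an AitM kit has nothing to gain by forwarding it, which is why the attack described above works by redacting the passkey option and pushing the user toward a relayable fallback. The server-side policy therefore matters as much as the cryptography: if an account has registered passkeys, the fallback methods the page mentions (passwords, recovery codes) should be the ones that are restricted, and a magic link or second passkey offered instead.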