Passkeys, based on the FIDO2/WebAuthn standards, have been hailed as the silver bullet that will finally kill the password. And for good reason. They are phishing-resistant, user-friendly, and have the potential to significantly improve the security of our online lives. But as with any new technology, it’s only a matter of time before attackers find ways to bypass it.
This deep-dive analysis will explore three ways that attackers are bypassing FIDO2/WebAuthn in 2025. We’ll examine how they are manipulating the Relying Party, using advanced Man-in-the-Middle (MitM) attacks, and exploiting platform vulnerabilities. We’ll also provide guidance on how to build resilient systems that can withstand these attacks.
## Attack 1: Manipulating the Relying Party
The Relying Party (RP) is the server-side component of the FIDO2/WebAuthn architecture. It’s responsible for registering and authenticating users. A misconfiguration in the RP can create a vulnerability that allows an attacker to bypass the security of Passkeys.
For example, a hypothetical CVE in a popular WebAuthn library could weaken the attestation checks. Attestation is the process of verifying the authenticity of the authenticator (e.g., a YubiKey or a smartphone). If an attacker can bypass this check, they can use a fake authenticator to impersonate a legitimate user.
To mitigate this risk, it’s essential to use a FIDO-certified WebAuthn library and to follow the best practices for server-side implementation. This includes properly configuring attestation checks and using a strong form of attestation, such as direct anonymous attestation (DAA).
## Attack 2: Advanced Man-in-the-Middle (MitM) Attacks
One of the key benefits of Passkeys is that they are resistant to traditional phishing attacks. However, they are not immune to advanced Man-in-the-Middle (MitM) attacks. In a MitM attack, the attacker positions themselves between the user and the RP and proxies the authentication flow.
Tools like Evilginx3 have made it easier than ever to carry out MitM attacks. With Evilginx3, an attacker can create a convincing phishing site that proxies the Passkey authentication flow and steals the user’s session token. Once the attacker has the session token, they can impersonate the user and access their account.
To mitigate this risk, it’s important to use a FIDO-certified authenticator that supports user presence checks. This will require the user to physically interact with the authenticator (e.g., by tapping it) before they can be authenticated. This makes it much more difficult for an attacker to carry out a MitM attack.
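As an added example (not code from the original post), the following Python shows the context checks a WebAuthn Relying Party makes on an assertion's clientDataJSON and authenticatorData before verifying the signature: these are the server-side checks whose weakening is the substance of Attack 1, and the browser-supplied origin check plus the user-presence flag are what a proxied flow on another host cannot satisfy in Attack 2. The RP ID, origin and sample inputs are assumptions constructed for the demo; a real RP must additionally verify the signature over authenticatorData || SHA-256(clientDataJSON) with the credential's stored public key and compare signCount with the stored value.

```python
import base64, hashlib, json, secrets

EXPECTED_RP_ID = "example.com"            # assumption: the RP ID this server registered
EXPECTED_ORIGIN = "https://example.com"   # assumption: the only web origin this RP serves
FLAG_UP, FLAG_UV = 0x01, 0x04             # authenticatorData flag bits: user present / verified

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, require_uv: bool = True) -> dict:
    """Context checks an RP makes on an assertion before verifying its signature.
    Returns {"ok": True, ...} or {"ok": False, "reason": <first failed check>}."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "ceremony type mismatch"}
    # The challenge must be the one this server issued for this login (replay protection).
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return {"ok": False, "reason": "challenge mismatch"}
    # The browser, not the page, writes the origin: a proxy on another host fails here.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return {"ok": False, "reason": f"origin mismatch: {cd.get('origin')!r}"}
    if len(authenticator_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short"}
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}
    if not flags & FLAG_UP:
        return {"ok": False, "reason": "user presence flag not set"}
    if require_uv and not flags & FLAG_UV:
        return {"ok": False, "reason": "user verification flag not set"}
    # signCount is returned so the caller can compare it with the stored counter.
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    return {"ok": True, "flags": flags, "sign_count": sign_count}

def make_sample(origin: str, flags: int, challenge: bytes, sign_count: int = 7) -> tuple:
    """Constructed sample input for the demo; no real authenticator is involved."""
    cd = json.dumps({"type": "webauthn.get", "origin": origin,
                     "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()
    auth_data = (hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
                 + bytes([flags]) + sign_count.to_bytes(4, "big"))
    return cd, auth_data

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    print(verify_assertion_context(*make_sample(EXPECTED_ORIGIN, FLAG_UP | FLAG_UV, challenge), challenge))
    print(verify_assertion_context(*make_sample("https://example-login.net", FLAG_UP | FLAG_UV, challenge), challenge))
```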
## Attack 3: Platform Vulnerabilities
The security of Passkeys also depends on the security of the underlying platform. A vulnerability in the device’s Secure Enclave or Trusted Execution Environment (TEE) could allow an attacker to extract or use a synced Passkey without authorization.
For example, a bug in the TEE could allow an attacker to bypass the user authentication mechanism and access the Passkey. This would allow the attacker to impersonate the user and access their account.
To mitigate this risk, it’s important to use a device with a FIDO-certified authenticator and to keep the device’s operating system and firmware up to date. It’s also important to be aware of the latest platform vulnerabilities and to take steps to mitigate them.
## Building Resilient Systems
Passkeys are not a silver bullet, but they are a significant step forward in the fight against phishing and other online threats. By understanding the risks and taking steps to mitigate them, you can help to ensure that your organization is well-protected against the next generation of authentication attacks.
Here are a few key takeaways:
* **Use FIDO-certified solutions:** Use FIDO-certified WebAuthn libraries and authenticators to ensure that you are using a secure and interoperable solution.
* **Follow best practices for server-side implementation:** Properly configure attestation checks and use a strong form of attestation to prevent RP manipulation.
* **Use authenticators with user presence checks:** This will help to mitigate the risk of MitM attacks.
* **Keep your platforms up to date:** This will help to protect you against platform vulnerabilities.
* **Monitor authentication events:** Continuously monitor authentication events to detect and respond to suspicious activity.
By following these best practices, you can build a resilient authentication system that can withstand the ever-evolving threat landscape. The future of authentication is here, but it’s up to us to make it a secure one.