We’ve been told that passkeys are the future of authentication. And for good reason. They’re built on the FIDO2/WebAuthn standard, they’re resistant to phishing, and they’re backed by the biggest names in tech. But as we’ve learned time and time again in the security world, there’s no such thing as a silver bullet.

As passkey adoption reaches critical mass in 2025, attackers are shifting their focus. They’re no longer trying to brute-force their way into our accounts. Instead, they’re finding sophisticated new ways to bypass the very technology that was designed to stop them.

In this deep dive, we’ll explore three of the most common ways that attackers are bypassing passkeys in 2025.

### Attack 1: Manipulating the Relying Party

The first and most common attack vector is to manipulate the relying party (RP). The RP is the website or application that the user is trying to log into. If the RP has a vulnerability, an attacker can exploit it to bypass the passkey authentication process.

One of the most common vulnerabilities is a misconfiguration in the RP’s WebAuthn library. For example, if the RP doesn’t properly validate the attestation statement from the authenticator, an attacker could potentially forge a statement and trick the RP into accepting a fake passkey.

Another common vulnerability is a failure to properly enforce user verification. For example, if the RP doesn’t require the authenticator to verify the user with a PIN or biometrics, an attacker holding a stolen device could log into the user’s account.

### Attack 2: Advanced Man-in-the-Middle (MitM)

The second attack vector is an advanced man-in-the-middle (MitM) attack. In a traditional MitM attack, the attacker intercepts the communication between the user and the RP. With passkeys this is much harder to do: the FIDO2/WebAuthn standard has the authenticator sign a challenge that is bound to the RP’s origin, rather than sending a reusable secret over the connection.

However, attackers are now using tools like Evilginx3 to proxy the passkey authentication flow. In this scenario, the attacker sets up a fake website that looks identical to the real RP. When the user tries to log into the fake site, the attacker intercepts the authentication request and forwards it to the real RP. The real RP responds with a challenge, which the attacker relays to the user’s authenticator. The authenticator signs the challenge, and the attacker intercepts the signed response and forwards it on to the real RP. The real RP then logs the user in and returns a session token, which the attacker now holds and can use to access the user’s account.

### Attack 3: Platform Vulnerabilities

The third attack vector is to exploit vulnerabilities in the underlying platform. This could be a vulnerability in the user’s operating system, browser, or even the secure enclave or trusted execution environment (TEE) on their device.

For example, if an attacker can find a bug in the device’s secure enclave, they could potentially extract the private keys behind the user’s passkeys. Or, if they can find a bug in the user’s browser, they could potentially inject malicious code that bypasses the passkey authentication process.

### Building Resilient Systems

So what can we do to protect ourselves from these new attacks? The answer is to build resilient systems that are designed to withstand the inevitable failures of individual components. Here are some key principles:

* **Proper server-side implementation:** Make sure your RP is properly configured and that you’re using a FIDO-certified WebAuthn library.
* **Continuous monitoring:** Monitor your authentication events for suspicious activity. Look for things like multiple failed login attempts, logins from unusual locations, and logins from devices that you don’t recognize.
* **Defense-in-depth:** Don’t rely on a single security control. Use a combination of controls, including passkeys, multi-factor authentication, and strong password policies.
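As an added illustration of what “proper server-side implementation” means in practice (this is example code written for this post, not code from the original or from any library), the Python function below performs the RP-side checks on a passkey assertion that the three attacks above lean on: the challenge and the browser-reported origin, the rpIdHash, the user-verification flag, and the signature counter. The RP ID, origin and sample data are constructed for illustration; verifying the signature with the credential’s stored public key comes after these checks and is not shown.

```python
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # authenticatorData flag bit: user present
FLAG_UV = 0x04  # authenticatorData flag bit: user verified (PIN or biometric)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_json: bytes, auth_data: bytes, *, expected_challenge: bytes,
                    expected_origin: str, rp_id: str, stored_sign_count: int, require_uv: bool = True) -> int:
    """RP-side checks on a navigator.credentials.get() response, done before verifying the
    signature over authData || SHA-256(clientDataJSON). Returns the signCount to store,
    or raises ValueError with the reason for rejection."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed assertion")
    # The browser fills in the origin itself, so a response produced on a look-alike
    # domain carries that domain here and is rejected.
    if cd.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    # Requiring UV, not just UP, is what keeps a stolen device from logging in on its own.
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but UV flag is clear")
    # A signCount that fails to increase is the spec's signal for a cloned authenticator.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signCount did not increase: possible cloned credential")
    return sign_count

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON in the shape a browser produces (sample data, not captured)."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed 37-byte authenticatorData: rpIdHash || flags || signCount (big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

The counter rule follows the WebAuthn spec: when either counter is non-zero, the new value must be strictly greater than the stored one, and a failure is worth an alert rather than a silent rejection.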

### The Future of Authentication

Passkeys are a major step forward in the evolution of authentication. But they are not a silver bullet. As we move into the passwordless future, we need to be vigilant. We need to understand the new attack vectors that are emerging, and we need to build resilient systems that are designed to withstand them. The security of our digital lives depends on it.
