TLDR
If you take nothing else away from this piece: if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys.
- Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure.
- Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong authentication altogether.
- Malicious or compromised browser extensions can hijack WebAuthn requests, manipulate passkey registration or sign-in, and drive autofill to leak credentials and one-time codes.
- Device-bound passkeys in hardware security keys provide higher assurance and better administrative control than synced passkeys, and should be mandatory for enterprise access use cases.
Synced Passkey Risks
Synced passkey vulnerabilities
Passkeys are credentials stored in an authenticator. Some are device-bound; others are synced across devices through consumer cloud services like iCloud and Google Cloud. Sync improves usability and recovery in low-security, consumer-facing scenarios, but it shifts the trust boundary to cloud accounts and recovery workflows. The FIDO Alliance and Yubico have each issued important advisories urging enterprises to evaluate this split and to prefer device-bound options for higher assurance.
Operationally, synced passkeys broaden the attack surface in three ways:
- Cloud account takeover or recovery abuse can authorize new devices, which erodes the integrity of the credential.
- If a user is signed in on their corporate device with their personal Apple iCloud account, passkeys created there may be synced to their personal accounts; this dramatically expands the attack surface beyond enterprise security boundaries.
- Help desk and account recovery become the real control points that attackers target, because they can copy the same protected keychain onto a new, unknown, and untrusted device.
Authentication downgrade attacks
Figure: the "captured" session. (Image source: Proofpoint)
Proofpoint researchers documented a practical downgrade against Microsoft Entra ID in which a phishing proxy spoofs an unsupported browser, such as Safari on Windows; Entra then disables passkeys, and the user is guided to select a weaker method, such as SMS or OTP. The proxy captures the credentials and the resulting session cookie and imports the cookie to gain access.
This threat vector relies on the uneven operating system and browser support for WebAuthn passkeys and on the identity provider's (IdP) acceptance of weak authentication methods as a pragmatic UX concession. It is a classic adversary-in-the-middle (AiTM) attack powered by policy steering. It does not break WebAuthn origin binding, because the platform never reaches a WebAuthn ceremony when a compatibility branch disables it. Your weakest authentication method defines your real security.
Immediate mediation in WebAuthn is a feature that allows sites to offer an alternative authentication method when WebAuthn is not available. This is useful for UX, but it can also be abused by attackers to steer users toward non-WebAuthn paths if policy permits them.
Browser-based security is susceptible to extension and autofill threat vectors
SquareX researchers showed that a compromised browser environment can hijack WebAuthn calls and manipulate passkey registration or sign-in. The technique does not break passkey cryptography. It injects into or intercepts the browser-side process, for example through a malicious extension or an XSS bug, to reinitiate registration, force a password fallback, or silently complete an assertion.
Chrome documents an extension API named webAuthenticationProxy that, once attached, can intercept the navigator.credentials.create() and navigator.credentials.get() methods and supply its own responses. This capability exists for remote desktop use cases, but it demonstrates that an extension with the right permission can sit in the WebAuthn path.
Extensions also run content scripts inside the page context, where they can read and modify the DOM and drive user interface flows, which includes invoking credential APIs from the page.
Independent research presented at DEF CON described DOM-based extension clickjacking that targets the UI elements injected by password manager extensions. A single user click on a crafted page can trigger autofill and exfiltration of saved data such as logins, credit cards, and one-time codes. The researcher reports that in some scenarios passkey authentication can also be exploited, and lists vulnerable versions across multiple vendors.
Device-bound credentials are the only effective enterprise solution
Device-bound passkeys are tied to a specific device, typically with private key generation and use performed in secure hardware components. In the enterprise, hardware security keys provide consistent device signals, attestation, and a lifecycle you can inventory and revoke.
Guidance for an enterprise-grade passkey program
Policy
- Require phishing-resistant authentication for all users, and especially those in privileged roles. Accept only device-bound authenticators that generate non-exportable credentials at registration that never leave the device. Credentials should be rooted in secure hardware and verifiably tied to the physical device attempting the login.
- Eliminate all fallback methods such as SMS, voice calls, TOTP apps, email links, and push approvals. These exist to be exploited during social engineering and downgrade attacks. If a fallback exists, an attacker will force it. Make the strong path the only path.
- Ensure universal operating system and browser support for phishing-resistant, device-bound credentials. Do not offer alternatives; yes, this is possible, and we're happy to show you a demo with Beyond Identity's identity defense platform. Universal coverage is necessary for complete protection because you're only as secure as your weakest link.
Browser and Extension Posture
- Enforce extension allowlists in managed browsers. Disallow any extension that requests webAuthenticationProxy, activeTab, or broad content script permissions.
- Continuously monitor extension installs and usage trends for suspicious mass removals or unexplained permission escalations. Extension-level compromise is increasingly indistinguishable from a legitimate user. Lock down browser behavior as tightly as you would an endpoint.
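As an added illustration of the allowlist rule above (this is example code, not part of the original post or of any vendor's product), the Python audit below flags a Chrome extension manifest that requests webAuthenticationProxy, activeTab, or content-script and host patterns that reach every origin; it handles both MV2 and MV3 manifests, and the two manifests are constructed samples.

```python
# Constructed sample manifests; neither corresponds to a real published extension.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Remote Desktop Helper (constructed)", "version": "1.0",
    "permissions": ["webAuthenticationProxy", "activeTab", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Intranet Helper (constructed)", "version": "2.3",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://intranet.example.com/*"], "js": ["ui.js"]}],
}

# Permissions the guidance singles out, plus match patterns that reach every origin.
RISKY_PERMISSIONS = {"webAuthenticationProxy", "activeTab"}
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list:
    """Return the policy findings for one extension manifest (MV2 or MV3); [] means clean."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    for perm in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"requests the {perm} permission")
    for pattern in sorted(hosts & BROAD_PATTERNS):
        findings.append(f"broad host permission {pattern}")
    for script in manifest.get("content_scripts", []):
        broad = sorted(set(script.get("matches", [])) & BROAD_PATTERNS)
        if broad:
            findings.append(f"content script injected on {', '.join(broad)}")
    return findings

def install_allowed(ext_id: str, manifest: dict, allowlist: set) -> bool:
    """Allowlist decides what may install; an allowlisted extension is still refused
    when its manifest needs risky access, so a permission escalation in an update is caught."""
    return ext_id in allowlist and not audit_manifest(manifest)
```

Run it against the manifests your browser-management inventory exports and alert on any extension whose findings change between two collections, which is the permission escalation the guidance asks you to watch for.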
Enrollment and Recovery
- Use high-assurance authenticators as the root of recovery. No help desk, email inbox, or call center should be able to bypass phishing-resistant controls. Recovery is often the attacker's entry point. Eliminate social engineering vectors and force policy-compliant reproofing.
- Only allow enrollment of device-bound credentials.
- Capture attestation metadata at registration, including device model and assurance level. Reject unrecognized or unverifiable authenticators. Trust begins at registration. If you don't know what created the credential, you don't control access.
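An added Python example (not code from the original post or from any vendor) of the two enrollment rules above: it parses the WebAuthn authenticatorData returned at registration, rejects a credential whose backup-eligible (BE) flag marks it as a synced passkey, and refuses an unverifiable attestation format or an AAGUID outside an approved list. The approved AAGUID and the sample authenticator data are constructed; a real deployment would also verify the attestation statement's signature chain, which is omitted here.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticatorData flags byte: UP, UV, BE (backup eligible),
# BS (backup state) and AT (attested credential data present).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_auth_data(raw: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and, when AT is set, aaguid and credentialId.
    The COSE public key that follows credentialId is not needed for this policy check."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    ad = {"rp_id_hash": raw[:32], "flags": raw[32],
          "sign_count": struct.unpack(">I", raw[33:37])[0], "aaguid": None}
    if ad["flags"] & FLAG_AT:
        if len(raw) < 55:
            raise ValueError("truncated attestedCredentialData")
        cred_len = struct.unpack(">H", raw[53:55])[0]
        if len(raw) < 55 + cred_len:
            raise ValueError("truncated credentialId")
        ad["aaguid"], ad["credential_id"] = raw[37:53], raw[55:55 + cred_len]
    return ad

def registration_policy(raw: bytes, fmt: str, rp_id: str, allowed_aaguids: set) -> list:
    """Reasons to reject a registration; an empty list means the credential is acceptable."""
    ad = parse_auth_data(raw)
    reasons = []
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash does not match the expected RP ID")
    if not ad["flags"] & FLAG_UV:
        reasons.append("user verification not performed")
    if ad["flags"] & FLAG_BE:
        reasons.append("credential is backup-eligible, i.e. a synced passkey")
    if fmt == "none":
        reasons.append("attestation format 'none' cannot be verified")
    if ad["aaguid"] is None:
        reasons.append("no attested credential data")
    elif ad["aaguid"] not in allowed_aaguids:
        reasons.append("AAGUID not in the approved authenticator list")
    return reasons

# Constructed placeholder AAGUID standing in for an approved hardware security key model.
APPROVED_AAGUID = bytes(range(16))

def build_auth_data(rp_id: str, flags: int, aaguid: bytes, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Assemble sample authenticatorData for the examples; real data comes from the browser."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)
```

Store the parsed AAGUID and flags alongside the credential record so the same checks can be re-run on assertions, where a BE or BS flag appearing on a credential enrolled as device-bound is a signal worth investigating.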
Device Hygiene & Runtime Defense
- Bind sessions to trusted device context. A session cookie should never be a portable artifact. Runtime session enforcement should tie identity to continuous device posture, not just an initial authentication.
- Enforce continuous authentication. If device posture, location, or security status changes, require reauthentication or deny access. A login is not a hall pass. Risk is dynamic; authentication must be too.
- Assume authentication attempts with weak factors should be blocked by default. See how Beyond Identity customers instantly block identity attacks based on the simple fact that it isn't a strong credential attempting access.
What This Looks Like in Practice
The architecture of an identity security system that offers uncompromising defense against identity, browser, and device-based attacks can be defined by these three characteristics:
- Device-bound credentials: Credentials never leave the device. They are non-exportable, hardware-backed, and cannot be synced or replayed elsewhere.
- Continuous trust: Authentication never stops at login. It continues throughout the session, tied to posture signals from the device.
- Universal endpoint hygiene enforcement: All endpoints are in scope. Even unmanaged devices must be evaluated in real time for risk posture and session integrity.
The bottom line
Synced passkeys are not a force field appropriate for defense. They improve usability for consumer use cases at the cost of enterprise access security.
See more in action in an upcoming webinar, How Attackers Bypass FIDO: Why Synced Passkeys Fail and What To Do Instead, where Beyond Identity will review how synced passkey failures happen and how leading security teams, including Snowflake and Cornell University, close these paths.
Even if you can't join, register and you will get the recording!