Passkey implementations by Google, Amazon, Microsoft vulnerable to AitM attacks, research

Attackers can proxy login pages removing mention of passkeys and prompting users to resort to passwords, finds eSentire

John Leonard
clock • 4 min read
Passkey implementations by Google, Amazon and Microsoft vulnerable to AitM attacks, research
Image:

Passkey implementations by Google, Amazon and Microsoft vulnerable to AitM attacks, research

Passkeys have surged in popularity in recent months as organisations recognise them as an effective way to combat phishing attacks, and with major tech companies such as Apple, Microsoft and Google promoting their adoption.

Based on FIDO [Fast Identity Online] standards, passkeys are designed as a replacement for passwords. They are the equivalent of hardware keys, the best known being the Yubikey, but are present on ...

To continue reading this article...

Join Computing

  • Unlimited access to real-time news, analysis and opinion from the technology industry
  • Receive important and breaking news in our daily newsletter
  • Be the first to hear about our events and awards programmes
  • Join live member only interviews with IT leaders at the ‘IT Lounge’; your chance to ask your burning tech questions and have them answered
  • Access to the Computing Delta hub providing market intelligence and research
  • Receive our members-only newsletter with exclusive opinion pieces from senior IT Leaders

Join now

 

Already a Computing member?

Login

You may also like
WhatsApp adds passkeys on Android

Security

WhatsApp adds passkeys on Android

Another app dropping passwords

clock 18 October 2023 • 1 min read
GitHub announces passwordless authentication trial

Security Technology

GitHub announces passwordless authentication trial

The trial can be considered a milestone in the long demise of passwords

clock 13 July 2023 • 2 min read
Google takes big step towards 'passwordless'

Security Technology

Google takes big step towards 'passwordless'

Passkeys differ from passwords in that they can only exist on the user's devices and cannot be written down or inadvertently disclosed to malicious actors

clock 04 May 2023 • 2 min read
John Leonard
Author spotlight

John Leonard

View profile
More from John Leonard

Cyber? We can't get the staff say UK IT leaders

EU accuses Meta of violating competition rules with 'pay-or-consent'

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

Get the newsletter

More on Threats and Risks

Passkey implementations by Google, Amazon, Microsoft vulnerable to AitM attacks, research
Threats and Risks

Passkey implementations by Google, Amazon, Microsoft vulnerable to AitM attacks, research

Attackers can proxy login pages removing mention of passkeys and prompting users to resort to passwords, finds eSentire

John Leonard
John Leonard
clock 04 July 2024 • 4 min read
Cobalt Strike servers disrupted in major cybercrime operation
Threats and Risks

Cobalt Strike servers disrupted in major cybercrime operation

'Operation MORPHEUS' targeted unlicensed versions of the legitimate security tool

Dev Kundaliya
clock 04 July 2024 • 3 min read
Intel processors threatened by new CPU side channel attack
Threats and Risks

Intel processors threatened by new CPU side channel attack

Exploits weaknesses in two key components

Dev Kundaliya
clock 03 July 2024 • 2 min read