Passkeys vs. Hackers: Are Passkeys Truly the Future of Secure Authentication?

In the simplest of terms, passkeys are an alternative to passwords that provide unique, phishing-resistant authentication for access to anything from a website, cloud network, or application to a mobile device. Under the hood, a passkey is a public/private key pair created for one specific site or app: the private key stays on your device (or in a synced credential store) and the site keeps only the public key, so there is no shared secret for an attacker to steal from a server breach. You very likely have used a passkey at some point already, either for personal or professional reasons. The face scan, thumbprint, or screen-lock PIN that many people associate with passkeys is actually the local step that unlocks the private key on the device; the biometric itself is never sent to the website. Codes sent by text message to confirm your identity on a new or public machine are a different, weaker form of second factor, not a passkey, and they can be phished. Passkeys are now used across many industries, including banking and finance, education, and medicine.

Passkeys are Phishing Resistant – Not Phishing Proof

The one thing you need to know about passkeys is that they are not guaranteed to prevent every phishing attempt or other type of cyberattack; nothing is totally hacker-proof. That said, compared to other methods of logging into a website or account, passkeys offer a strong combination of security and user-friendly convenience, making them an excellent tool in the fight against cybercrime. Eliminating the password, which in many cases is weak, reused, or easily guessed, removes the credential that attackers most often steal and replaces it with a cryptographic login that cannot be typed into the wrong site.

Some of the companies that offer passkey sign-in include popular technology-based services such as PayPal, Amazon, Microsoft, and Google, and hundreds of websites now support passkeys for a more secure authentication process. A passkey itself is very difficult, if not impossible, to steal remotely: the private key never leaves the device, and a login attempt is signed only for the exact website the key was created for. Because the key is unlocked with a biometric or device PIN, even if the phone you use to log in is stolen, the thief cannot use the passkey without also defeating that local unlock. This matters because password-based attacks remain among the most common attacks in use today, especially the social engineering and phishing campaigns aimed at businesses.

What is the Problem with Passkeys?

Cybersecurity experts are raising concerns about how attackers can work around passkeys: rather than breaking the passkey, the attacker removes the passkey option from the login flow and forces the user onto a less secure method such as a password plus a texted code. One way this is achieved is through an AitM attack, otherwise known as the "adversary in the middle" method. The attacker stands a proxy between the user and the real site and presents a login page that looks identical to, or is literally relayed from, the genuine login page for the website or program being used. One example would be a copy of the Google Gmail login that a user would not think twice about and might assume was due to an update, upgrade, or re-authentication requirement.

The attacker presents this proxied page with the passkey option stripped out, leaving the user to log in with a password and any one-time code, both of which the proxy captures as they pass through. There are not many reports of this activity right now, but that is largely because passkeys are still new: not all websites and services offer them, not all users have adopted them, and many accounts still keep a password as a fallback. As passkeys become more prevalent, it is highly likely that more attackers will use this AitM downgrade to trick users out of their passwords and session cookies and take over the account, application, or network.

Things you need to know about passkeys and AitM attacks:

  • A passkey defends itself against AitM attacks, including fully automated phishing kits, because the login proof it produces is only valid for the genuine site.
  • The goal of the design is to make it useless for an attacker to get "in the middle," hence the name of AitM attacks, of the login exchange.
  • The private key is stored on the device and is tied to the exact domain it was registered for. The browser records the real web address the user is on inside the signed login response, so a response produced while the user is on a phishing domain is rejected by the genuine site, and the attacker cannot edit that address without breaking the signature.

How Easy Is It to Hack a Passkey Authentication?

White hat hackers have shown that it is relatively easy to bypass a passkey requirement with a new spin on the basic AitM attack, nicknamed the "get it outta there" approach. The attacker's proxy modifies the HTML of the login page, or injects JavaScript into it, so that the passkey option is removed entirely before the page reaches the user. Even if the user tries to reach the passkey prompt some other way through the proxied page, it is not offered. Popular phishing kits can apply this edit automatically as the real page is proxied to the end user, making the downgrade quick and easy to carry out.

As far as the end user is concerned, there is really nothing to alert them to the change, except that the passkey login option has disappeared; that missing option is the one visible tell, and staff should be taught to treat it as a red flag rather than a normal update. For companies that use passkey authentication, regular training and ongoing IT support help to prevent the mistakes that let attackers into the network, just as with other types of phishing and spear phishing attacks. It is essential to stay on top of the latest attack methods so you can keep your team apprised of what to look out for when threat actors try to access your company data.

What Can You Do to Prevent AitM Attacks on Passkeys?

If your company uses passkeys for secure authentication, it is critical to work with a reputable company that can provide a variety of technology solutions designed to protect company data and network access. It is human nature to fall back on the next-best option when the passkey prompt is missing, which is the classic username and password route. However, when an attacker is in the middle, that fallback hands the login credentials to the attacker along with the session cookies the site issues after login, potentially allowing persistent access to the account even after the password is changed.

One way to thwart this is to make sure the fallback paths are themselves outside the compromised "in the middle" pathway. That can mean a link sent by email that takes your team members directly to the proper domain instead of the spoofed login (the link itself must be checked, since the attacker's page can also ask for an email code), a password manager or bookmark that only fills in or opens the real address, and, most effectively, a login policy that removes the password fallback altogether for accounts that have a passkey, so there is nothing for the attacker to downgrade to. While these attacks are not very common right now, the technology is spreading quickly enough for it to be a concern. One study shows that more than half of US and UK respondents to a survey about passkeys stated that they had enabled passkeys on at least one of their login accounts, and approximately 22 percent of those respondents stated that they used passkeys whenever they were made available, on every device and account.

Education, Training, and Ongoing Support
One of the ways that you can prevent attacks like this from succeeding is by giving your team members the education and training they need to spot a fake or altered login page, and to understand how this type of attack works before it happens. You and your technology team should also provide recovery options that do not fall back to a basic password, such as a second passkey or a hardware security key kept in a safe place; a thumbprint or facial scan is the local unlock for a passkey, not a substitute recovery method. At Synivate, we offer a variety of tools, services, and support, including education and training programs for you and your staff. We also provide ongoing support, either by phone or online, to ensure that your staff has answers to their questions and concerns 24 hours a day, 7 days a week.

Are Passkeys the Secure Authentication Solution for Your Company?

If you are interested in learning more about passkeys and other secure authentication services for your organization, give us a call at 617-517-0704. We can answer any questions you might have about passkeys and secure authentication, as well as offer insight into our various education and training programs. When it comes to cybersecurity and protecting your company's essential data, you can never be too careful.

We also offer a range of monitoring and management services designed to augment your existing IT solutions or to provide IT services to small and newly launched businesses that might not have the budget for a full-time IT department. Give us a call today for a FREE consultation or to get started with one of our professional services designed to help you grow your business while protecting your important data.

Synivate Author