While online accounts are increasingly protected by passkeys, it turns out that many banking, e-commerce, social media, domain registrar, software development platform, cloud and other accounts can still be compromised using adversary-in-the-middle (AitM) attacks that make passkeys moot.
That's according to Joe Stewart, principal security researcher with eSentire's Threat Response Unit, who says the problem lies not in the passkeys themselves but in their implementation and the need for account recovery options.
Many websites provide less-secure backup authentication methods in the event a user has an issue with their passkey or a lost device, so that accounts don't become unrecoverable.
Attackers can take advantage of this by simply inserting themselves between the user and the website as they would in any AitM scenario, then manipulating what the login screen looks like so that the user isn't given the passkey option at all.
Using this strategy, they can force a target to downgrade to a less-secure alternative that can be intercepted by the lurking adversary.
In another scenario where a passkey is used as a second factor of authentication, Stewart found that once again, it's trivial to rewrite the HTML of the page to delete the second-factor passkey authentication method altogether.
In a third scenario using a Microsoft consumer account, the passkey sign-in option can again be hidden.
GitHub and Microsoft are not alone; most large retailers and cloud app providers have the same issue.
Not a Vulnerability but a Sad Reality
Stewart stresses that authentication method redaction attacks succeed not because there are flaws in passkey implementations or because of security bugs but because of authentication immaturity in general.
For one, most users aren't familiar enough with passkeys yet and don't know how to recognize when a page might be manipulated; for another, implementers may not be aware of how AitM can modify the login view.
The fact remains that offering account recovery options is a must: passkeys are housed on hardware devices, so if the device is lost there needs to be another way to access the account.
When his team contacted some of the affected vendors, they appreciated the information, he says - but there remains some exasperation with how difficult it is to level up on authentication methods in the consumer realm.
The one caveat is that such link-based recovery is only as secure as the email inbox or the SMS network that delivers the link, and both are common targets for attackers as well.
For that reason, Stewart advocates adding extra security layers, such as making the links auto-generated, single-use and short-lived, and permitting logins through them only from previously authenticated IP addresses.
On a positive note, some of the providers the team talked to were open to considering such new approaches to thwart AitM attacks, he adds.
How Enterprises Can Prevent Compromise From Passkey Redaction
Beyond the obvious, security teams within organizations have a few options for shoring up defenses against forced authentication downgrades, Stewart notes, including using the aforementioned magic and ward links.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 02 Jul 2024 22:10:10 +0000