Passkeys Via AitM Phishing Attacks

Attackers rely on phishing because it is a highly effective, low-cost way to deceive users into revealing sensitive information.

Despite the recent surge in passkey adoption by large tech firms, Joe Stewart of eSentire discovered that several online platforms remain susceptible to Adversary-in-the-Middle (AitM) phishing attacks even when they support passkeys.


The weakness stems from how fallback options are implemented, mainly from keeping insecure backup authentication methods in place.

Attackers can take advantage of this situation by tampering with login processes to eliminate passkey references, causing users to rely on insecure authentication methods.

To keep passkeys safe, online services must implement them properly and remove their less secure counterparts completely.

Attack chain (Source – eSentire)

A demonstration using Evilginx, an open-source Man-in-the-Middle (MitM) tool, showed that attackers can bypass passkey security on platforms like GitHub.

Threat actors can remove passkey options in login pages and force users to rely on weak authentication methods.

They can still capture credentials and access tokens by using alternative authentication methods, even when passkeys are used as a second factor.

This vulnerability underscores the importance of implementing second-factor authentication properly and eliminating less secure alternatives to ensure robust protection against AitM phishing attacks.

Most passkey implementations by big companies like Microsoft are still exposed to Adversary-in-the-Middle (AitM) attacks because they do not restrict their authentication methods.

Users are not very familiar with passkeys, and fallback options are less secure.

Passkey authentication flow (Source – eSentire)

Although offerings such as Microsoft’s Entra ID for businesses do afford some protection through Conditional Access policies, user accounts in the consumer space often lack robust security measures. 

However, this can complicate account recovery, since a device may fail and its passkey be lost with it. Password managers can help in part, but they introduce another security dependency.

To build a passkey system that is actually AitM-resistant, less secure alternatives must be eliminated and users must be educated about how to use passkeys.

Many of the backup verification approaches currently used for passkey-protected accounts compromise security.

Social recovery and document verification could be resistant to AitM if done right, but they are impractical and have their inherent dangers.


The recommendations are:

  • Design authentication flows with AitM attack awareness.
  • Treat all login sessions as potentially compromised.
  • Red-team authentication flows using tools like Evilginx.
  • Encourage multiple passkey registrations per user.
  • Offer passwordless options with sufficient passkeys.
  • Balance UX and security in login and recovery processes.
  • Consider a second passkey as the alternative authentication method.
  • Implement UEBA for phished credential detection.
  • Use 24/7 MDR for continuous protection and threat mitigation.
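
One way to approach the UEBA recommendation above, as an added example (not code from eSentire or the original article): flag a successful fallback login by a passkey-enrolled user from an address not seen before for that account, which is how a stripped passkey option followed by a proxied login appears in authentication logs. The event fields, method labels and sample events are constructed assumptions.

```python
from collections import defaultdict

WEAK_METHODS = {"password", "password+totp", "password+sms"}  # assumed method labels

# Constructed sample events (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": 1, "user": "alice", "event": "passkey_registered", "ip": "198.51.100.7"},
    {"ts": 2, "user": "alice", "event": "login_ok", "method": "passkey", "ip": "198.51.100.7"},
    {"ts": 3, "user": "bob", "event": "login_ok", "method": "password+totp", "ip": "203.0.113.20"},
    {"ts": 4, "user": "alice", "event": "login_ok", "method": "password+totp", "ip": "192.0.2.55"},
    {"ts": 5, "user": "alice", "event": "login_ok", "method": "password+totp", "ip": "198.51.100.7"},
    {"ts": 6, "user": "alice", "event": "login_ok", "method": "passkey", "ip": "192.0.2.99"},
]


def flag_passkey_downgrades(events):
    """Return alerts for passkey-enrolled users who log in with a weaker
    method from a source address not previously seen for that user."""
    enrolled = set()              # users with at least one registered passkey
    known_ips = defaultdict(set)  # user -> addresses seen on earlier trusted events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == "passkey_registered":
            enrolled.add(user)
        elif ev["event"] == "login_ok":
            # A passkey login is origin-bound, so only fallback methods are scored.
            downgraded = user in enrolled and ev["method"] in WEAK_METHODS
            if downgraded and ip not in known_ips[user]:
                alerts.append({"ts": ev["ts"], "user": user, "ip": ip,
                               "method": ev["method"],
                               "reason": "fallback login by passkey user from new address"})
                continue  # do not learn the address from a suspicious session
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in flag_passkey_downgrades(SAMPLE_EVENTS):
        print(alert)
```

An alert here is a signal for step-up or session review, not proof of compromise; users who travel or change networks will also trigger it.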

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.