GitHub, Microsoft Passkey Vulnerabilities Exposed 

Adversary-in-the-middle (AitM) attacks are exposing vulnerabilities in passkey authentication by stripping passkey options from login pages. That forces users to rely on less secure authentication methods, making their accounts susceptible to compromise. Joe Stewart from eSentire’s Threat Response Unit highlights that the problem lies not in the passkeys themselves but in their implementation and the need for account recovery options. Attackers can manipulate login screens to remove the passkey option, leaving users with insecure alternatives that are easily intercepted.

The vulnerability impacts various platforms, including GitHub and Microsoft. In a proof-of-concept attack, Stewart demonstrated how attackers could use Evilginx AitM software to alter a GitHub login page, effectively removing the passkey option and forcing users to input their credentials. Even Microsoft’s new “passwordless” option isn’t immune, as it relies on the Microsoft Authenticator app, which is still vulnerable to AitM attacks.
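To make the distinction the article draws concrete (the passkey ceremony itself resists relay, while the password fallback does not), here is an added illustration in Python. It is not code from the article, eSentire, GitHub or Microsoft; the origins, challenge and account records are constructed, and only the clientDataJSON checks of a WebAuthn relying party are shown (a full verifier also checks the rpIdHash in authenticatorData and the signature over it). It goes a step beyond the text by adding a policy layer that refuses a silent downgrade to password-only login for a passkey-enrolled account, which is one way an implementation can close the gap the article describes.

```python
"""Added example: why a passkey assertion relayed through an AitM proxy fails
relying-party checks, and why a password submitted through the same proxy does not.
Not code from the article or from any service it names."""
import base64
import hmac
import json

# Constructed sample values: a hypothetical relying-party origin, a proxy origin,
# and a fixed challenge the relying party issued for this login session.
EXPECTED_ORIGIN = "https://accounts.example"
PHISHING_ORIGIN = "https://accounts-example.invalid"
CHALLENGE = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # base64url without padding, as WebAuthn encodes it
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: str = CHALLENGE) -> str:
    """Build clientDataJSON the way a browser does: 'origin' is the page the user
    is actually on, so an assertion made on a proxy page carries the proxy origin."""
    data = {"type": "webauthn.get", "challenge": challenge,
            "origin": origin, "crossOrigin": False}
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_client_data(client_data_b64: str, expected_origin: str, expected_challenge: str):
    """Relying-party checks on clientDataJSON. Returns (ok, reason)."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        return False, "clientDataJSON is not base64url-encoded JSON"
    if not isinstance(data, dict):
        return False, "clientDataJSON is not a JSON object"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type %r" % data.get("type")
    got = str(data.get("challenge", "")).encode()
    if not hmac.compare_digest(got, expected_challenge.encode()):
        return False, "challenge mismatch (replayed or foreign session)"
    if data.get("origin") != expected_origin:
        # This is the check that defeats a relayed passkey: the browser bound the
        # assertion to the phishing origin, not to the real service.
        return False, "origin mismatch: assertion was made for %r" % data.get("origin")
    return True, "assertion bound to expected origin and challenge"


def decide_login(account: dict, submission: dict, allow_downgrade: bool):
    """Policy layer (hypothetical). `account` carries passkey_enrolled; `submission`
    carries client_data (a passkey assertion, or None) and password_ok (the result
    of a password check). Returns (allowed, reason)."""
    client_data = submission.get("client_data")
    if client_data is not None:
        ok, reason = check_client_data(client_data, EXPECTED_ORIGIN, CHALLENGE)
        return ok, "passkey: " + reason
    # No passkey assertion: the path a page with the passkey option stripped leads to.
    if account["passkey_enrolled"] and not allow_downgrade:
        return False, "password-only login refused: account has a passkey enrolled"
    if submission.get("password_ok"):
        return True, "password accepted (phishable: a proxy can relay this unchanged)"
    return False, "password rejected"


if __name__ == "__main__":
    acct = {"passkey_enrolled": True}
    print(decide_login(acct, {"client_data": make_client_data(EXPECTED_ORIGIN)}, False))
    print(decide_login(acct, {"client_data": make_client_data(PHISHING_ORIGIN)}, False))
    print(decide_login(acct, {"client_data": None, "password_ok": True}, True))
    print(decide_login(acct, {"client_data": None, "password_ok": True}, False))
```

Running the four cases shows the genuine assertion accepted, the relayed one rejected on origin, the password accepted under a permissive policy, and the same password refused once the policy treats a passkey-enrolled account as passkey-only. The last case is the point: the downgrade is a policy decision of the implementation, which is where the article locates the weakness.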