Adversary-in-the-middle (AitM) attacks are being used to bypass passkey authentication. By stripping the passkey option from the login pages they proxy, attackers force users back onto less secure sign-in methods and leave their accounts open to compromise. Joe Stewart of eSentire's Threat Response Unit points out that the weakness lies not in the passkeys themselves but in how they are deployed: services keep a password or other phishable fallback for account recovery, and an attacker who controls what the victim sees on the login screen can remove the passkey option, leaving the user with only those fallback methods, whose credentials the AitM proxy can intercept.
The problem affects a range of platforms, GitHub and Microsoft among them. In a proof-of-concept attack, Stewart used the Evilginx AitM toolkit to rewrite a proxied GitHub login page so that the passkey option never appeared, forcing the victim to type a username and password that the proxy captured. Even Microsoft's new "passwordless" option is not immune: it relies on the Microsoft Authenticator app, whose sign-in flow remains susceptible to AitM attacks.
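The following Python is an added illustration of the two sides of the problem described above; it is not code from the article, from eSentire, or from Evilginx. It models the proxy's rewrite step that removes the passkey option from a page, and then the relying-party check on WebAuthn's clientDataJSON that explains why the attacker has to do that rather than relay a passkey login. The login-page markup, the origins, the challenge value and the `assess_login` fallback policy are all constructed for the example; the rewrite uses plain regex substitutions rather than any real proxy configuration.

```python
import base64
import json
import re

# Constructed sample markup standing in for a login page that offers both a
# password form and a passkey (WebAuthn) button. It is not GitHub's real HTML.
LOGIN_PAGE = """<form action="/session" method="post">
  <label>Username</label><input name="login">
  <label>Password</label><input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
<div class="login-callout">
  <button id="passkey-signin" data-webauthn="conditional">Sign in with a passkey</button>
</div>
<script src="/assets/webauthn-conditional.js"></script>
"""

# Hypothetical origins: the genuine relying party and the attacker's proxy host.
LEGIT_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://github.com.login-check.example"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as WebAuthn encodes the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def strip_passkey_ui(html: str) -> str:
    """Model of the AitM rewrite step.

    A reverse proxy between victim and site edits the page before it reaches
    the browser: the passkey button and the script that would start the
    WebAuthn ceremony are removed, so only the password form is left. Regex
    substitutions are used here to keep the example self-contained; this is
    not Evilginx code.
    """
    html = re.sub(r'<div class="login-callout">.*?</div>\s*', "", html, flags=re.S)
    html = re.sub(r'<script src="/assets/webauthn[^"]*"></script>\s*', "", html)
    return html


def has_passkey_option(html: str) -> bool:
    """True if the page as delivered still lets the user choose a passkey."""
    return "webauthn" in html.lower()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as a browser builds it for a passkey assertion.

    The browser records the origin of the page actually running the ceremony.
    A victim on the proxy host would therefore produce PHISH_ORIGIN here, and
    the credential scoped to the real site would not even be offered for that
    RP ID. This is why the attacker removes the option instead of relaying it.
    """
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def verify_client_data(client_data_json: bytes, expected_origin: str,
                       expected_challenge: bytes) -> bool:
    """Relying-party check of type, origin and challenge in clientDataJSON.

    The authenticator's signature covers a hash of clientDataJSON, so an
    assertion produced on the phishing origin fails this check even if the
    proxy relays it byte-for-byte.
    """
    data = json.loads(client_data_json)
    return (
        data.get("type") == "webauthn.get"
        and data.get("origin") == expected_origin
        and data.get("challenge") == b64url(expected_challenge)
    )


def assess_login(method_used: str, account_has_passkey: bool) -> str:
    """Hypothetical relying-party policy showing where the weakness sits.

    If an account has a passkey enrolled, a password login on it is a downgrade
    that should not be accepted silently; the fallback path is what the AitM
    proxy actually exploits.
    """
    if method_used == "passkey":
        return "allow"
    if account_has_passkey:
        return "downgrade: require step-up or deny"
    return "allow"  # no passkey enrolled, so password is the only method anyway


if __name__ == "__main__":
    proxied = strip_passkey_ui(LOGIN_PAGE)
    print("passkey option on genuine page:", has_passkey_option(LOGIN_PAGE))
    print("passkey option on proxied page:", has_passkey_option(proxied))
    chal = b"\x01\x02\x03\x04"
    print("assertion from real origin verifies:",
          verify_client_data(make_client_data(LEGIT_ORIGIN, chal), LEGIT_ORIGIN, chal))
    print("assertion from proxy origin verifies:",
          verify_client_data(make_client_data(PHISH_ORIGIN, chal), LEGIT_ORIGIN, chal))
    print("password login on passkey account:", assess_login("password", True))
```

The two halves together make the article's point: the origin check in `verify_client_data` is what keeps passkeys themselves phishing-resistant, so the proxy's only move is `strip_passkey_ui`, and the account is then only as strong as whatever `assess_login` does with the password fallback.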