A recent investigation by Proofpoint security researchers has revealed a serious weakness in how passkey-based authentication is deployed, raising concerns over the level of phishing protection it actually provides.
Passkeys, built on the FIDO2 standard, replace passwords with a cryptographic key pair that the user unlocks locally with a fingerprint, facial scan or device PIN, and they are widely promoted as a more secure, phishing-resistant alternative. The research shows, however, that attackers do not need to break the passkey itself: by exploiting gaps in passkey support across devices and browsers, they can push users back onto traditional, phishable sign-in methods.
According to the report, the core issue is inconsistent passkey support across platforms. For instance, a user attempting to log in to a Microsoft account with Safari on Windows will not be offered a passkey. An attacker can reproduce this scenario on demand by presenting a spoofed, unsupported user agent to the service, which then falls back to offering a password and conventional multi-factor authentication (MFA), the very methods a phishing proxy is able to relay.
Using a customized phishing-kit configuration (known as a "phishlet"), the researchers demonstrated how this downgrade can be weaponized. The attack begins with a malicious link delivered through common vectors such as email or text message. When the user clicks the link, they encounter a fabricated error and are prompted to select an alternative sign-in method.
Choosing another method, such as entering a password or approving an authenticator-app prompt, hands the attacker both the credentials and the resulting session cookie. With the session cookie in hand, the attacker can replay it to hijack the session and gain full access to the account without having to reauthenticate.
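The downgrade described above turns on one attacker-controlled input: the User-Agent header the service sees. The following is an added illustration, not Proofpoint's phishlet or Microsoft's sign-in logic, and it is deliberately simplified. It models a service that decides which sign-in methods to offer from the user agent (the weak policy), shows how a phishing proxy that rewrites that header forces the password fallback even though the victim's real browser supports passkeys, and contrasts it with a policy that ignores the user agent and refuses to offer phishable methods to passkey-enrolled accounts. The `Account` fields, the method names and the `allow_password_fallback` flag are assumptions introduced for the example.

```python
"""Added example: user-agent based capability gating as a downgrade vector.

Not code from the original article. The capability check below only models
the one case the article cites (Safari on Windows is treated as unable to
use a passkey); real services use richer signals, but the User-Agent header
remains something the phishing proxy, not the victim, controls.
"""
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    has_passkey: bool
    # Hypothetical per-account policy switch: when False, a passkey-enrolled
    # account is never offered a password or OTP fallback.
    allow_password_fallback: bool = True


def supports_webauthn(user_agent: str) -> bool:
    """Toy capability check driven purely by the User-Agent header.

    Chrome and Edge on Windows also advertise the "Safari" token, so the
    check excludes them; only a bare Safari-on-Windows string is treated as
    unsupported, mirroring the article's example.
    """
    ua = user_agent.lower()
    if "safari" in ua and "windows" in ua and "chrome" not in ua:
        return False
    return True


def offered_methods_weak(account: Account, user_agent: str) -> list[str]:
    """Weak policy: offer a passkey only if the UA looks capable, and always
    keep password and OTP available as fallbacks."""
    methods = []
    if account.has_passkey and supports_webauthn(user_agent):
        methods.append("passkey")
    methods += ["password", "otp"]
    return methods


def offered_methods_hardened(account: Account, user_agent: str) -> list[str]:
    """Hardened policy: a passkey-enrolled account with fallback disabled is
    offered the passkey only, no matter what the user agent claims."""
    if account.has_passkey and not account.allow_password_fallback:
        return ["passkey"]
    return offered_methods_weak(account, user_agent)


def aitm_forward(victim_headers: dict, spoofed_ua: str) -> dict:
    """What an adversary-in-the-middle proxy sends upstream: the victim's
    request with the User-Agent replaced by an unsupported one.

    The proxy cannot relay a passkey ceremony itself, because WebAuthn
    binds the assertion to the legitimate origin; that is exactly why it
    needs the service to stop offering the passkey.
    """
    upstream = dict(victim_headers)
    upstream["User-Agent"] = spoofed_ua
    return upstream


def downgrade_succeeds(policy, account: Account, upstream_headers: dict) -> bool:
    """True when the service, seeing the proxied request, offers only
    methods the proxy can intercept (no passkey, at least one fallback)."""
    offered = policy(account, upstream_headers["User-Agent"])
    return "passkey" not in offered and any(m != "passkey" for m in offered)


# Constructed user-agent strings (not captured traffic).
VICTIM_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")

if __name__ == "__main__":
    victim = Account("alice", has_passkey=True)
    upstream = aitm_forward({"User-Agent": VICTIM_UA, "Host": "login.example"},
                            SPOOFED_UA)
    print("weak policy offers:", offered_methods_weak(victim, upstream["User-Agent"]))
    print("downgraded under weak policy:", downgrade_succeeds(offered_methods_weak, victim, upstream))
    hardened = Account("alice", has_passkey=True, allow_password_fallback=False)
    print("hardened policy offers:", offered_methods_hardened(hardened, upstream["User-Agent"]))
    print("downgraded under hardened policy:", downgrade_succeeds(offered_methods_hardened, hardened, upstream))
```

The point of the contrast is that the hardened policy does not try to detect spoofed user agents at all; it removes the attacker's payoff by never exposing a relayable method to an account that has a passkey. A real deployment would express this as a tenant-wide authentication-strength or conditional-access rule rather than a per-account flag.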
While there is no evidence yet of this technique being exploited in the wild, the researchers warn that the weakness is significant. As long as older login methods remain active alongside passkeys, the risk persists.
Security experts emphasize that organizations should restrict or remove fallback sign-in methods for passkey-enrolled users and push for more consistent passkey support across platforms to close this loophole.
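Until fallbacks can be removed, the downgrade leaves traces that a detection team can look for. The following is an added example, not part of the original article and not a Proofpoint or Microsoft detection, that runs three heuristics over constructed sign-in and token-use events: a passkey-enrolled user authenticating with a fallback method, a user-agent string claiming Safari on Windows (the unsupported combination the article cites, which no current browser produces), and a session cookie being used from a different address and client than the sign-in that minted it, the signature of the cookie replay described above. The event field names and the `PASSKEY_ENROLLED` set are assumptions about what an identity provider's logs and directory would expose.

```python
"""Added example: triage heuristics for a passkey downgrade and cookie replay.

Not code from the original article. The log format is an assumption and
the events below are constructed, not real telemetry.
"""
import json

# Constructed sample events (not captured data). "sign_in" records the
# method used; "token_use" records a later request carrying the session.
EVENT_LOG = """
{"ts":"2025-07-01T09:00:01Z","event":"sign_in","user":"alice","method":"passkey","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","ip":"203.0.113.10","session":"s1"}
{"ts":"2025-07-01T09:05:12Z","event":"sign_in","user":"bob","method":"password+otp","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15","ip":"198.51.100.7","session":"s2"}
{"ts":"2025-07-01T09:06:30Z","event":"token_use","user":"bob","ua":"python-requests/2.32.0","ip":"192.0.2.55","session":"s2"}
{"ts":"2025-07-01T09:10:00Z","event":"sign_in","user":"carol","method":"password+otp","ua":"Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0","ip":"203.0.113.44","session":"s3"}
{"ts":"2025-07-01T09:11:02Z","event":"token_use","user":"alice","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","ip":"203.0.113.10","session":"s1"}
""".strip()

# Assumed directory export: users who have at least one passkey registered.
# Carol has none, so her password sign-in is expected and is not flagged.
PASSKEY_ENROLLED = {"alice", "bob"}


def parse_events(raw: str) -> list[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def implausible_user_agent(ua: str) -> bool:
    """Bare Safari on Windows: the combination the article's downgrade
    spoofs. Chrome and Edge also carry the Safari token, so exclude them.
    This only catches this particular spoof, not every unsupported UA."""
    lower = ua.lower()
    return "safari" in lower and "windows" in lower and "chrome" not in lower


def detect_downgrade_indicators(events: list[dict], enrolled: set[str]) -> list[tuple]:
    """Return (user, indicator, detail) triples worth an analyst's attention."""
    findings = []
    session_origin = {}  # session id -> (ip, ua) observed at sign-in
    for e in events:
        if e["event"] == "sign_in":
            session_origin[e["session"]] = (e["ip"], e["ua"])
            # A user who owns a passkey but signed in without one: either a
            # legitimate new-device flow or a forced fallback. Triage signal,
            # not proof of compromise.
            if e["user"] in enrolled and e["method"] != "passkey":
                findings.append((e["user"], "fallback_used_by_passkey_user", e["method"]))
            if implausible_user_agent(e["ua"]):
                findings.append((e["user"], "implausible_user_agent", e["ua"]))
        elif e["event"] == "token_use":
            origin = session_origin.get(e["session"])
            # Same session cookie, different client and address than the
            # sign-in that issued it: consistent with cookie replay.
            if origin and (origin[0] != e["ip"] or origin[1] != e["ua"]):
                findings.append((e["user"], "session_used_from_new_client",
                                 f"{origin[0]} -> {e['ip']}"))
    return findings


if __name__ == "__main__":
    for user, indicator, detail in detect_downgrade_indicators(parse_events(EVENT_LOG), PASSKEY_ENROLLED):
        print(f"{user:6} {indicator:32} {detail}")
```

In the sample, only bob trips the rules, and he trips all three at once, which is the combination that matters: any one of them alone has benign explanations (a new laptop, an odd browser, a roaming IP), but a fallback sign-in from an impossible client followed by the same cookie appearing from a third address is the sequence the article's attack produces. Alice's passkey sign-in and her later token use from the same client generate nothing, and carol's password sign-in is ignored because she has no passkey to be downgraded from.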