Attackers have increasingly turned to Adversary-in-the-Middle (AitM) phishing attacks. Despite the wide adoption of passkeys by major technology companies, Joe Stewart of eSentire has identified weaknesses in how online platforms implement them, showing that users remain susceptible to these attacks.
Passkeys, designed as a robust alternative to passwords, fall short when improperly implemented. Attackers exploit this by manipulating the login flow: the proxied login page simply omits the passkey option, forcing users to fall back to less secure methods whose credentials can be relayed. This was demonstrated with Evilginx, an open-source MitM (AitM) phishing tool, against platforms such as GitHub.
The core issue is the combination of insecure backup authentication options and incomplete passkey implementation. Even when a passkey is used as a second factor, attackers can still capture credentials and access tokens through the alternative methods that remain available, which underscores the need for authentication flows that are secure end to end.
Large companies, including Microsoft, are not immune: their systems still suffer from AitM attacks because less secure fallback options remain available. Although solutions such as Microsoft's Entra ID offer some protection, consumer accounts often lack equally robust measures.
Securing passkeys effectively requires implementing them comprehensively and eliminating any insecure alternatives. Experts recommend several strategies to achieve this: design authentication flows with AitM threats in mind, assume any login session could be compromised, and conduct rigorous red team tests with tools like Evilginx. It is also vital to encourage users to register multiple passkeys, strike a balance between user experience and security, and maintain continuous monitoring with 24/7 threat detection.
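To make the two points above concrete (why a relayed passkey assertion fails, and why an insecure fallback is the real gap), here is an added example that is not from the article or from any of the platforms it names. It assumes a hypothetical relying party at `https://example.com`, a constructed proxy origin on `.invalid`, and a simple in-memory user record; the weak and hardened method policies are illustrative, not any vendor's code.

```python
import base64
import json
import secrets
from dataclasses import dataclass, field

RP_ORIGIN = "https://example.com"      # hypothetical relying party origin
PHISHING_RESISTANT = {"passkey"}        # methods bound to the origin by the browser


@dataclass
class User:
    name: str
    methods: set = field(default_factory=set)  # e.g. {"passkey", "password", "totp"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> str:
    return b64url(secrets.token_bytes(32))


def make_client_data(origin: str, challenge: str) -> str:
    """Build a WebAuthn clientDataJSON as the browser would (constructed sample)."""
    doc = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url(json.dumps(doc).encode())


def verify_client_data(client_data_b64: str, expected_challenge: str) -> bool:
    """Checks a relying party must make on clientDataJSON. The browser fills in
    the origin the user actually visited, so an assertion captured through a
    reverse proxy on another domain carries the proxy's origin and is rejected."""
    padded = client_data_b64 + "=" * (-len(client_data_b64) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == RP_ORIGIN
            and data.get("challenge") == expected_challenge)


def allowed_methods_weak(user: User) -> set:
    """Weak policy: every enrolled method is offered at login. A proxy that hides
    the passkey button can steer the user to password + OTP, which it can relay."""
    return set(user.methods)


def allowed_methods_hardened(user: User) -> set:
    """Hardened policy: once a passkey is enrolled, only phishing-resistant methods
    are accepted at login; the others are reserved for a separate recovery flow."""
    if user.methods & PHISHING_RESISTANT:
        return user.methods & PHISHING_RESISTANT
    return set(user.methods)
```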
Educating users about passkeys and their secure use is imperative for establishing an AitM-resistant system, paving the way for a safer digital environment.