Adversary-in-the-Middle attacks can subvert passkey protections

Hogan Lovells
Backup authentication methods create a vulnerability in passkey protection to adversary-in-the-middle attacks.


Security protections from passkey authentication can still potentially be subverted by attackers.

Passkeys are a software-based alternative to the physical hardware keys (such as a YubiKey) that companies sometimes use for authentication, and they have become an increasingly popular and promising form of user authentication. When implemented correctly, passkeys are both more convenient and more secure than many multi-factor authentication methods. However, the need for backup verification methods can still leave accounts susceptible to adversary-in-the-middle (AitM) attacks.

In an AitM phishing attack, the attacker proxies the user's login session and can manipulate the HTML that the user sees, changing the appearance of the login screen. To subvert the passkey protection, the attacker removes the option to authenticate via passkey and forces the user to fall back to a backup method. Most backup verification methods are vulnerable to AitM attacks because the code or password is entered into the attacker-controlled session, where the attacker can capture the user's credentials.
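The contrast the paragraph above draws can be shown in code. The following is an added example written for this page, not code from the article or from any vendor. It models the relying-party checks that make a passkey assertion fail when it is produced on a lookalike page (the browser, not the page script, writes the page's origin into clientDataJSON, and the signature covers that field), next to a one-time code, which carries no origin and therefore verifies wherever it was typed. The origins, the code value, and the use of an HMAC as a stand-in for the passkey's public-key signature are all assumptions made so the example runs offline with the standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values for the example; not from any real deployment.
RP_ORIGIN = "https://login.example.com"              # the genuine relying party
LOOKALIKE_ORIGIN = "https://login.example-com.net"   # the page the victim is actually viewing
AUTHENTICATOR_KEY = secrets.token_bytes(32)          # hypothetical stand-in for the passkey's private key


def authenticator_sign(client_data_json: bytes) -> bytes:
    """Stand-in for the authenticator's signature.

    A real passkey signs authenticatorData || SHA-256(clientDataJSON) with a
    private key that never leaves the device. An HMAC over the same hash is
    used here so the example runs with the standard library only; the
    property that matters is identical: altering clientDataJSON afterwards
    invalidates the signature.
    """
    return hmac.new(AUTHENTICATOR_KEY, hashlib.sha256(client_data_json).digest(), "sha256").digest()


def browser_make_assertion(page_origin: str, challenge: str) -> dict:
    """Model of the browser's side of navigator.credentials.get().

    The browser, not the page script and not any proxy in between, writes the
    origin of the page that invoked WebAuthn into clientDataJSON.
    """
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    return {"clientDataJSON": client_data_json, "signature": authenticator_sign(client_data_json)}


def rp_verify_assertion(assertion: dict, issued_challenge: str, expected_origin: str) -> tuple:
    """Relying-party checks, reduced to the ones relevant to AitM.

    Returns (accepted, reason).
    """
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != issued_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    expected = authenticator_sign(assertion["clientDataJSON"])
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def rp_verify_otp(submitted_code: str, expected_code: str) -> bool:
    """A one-time code carries no information about where it was typed."""
    return hmac.compare_digest(submitted_code, expected_code)


def genuine_passkey_login() -> tuple:
    """User is on the real origin: the assertion verifies."""
    challenge = secrets.token_urlsafe(16)
    return rp_verify_assertion(browser_make_assertion(RP_ORIGIN, challenge), challenge, RP_ORIGIN)


def relayed_passkey_login() -> tuple:
    """User is on a lookalike page; the genuine challenge is relayed unchanged,
    but the browser stamps the lookalike origin, so the relying party refuses."""
    challenge = secrets.token_urlsafe(16)
    return rp_verify_assertion(browser_make_assertion(LOOKALIKE_ORIGIN, challenge), challenge, RP_ORIGIN)


def relayed_passkey_login_origin_edited() -> tuple:
    """Shows that the signature binds the origin: if clientDataJSON is edited
    in transit to read as the genuine origin, the signature no longer matches."""
    challenge = secrets.token_urlsafe(16)
    assertion = browser_make_assertion(LOOKALIKE_ORIGIN, challenge)
    edited = dict(assertion)
    edited["clientDataJSON"] = assertion["clientDataJSON"].replace(
        LOOKALIKE_ORIGIN.encode(), RP_ORIGIN.encode()
    )
    return rp_verify_assertion(edited, challenge, RP_ORIGIN)


def relayed_otp_login() -> bool:
    """The same code typed into a lookalike page and forwarded verbatim verifies."""
    code_from_authenticator_app = "482913"   # constructed sample value
    return rp_verify_otp(code_from_authenticator_app, "482913")


if __name__ == "__main__":
    print("genuine passkey:", genuine_passkey_login())
    print("relayed passkey:", relayed_passkey_login())
    print("relayed passkey, origin edited:", relayed_passkey_login_origin_edited())
    print("relayed one-time code:", relayed_otp_login())
```

The point for a defender is the asymmetry in the last two functions: the passkey ceremony fails on origin or signature before any credential is usable elsewhere, whereas the one-time code verifies because the server has no way to know it was typed into a relayed page. Any backup method with that second property inherits the weakness the article describes.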

The option to use a less secure backup method of authentication can be a practical necessity for most organizations in case devices get lost or reset. Given that constraint, passkeys do not fully eliminate the vulnerability to AitM attacks.

Still, organizations can take measures to reduce this risk. One potential method is using conditional access policies to allow login only via compliant devices, but not every organization’s infrastructure will accommodate this configuration. The most secure method is to have users set up a second set of passkeys as the backup authentication method, but this may prove challenging to implement given users’ lack of familiarity with passkeys.

Magic links are likely the most user-friendly and protective backup verification method currently available. A magic link resists AitM attacks because it makes the user "break out" of the attacker-controlled session and start a new login session that the attacker cannot interfere with. Organizations can bolster the security of these magic links with additional features such as allowing login only from previously authenticated IP addresses.
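The "break out" property and the IP restriction described above can be made concrete. The following is an added example for this page, not code from the article or from any identity product. It issues a single-use, short-lived magic link whose token is only ever sent out of band, stores just a hash of the token, and authenticates a brand-new session for the browser that opens the link; the session in which the login form was submitted is never elevated. The URL, the time-to-live, the user name, and the IP addresses are constructed for the example.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 600   # constructed policy value


class MagicLinkService:
    """Issues and redeems single-use magic links.

    The session in which the login form was submitted never becomes
    authenticated. Only the browser that opens the link, on the genuine
    origin, receives a new authenticated session.
    """

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}    # sha256(token) -> {"user": ..., "expires": ...}
        self.sessions = {}   # session id -> {"user": ..., "authenticated": bool}
        # Constructed: IP addresses seen at earlier successful logins for each user.
        self.known_ips = {"alice": {"203.0.113.10"}}

    def start_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def request_link(self, user: str) -> str:
        """Mint a token for the user and return the link to send out of band.

        Only the hash of the token is stored, so a copy of the pending table
        does not yield usable links. The caller's session receives only an
        acknowledgement, never the token.
        """
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = {"user": user, "expires": self.now() + LINK_TTL_SECONDS}
        return "https://login.example.com/magic?token=" + token   # hypothetical URL

    def redeem_link(self, token: str, client_ip: str):
        """Called when a browser opens the link on the genuine origin.

        Returns a fresh authenticated session id, or None on any failure.
        A token is consumed by its first redemption attempt, successful or not.
        """
        record = self.pending.pop(self._key(token), None)
        if record is None or record["expires"] < self.now():
            return None
        # Optional hardening the article mentions: accept only addresses seen
        # at previous authenticated logins.
        if client_ip not in self.known_ips.get(record["user"], set()):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": record["user"], "authenticated": True}
        return sid

    def is_authenticated(self, session_id) -> bool:
        session = self.sessions.get(session_id)
        return bool(session and session["authenticated"])

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def walkthrough() -> tuple:
    """Submit the form in one session, open the link in another.

    Returns (form session authenticated?, link session authenticated?,
    result of a second redemption of the same token).
    """
    svc = MagicLinkService()
    form_session = svc.start_session()          # where the e-mail address was typed; may be a relayed page
    link = svc.request_link("alice")
    token = link.split("token=", 1)[1]
    link_session = svc.redeem_link(token, "203.0.113.10")    # user opens the e-mailed link directly
    second_attempt = svc.redeem_link(token, "203.0.113.10")  # single use: already consumed
    return svc.is_authenticated(form_session), svc.is_authenticated(link_session), second_attempt


if __name__ == "__main__":
    print(walkthrough())   # (False, True, None)
```

Two design choices carry the security argument. First, the form session is never tied to the token, so nothing the page that collected the e-mail address can observe turns into an authenticated session; the new session is created only where the link is opened. Second, the IP check is implemented as a deny-by-default against addresses from prior authenticated logins, which is the feature the article suggests; deployments with mobile or roaming users will need to weigh the lockout risk that check introduces.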

Ultimately, each organization will need to find an appropriate balance between resisting AitM attacks and promoting a user-friendly experience.

Summer associate Zeke Tobin contributed to this article.



© Hogan Lovells | Attorney Advertising
