_ArtemisDiana_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop)
July 2, 2024 at 06:08PM
Many online accounts using passkey technology are still vulnerable to adversary-in-the-middle (AitM) attacks, allowing attackers to manipulate the login screen and remove passkey authentication. This discovery by security researcher Joe Stewart highlights the need for more secure authentication methods and account recovery options. Enterprises can mitigate this risk by implementing secure authentication flows and using IAM solutions to prevent authentication method redaction attacks.
Based on the meeting notes, the key takeaways are as follows:
– Passkey authentication technology for online accounts is vulnerable to adversary-in-the-middle (AitM) attacks, which can render passkeys ineffective in protecting accounts.
– Joe Stewart, principal security researcher at eSentire’s Threat Response Unit (TRU), highlights that the issue is not with passkeys themselves, but with their implementation and the lack of robust account recovery options.
– Many websites provide less-secure backup authentication methods, allowing attackers to manipulate the authentication flow and compromise accounts by removing passkey authentication options.
– Stewart demonstrated examples of how AitM attacks can be used to manipulate login pages and encourage users to choose less-secure authentication methods.
– Major platforms such as GitHub and Microsoft were found to be susceptible to these attacks, indicating a widespread issue among large retailers and cloud app providers.
– The vulnerability is not a flaw in passkey implementations but rather a result of authentication immaturity and the need for account recovery options.
– Stewart suggests that better implementations, such as using secure account recovery methods like “magic links” or “ward links,” could mitigate the risk of passkey redaction attacks.
– Enterprises can take steps to prevent compromise from passkey redaction by using conditional access policies, in-depth authentication flow configuration, and encouraging users to add multiple passkeys for account access.
Overall, the meeting notes emphasize the need for stronger authentication mechanisms and proactive measures to address the vulnerability of passkey authentication to AitM attacks.