Recent warnings from the FIDO Alliance and Yubico have highlighted the security risks of deploying synchronized passkeys in organizational environments. Although these credentials are convenient for users because they are synchronized through cloud services like iCloud or Google Cloud, they also significantly expand the attack surface, increasing exposure to man-in-the-middle attacks and phishing techniques.
Passkeys: the double-edged sword
Researchers have demonstrated that a compromised browser environment can manipulate WebAuthn registration and login flows without breaking the cryptography behind passkeys. This is achieved through malicious extensions or by exploiting existing vulnerabilities, which allow an attacker to inject code or hijack the authentication process. The security of the deployment is undermined in particular when a malicious proxy intercepting the communication induces the user to fall back to weaker authentication methods, such as SMS or OTP codes.
In contrast, device-bound passkeys, which generally rely on secure hardware for key generation and use, give organizations tighter control over device signals and credential lifecycle management. This not only strengthens security but also lets organizations audit their authentication systems more effectively.
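A relying party can enforce the device-bound policy described above and surface proxy-based downgrade attempts by inspecting what the browser and authenticator actually return at registration. The example below is added here and is not code from the FIDO Alliance, Yubico or the cited researchers; it parses the WebAuthn authenticator data, checks the Backup Eligible (BE) and Backup State (BS) flags that distinguish a synced passkey from a device-bound one, and verifies that the origin and RP ID hash match the expected site. The RP ID `login.example.com`, the look-alike origin, the challenge and the authenticator-data bytes are constructed for illustration, not captured from a real authenticator.

```python
import base64
import hashlib
import json
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bit positions of the WebAuthn authenticator-data flags byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible: the key may be synced to other devices
FLAG_BS = 0x10  # Backup State: the key is currently backed up
FLAG_AT = 0x40  # Attested credential data follows the header


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse rpIdHash (32) | flags (1) | signCount (4, big-endian) and, if AT
    is set, aaguid (16) | credIdLen (2) | credId. The COSE public key that
    follows is not needed for the policy checks and is left unparsed."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("truncated credential id")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def evaluate_registration(auth_data: bytes, client_data_json: bytes, rp_id: str,
                          expected_origin: str, expected_challenge: bytes) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); an empty reason list means the credential
    satisfies a device-bound-only policy."""
    reasons: List[str] = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.create":
        reasons.append("unexpected ceremony type")
    # The browser records the origin it really talked to, so a credential
    # minted through a proxy on a look-alike domain fails here.
    if client.get("origin") != expected_origin:
        reasons.append(f"origin mismatch: {client.get('origin')!r}")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        reasons.append("challenge mismatch")
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash does not match RP ID")
    if not ad.flags & FLAG_UP:
        reasons.append("user presence not asserted")
    if not ad.flags & FLAG_UV:
        reasons.append("user verification not performed")
    # A synced passkey advertises BE (and usually BS); a key that never
    # leaves its secure hardware has both bits clear.
    if ad.flags & (FLAG_BE | FLAG_BS):
        reasons.append("backup-eligible credential rejected by device-bound policy")
    return (not reasons, reasons)


# --- Constructed sample input (assumed values, not from a real device) ---
RP_ID = "login.example.com"
ORIGIN = "https://login.example.com"
CHALLENGE = b"constructed-challenge-not-random"  # real RPs use os.urandom(32)


def build_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    cred_id = b"constructed-credential-id"
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT])
            + struct.pack(">I", sign_count) + b"\x00" * 16  # placeholder AAGUID
            + struct.pack(">H", len(cred_id)) + cred_id)


def build_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.create", "origin": origin,
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()


if __name__ == "__main__":
    cases = {
        "device-bound": (build_auth_data(RP_ID, FLAG_UP | FLAG_UV), build_client_data(ORIGIN, CHALLENGE)),
        "synced passkey": (build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS), build_client_data(ORIGIN, CHALLENGE)),
        "look-alike proxy": (build_auth_data("login-example.com", FLAG_UP | FLAG_UV), build_client_data("https://login-example.com", CHALLENGE)),
    }
    for name, (ad, cd) in cases.items():
        print(name, evaluate_registration(ad, cd, RP_ID, ORIGIN, CHALLENGE))
```

The BE/BS check is the enforcement point for the device-bound recommendation: an RP that does not read those flags accepts synced and hardware-bound credentials alike. The origin and rpIdHash checks are standard WebAuthn verification, kept here because they are what makes a proxied registration visible in the RP's logs rather than silently accepted.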

Therefore, both the FIDO Alliance and Yubico recommend that companies reconsider deploying synchronized passkeys and opt instead for device-bound solutions that provide stronger protection. The convenience of synchronized passkeys should not come at the cost of access security in business environments.