Security researchers at SquareX, an enterprise browser security firm, have revealed a method that allows attackers to bypass passkey-based authentication and impersonate users.
Passkeys are designed as a more secure alternative to passwords, leveraging private keys stored directly on a user’s device. Users can authenticate using PINs, facial recognition, or fingerprint scans. Tech giants like Microsoft, Amazon, and Google have increasingly promoted passkeys as a phishing-resistant authentication method, since fake websites cannot trick users into revealing their credentials.
However, at DEF CON 2025, SquareX researchers demonstrated that under certain conditions, passkeys can be circumvented—not by breaking their underlying cryptography, but by exploiting vulnerabilities in the browser environment to manipulate the WebAuthn process.
How the Attack Works
The attack targets WebAuthn, the standard API that enables passkey authentication on websites and applications. Attackers can forge both the registration and login processes by injecting JavaScript that hijacks the WebAuthn API. This allows them to impersonate the user and bypass passkey security, even in cases where Face ID or other biometric methods are in use, without needing access to the physical device.
To execute the attack, a threat actor must either:
- Convince the victim to install a malicious browser extension, often disguised as a legitimate or helpful tool.
- Exploit a client-side vulnerability on the target website, such as an XSS bug, that allows for JavaScript injection.
Once the malicious code is in place, the attacker can manipulate the passkey registration and authentication flows. For example, if a user has already registered a passkey, the attacker can restart the registration process or force the victim to revert to password-based authentication to obtain their credentials.
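A defensive check in the spirit of this finding, added here as an example (it is not SquareX's code and does not reproduce their technique): before starting a WebAuthn ceremony, a relying-party page can verify that `navigator.credentials.create` and `navigator.credentials.get` are still the browser's native implementations rather than script-supplied replacements. The function names `isNativeFunction` and `auditWebAuthnApi`, and the navigator-like objects it accepts for testing, are assumptions of this example.

```javascript
// Added example, not from the original article. Injected scripts that hijack
// passkey flows have to replace the WebAuthn entry points with JavaScript
// functions; engine-provided functions stringify to "... { [native code] }",
// so a page can audit those entry points before it calls them.

// Capture Function.prototype.toString as early as possible, so a later script
// that patches toString itself cannot trivially fool our inspection.
const nativeToString = Function.prototype.toString;

// True when fn looks like an engine-provided function. Heuristic: a bound
// function also stringifies as native, and a script that ran before us may
// have replaced nativeToString already, so treat this as defence in depth.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  let src;
  try {
    src = nativeToString.call(fn);
  } catch (e) {
    return false; // Proxy traps and exotic objects throw here; treat as tampered
  }
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Audit the WebAuthn surface of a navigator-like object and return a list of
// findings (empty when everything looks intact). `nav` is a parameter so the
// check can be exercised against constructed objects outside a browser.
function auditWebAuthnApi(nav) {
  const findings = [];
  const creds = nav && nav.credentials;
  if (!creds) {
    findings.push('navigator.credentials: missing');
    return findings;
  }
  for (const method of ['create', 'get']) {
    const fn = creds[method];
    if (typeof fn !== 'function') {
      findings.push(`navigator.credentials.${method}: missing`);
    } else if (!isNativeFunction(fn)) {
      findings.push(`navigator.credentials.${method}: overridden by script`);
    }
  }
  return findings;
}

// In a browser, run this before navigator.credentials.create()/get() and refuse
// to start the ceremony (or report to the server) when findings is non-empty.
if (typeof navigator !== 'undefined' && navigator.credentials) {
  const findings = auditWebAuthnApi(navigator);
  console.log(findings.length ? findings : ['WebAuthn API appears intact']);
}
```

Because a malicious extension can run before page scripts and patch `Function.prototype.toString` too, this client-side check complements rather than replaces server-side validation of the `clientDataJSON` origin and challenge in every registration and assertion response.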
As Shourya Pratap Singh, Principal Software Engineer at SquareX, explains:
“For victims, it is sufficient to visit the website where they log in using passkeys with the malicious extension installed, or simply visit a website vulnerable to client-side injection (e.g., XSS). No further user interaction is required beyond the normal login or registration process.”
This research highlights that while passkeys improve security against phishing, the browser environment and client-side vulnerabilities remain critical points of attack. Organizations and users alike must remain vigilant and ensure browser extensions are trusted and web applications are protected against XSS and similar exploits.
Source: https://www.securityweek.com/passkey-login-bypassed-via-webauthn-process-manipulation