How Attackers Bypass Synced Passkeys

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/10/how-attackers-bypass-synced-passkeys.html

ONE SENTENCE SUMMARY:

Synced passkeys pose significant security risks for enterprises, emphasizing the need for device-bound credentials and phishing-resistant authentication methods.

MAIN POINTS:

  1. Synced passkeys increase enterprise risk because they are only as secure as the cloud account that stores them.
  2. Adversary-in-the-middle attacks can circumvent strong authentication by downgrading the login to a weaker fallback method.
  3. Malicious browser extensions can hijack WebAuthn requests, undermining passkey security.
  4. Device-bound passkeys provide higher security assurance than synced ones.
  5. Synced passkeys expand the attack surface: a takeover of the syncing account, or abuse of its recovery flow, exposes every passkey in it.
  6. Fallback authentication methods are susceptible to social engineering and should be eliminated.
  7. Continuous authentication is necessary to maintain security throughout a session, not only at login.
  8. Strict browser and extension policies must be enforced to mitigate these threats.
  9. High-assurance authenticators should be the basis for enrollment and recovery processes.
  10. The architecture must include device-bound credentials and universal endpoint hygiene.
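As an added example (this code is not from the article or from The Hacker News), the following Python shows how a relying party can act on points 4 and 10 above: it parses the WebAuthn authenticator data returned during registration or assertion, reads the Backup Eligible (BE) and Backup State (BS) flags that WebAuthn Level 3 defines, and rejects syncable passkeys when a device-bound policy is in force. The `rp_id`, flag values and sample authenticator data are constructed locally for the demonstration; the flag bit positions and the 37-byte header layout are those of the WebAuthn specification.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

# Flag bits of the WebAuthn authenticator data "flags" byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    # A BS bit without BE is not a valid combination per the spec.
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("invalid flags: backed up but not backup eligible")
    return AuthData(rp_id_hash, flags, sign_count)


def classify_credential(auth: AuthData) -> str:
    """Device-bound credentials never set BE; synced ones set BE (and BS once uploaded)."""
    if not auth.backup_eligible:
        return "device-bound"
    return "synced" if auth.backed_up else "syncable"


def evaluate_policy(auth: AuthData, rp_id: str, require_device_bound: bool = True) -> Tuple[bool, str]:
    """Apply the relying party's assurance policy to one parsed authenticator data blob."""
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth.user_present:
        return False, "user presence not asserted"
    if not auth.user_verified:
        return False, "user verification not performed"
    kind = classify_credential(auth)
    if require_device_bound and auth.backup_eligible:
        return False, f"credential is {kind}; device-bound passkey required"
    return True, f"accepted {kind} credential"


def backup_flag_changed(registered_backup_eligible: bool, auth: AuthData) -> bool:
    """BE is fixed for the lifetime of a credential; a change between the value stored at
    registration and the value seen at assertion is a red flag worth logging."""
    return registered_backup_eligible != auth.backup_eligible


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample blob for offline testing (no real authenticator involved)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "login.example.com"  # assumed relying party ID
    # Synced passkey: BE and BS set; many synced authenticators also report signCount 0.
    synced = parse_authenticator_data(build_authenticator_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0))
    # Device-bound passkey (e.g. a hardware key): BE clear, counter increments.
    bound = parse_authenticator_data(build_authenticator_data(rp, FLAG_UP | FLAG_UV, 42))
    for label, auth in (("synced", synced), ("device-bound", bound)):
        print(label, classify_credential(auth), evaluate_policy(auth, rp))
```

Store `backup_eligible` alongside the credential at registration and compare it on every assertion with `backup_flag_changed`; reject or step up the session when `evaluate_policy` fails rather than silently falling back to a weaker method.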

TAKEAWAYS:

  1. Prefer device-bound passkeys for enterprise environments over synced passkeys.
  2. Eliminate fallback methods like SMS and email for stronger security.
  3. Continuous authentication is essential for dynamic threat response.
  4. Enforce rigorous control over browser extensions to prevent vulnerabilities.
  5. High-assurance authentication is critical for secure enrollment and recovery.