Phishing-Resistant Passkeys Shown To Be Phishable At DEF CON 33
HOUSTON, Aug. 12, 2025 /PRNewswire/ -- In Las Vegas this past weekend, researchers from Allthenticate demonstrated an effective phishing attack against "phishing-resistant" synced passkeys. The attack works by relaying the input a victim enters on a phishing website to a local instance of the password manager (e.g., Chrome or Bitwarden) on the attacker's side, and logging in to it. Once the attacker is logged into the password manager, they have complete control over the victim's passwords and passkeys. The passkeys, in this instance, are especially lethal since websites do not require a second factor when logging in with them – ultimately making passkeys even riskier than traditional passwords. To make matters worse, the attacker also has the ability to permanently lock the victim out of all their accounts by exporting and deleting the user's stored credentials. The team published all of their findings and analysis on .
"This is not a fundamental problem with FIDO2," said Dr. Chad Spensky, the lead researcher on the project. "Only 'synced' passkeys are putting users at risk. 'Device-bound' passkeys, which never leave the device they were created on, are in fact unphishable for all practical purposes." Chad stressed that "the original specification only supported device-bound keys and was only amended to support synced keys a few years ago. I don't think many users realize that this bait and switch happened and the associated risks that come with it."
Arshad Noor, CTO of StrongKey, emphasized that "a cardinal principle of public-key cryptography (PKC) has been to never give up control of one's private key ... While we may crave convenience in many aspects of our lives, there is a line we must preserve if we wish to choose control over our independence and destiny." It is important that users are able to make informed, intelligent decisions about the risks that they are taking. Having clear indicators about the type of passkey being used (synced vs. device-bound) and the ability for service providers to restrict passkeys to device-bound only is critical for the future of passkeys and for our security as a society.
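One way a service provider can enforce the device-bound-only restriction the paragraph above calls for, as an added example that is not part of the press release or of Allthenticate's own code: parse the WebAuthn authenticatorData returned at registration and refuse credentials whose backup-eligible (BE) flag is set, since BE marks a passkey that can be synced off the device. The relying party id "example.com" and the sample authenticatorData are constructed for the demonstration.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    # BS set without BE is not a valid combination; treat it as malformed.
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS flag set without BE flag")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": sign_count,
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
    }


def accept_registration(auth_data: bytes, rp_id: str, require_device_bound: bool = True) -> bool:
    """Apply the relying party's policy to a registration; True means the credential is accepted."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # issued for a different relying party
    if not parsed["flags"] & FLAG_UP:
        return False  # user presence is mandatory
    if require_device_bound and parsed["backup_eligible"]:
        return False  # synced passkey: refuse under a device-bound-only policy
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData prefix (demonstration only, not from a real authenticator)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: a device-bound credential (BE clear) and a synced one (BE and BS set).
DEVICE_BOUND = make_auth_data("example.com", FLAG_UP | FLAG_UV)
SYNCED = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
```

The BE and BS flags are asserted by the authenticator itself, so a relying party that needs a strong guarantee should pair this check with attestation verification rather than trusting the flags alone.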
About Allthenticate
Allthenticate creates usable and secure authentication products. The Allthenticator app, an all-in-one authenticator, is free for personal use and lets users store "device-bound" passkeys, OTP codes, SSH keys, and other passwordless credentials securely in their smartphone and seamlessly use them across all of their devices.
Media Contact:
Devin Finch
[email protected]
+1 855-ALL-1337
SOURCE Allthenticate