Phishing-Resistant Passkeys Shown To Be Phishable At DEF CON 33
HOUSTON, Aug. 12, 2025 /PRNewswire/ -- In Las Vegas this past weekend, researchers from Allthenticate demonstrated an effective phishing attack against "phishing-resistant" synced passkeys. The attack works by relaying the input a victim types into a phishing website to a local instance of the victim's password manager (e.g., Chrome or Bitwarden) and logging in to it. Once the attacker is logged into the password manager, they have complete control over the victim's passwords and passkeys. The passkeys are the more damaging loss in this scenario: websites that accept a passkey do not require a second factor at login, so a stolen passkey is a complete credential, which makes synced passkeys riskier than traditional passwords. To make matters worse, the attacker can also permanently lock the victim out of all their accounts by exporting and then deleting the stored credentials. The team published all of their findings and analysis on .
"This is not a fundamental problem with FIDO2," said Dr. Chad Spensky, the lead researcher on the project. "Only 'synced' passkeys are putting users at risk. 'Device-bound' passkeys, which never leave the device they were created on, are in fact unphishable for all practical purposes." Chad stressed that "the original specification only supported device-bound keys and was only amended to support synced keys a few years ago. I don't think many users realize that this bait and switch happened and the associated risks that come with it."
Arshad Noor, CTO of StrongKey, emphasized that "a cardinal principle of public-key cryptography (PKC) has been to never give up control of one's private key ... While we may crave convenience in many aspects of our lives, there is a line we must preserve if we wish to choose control over our independence and destiny." Users need to be able to make informed, intelligent decisions about the risks they are taking on. Two things are critical for the future of passkeys and for our security as a society: clear indicators of which type of passkey is in use (synced vs. device-bound), and a way for service providers to restrict the passkeys they accept to device-bound ones only.
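The "restrict to device-bound" control mentioned above already has a hook in WebAuthn: the flags byte of the authenticator data carries a BE (backup eligible) bit that a synced passkey provider sets, and a BS (backup state) bit once the credential is actually backed up. The following is an added example, not code from Allthenticate, StrongKey, or any password manager; it shows how a relying party could parse those flags and refuse synced credentials. The `rp_id` value `example.com` and the sample authenticator data are constructed for the demo.

```python
"""Relying-party policy: accept only device-bound passkeys (added example).

Inspects the fixed 37-byte prefix of WebAuthn authenticator data
(rpIdHash | flags | signCount) and rejects any credential whose flags
mark it as backup-eligible, i.e. syncable off the device. The same
prefix appears in registration and in every later assertion, so the
check can run at both points. Sample data below is constructed.
"""
import hashlib
import struct

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced off the device
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Split rpIdHash(32) | flags(1) | signCount(4, big-endian) into fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_device_bound(auth_data: bytes, rp_id: str, require_uv: bool = True):
    """Return (accepted, reason). Accepts only non-syncable credentials for rp_id."""
    ad = parse_auth_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad["user_present"]:
        return False, "user presence not asserted"
    if require_uv and not ad["user_verified"]:
        return False, "user verification not asserted"
    # BE alone already means the provider may sync the key later; BS without BE
    # is not a valid combination, so both cases are refused.
    if ad["backup_eligible"] or ad["backup_state"]:
        return False, "synced (backup-eligible) passkey rejected by policy"
    return True, "device-bound passkey accepted"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Construct a 37-byte authenticator data prefix for the demo (assumed rp_id)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


# Constructed samples: a device-bound key, a fully synced key, and a key that
# is eligible for sync but not yet backed up.
DEVICE_BOUND = make_auth_data("example.com", FLAG_UP | FLAG_UV, 1)
SYNCED = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 1)
SYNC_ELIGIBLE = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE, 1)

if __name__ == "__main__":
    for name, ad in (("device-bound", DEVICE_BOUND),
                     ("synced", SYNCED),
                     ("sync-eligible", SYNC_ELIGIBLE)):
        print(name, check_device_bound(ad, "example.com"))
```

The flags byte is part of the data the authenticator signs, so an honest synced provider cannot present a backed-up key as device-bound without the signature also covering the lie; a dishonest or attacker-controlled authenticator can still set whatever bits it likes, so a relying party that needs a hard guarantee must additionally verify attestation against a list of trusted device-bound authenticators rather than rely on the flags alone.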
About Allthenticate
Allthenticate creates usable and secure authentication products. The Allthenticator app, an all-in-one authenticator, is free for personal use and lets users store "device-bound" passkeys, OTP codes, SSH keys, and other passwordless credentials securely on their smartphone and use them seamlessly across all of their devices.
Media Contact:
Devin Finch
[email protected]
+1 855-ALL-1337
SOURCE Allthenticate