The Security Guy

Let's keep the cloud from leaking!

The Perils of Passkeys

It seems like everyone loves Passkeys at the moment. In the past, usability and security often conflicted with each other. But now, the bright future is ahead with passkeys that combine both aspects perfectly!

And although I really like them and preach their advantages to our customers, there are still some risks involved with using Passkeys that you have to keep in mind.

In the following blog post, I want to show you why just implementing Passkeys is not the universal solution to all problems, what challenges could arise and how you can potentially tackle them.

Implementation

CSRF Attacks

Cross-Site Request Forgery (CSRF) is an attack where an attacker tricks a user into submitting unintended requests to a web application where they are authenticated. In the context of passkeys, this could mean that an attacker attempts to register a new authentication method in the victim’s account to gain unauthorized access.

Since passkeys do not inherently protect against CSRF attacks, it is important that your application has mechanisms implemented to prevent this from happening. Implementing anti-CSRF tokens, validating the origin of requests, and using same-site cookies are some methods to mitigate CSRF attacks.

Missing Verifications and Checks

There are various checks that have to be performed by the relying party during passkey authentication:

  • Signature Verification: Ensuring that the signature provided by the authenticator is valid.
  • Origin Checks: Confirming that the authentication request originates from a trusted domain.
  • Signature Counter Checks: Monitoring the signature counter to detect cloned authenticators.

While these checks are designed to prevent successful attacks, an incomplete or incorrect implementation could leave attack vectors open to adversaries. To ensure security:

  • Follow Standards: Adhere strictly to the WebAuthn specification.
  • Use Trusted Libraries: Utilize well-maintained and tested libraries for passkey implementation.
  • Perform Security Audits: Regularly audit your implementation to identify and fix vulnerabilities.

Fortunately, you don’t have to implement passkeys in your application yourself. You can use an external identity provider such as Microsoft Entra ID and let Microsoft take care of the proper implementation.

But does this mean you are secure if you are using Entra ID? Of course not!

Social Engineering

Phishing resistant != Social Engineering resistant

It is important to note that Passkeys are technically phishing resistant. But that does not mean they are social engineering resistant in general. An attacker could still try to trick users into doing things that they shouldn’t do.
Still today, the only way to keep your users from doing dumb things is to conduct awareness training and tell them how to behave correctly.

Session Hijacking

If an attacker can steal a user’s session, they do not even have to authenticate with the application. Since it is becoming increasingly difficult to gain initial access to an account by stealing credentials and bypassing other authentication methods like multi-factor authentication (MFA), attackers may focus on stealing user sessions instead.

Session hijacking is a well-known attack method, and with the rise of stronger authentication methods, attackers may try to avoid authentication entirely.

To address this:

  • Zero Trust Principles: Adopt the principles of “Verify Explicitly” and “Assume Breach,” which require continuous verification of access to resources.
  • Conditional Access: Use solutions like Microsoft Entra Conditional Access to create policies that can prevent session hijacking attacks.
  • Session Management: Implement session timeouts and require re-authentication for sensitive operations.
  • Monitoring and Alerts: Monitor for anomalous session activities and set up alerts for suspicious behavior.
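The last two bullets (session timeouts, re-authentication for sensitive operations, and alerting on anomalous session activity) as an added example in plain JavaScript; this is not code from the post, the timeout values are assumed policy choices, and the client contexts and timestamps are constructed:

```javascript
// Assumed policy values.
const SESSION_ABSOLUTE_MS = 8 * 3600e3;   // hard lifetime regardless of activity
const SESSION_IDLE_MS = 30 * 60e3;        // expire after inactivity
const SENSITIVE_REAUTH_MS = 5 * 60e3;     // sensitive ops need a passkey auth this recent

function createSession(userId, ctx, now) {
  return { userId, createdAt: now, lastSeenAt: now, lastAuthAt: now,
           ip: ctx.ip, userAgent: ctx.userAgent, alerts: [] };
}

// Decides allow / reauth / expired for one request. `ctx` is the client
// context seen on this request; `now` is a millisecond timestamp.
function checkSession(session, ctx, now, { sensitive = false } = {}) {
  if (now - session.createdAt > SESSION_ABSOLUTE_MS) return { decision: "expired", reason: "absolute timeout" };
  if (now - session.lastSeenAt > SESSION_IDLE_MS) return { decision: "expired", reason: "idle timeout" };
  // Anomaly: a session token that suddenly arrives from a different client
  // context is a classic indicator of a stolen cookie or token. Raise an alert
  // and demand a fresh passkey authentication instead of trusting the token.
  if (ctx.ip !== session.ip || ctx.userAgent !== session.userAgent) {
    session.alerts.push({ at: now, kind: "context-change",
                          from: { ip: session.ip, userAgent: session.userAgent }, to: { ...ctx } });
    return { decision: "reauth", reason: "client context changed" };
  }
  if (sensitive && now - session.lastAuthAt > SENSITIVE_REAUTH_MS) {
    return { decision: "reauth", reason: "stale authentication for sensitive operation" };
  }
  session.lastSeenAt = now;
  return { decision: "allow" };
}

// Called after the user completes a fresh passkey authentication.
function recordReauth(session, now) {
  session.lastAuthAt = now;
  session.lastSeenAt = now;
}

// Constructed timeline for one user session.
function runScenarios() {
  const t0 = Date.parse("2024-01-01T09:00:00Z");
  const client = { ip: "203.0.113.10", userAgent: "Browser/1.0" };
  const s = createSession("alice", client, t0);
  const normal = checkSession(s, client, t0 + 60e3);
  const sensitiveStale = checkSession(s, client, t0 + 10 * 60e3, { sensitive: true });
  recordReauth(s, t0 + 10 * 60e3);
  const sensitiveFresh = checkSession(s, client, t0 + 11 * 60e3, { sensitive: true });
  const hijacked = checkSession(s, { ip: "198.51.100.7", userAgent: "Browser/1.0" }, t0 + 12 * 60e3);
  const idle = checkSession(s, client, t0 + 60 * 60e3);
  return { normal, sensitiveStale, sensitiveFresh, hijacked, idle, alerts: s.alerts };
}

console.log(runScenarios());
```

A context change is answered with a re-authentication prompt rather than an outright revocation because IP changes also happen legitimately (mobile networks, VPNs); the alert entry is what your monitoring should pick up, and a legitimate user passes the passkey prompt without friction while a stolen token does not.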

Side-channel attacks

This is an issue that primarily hardware Passkeys (like YubiKeys) suffer from. Not long ago, a side-channel vulnerability for YubiKeys was published that makes it possible to clone these keys. Of course, the probability of such an attack is pretty small, but nevertheless you should bear this risk in mind when rolling out hardware Passkeys in very sensitive areas.

Authentication downgrade

Let’s say you are using a passkey for authentication with your account. While you are resistant to phishing and other attacks targeting weaker authentication methods, your account may still be vulnerable if it is allowed to authenticate using less secure methods, such as traditional passwords or less secure MFA options.

To prevent authentication downgrade attacks:

  • Policy Enforcement: Use identity management tools to enforce strict authentication policies across your organization.
  • Enforce Strong Authentication: Configure your systems to allow only passkey authentication for accounts that require the highest level of security.
  • Disable Weaker Methods: Deactivate traditional MFA and password-based authentication where possible.

Conclusion

As this blog post has shown, just implementing passkeys is unfortunately not the holy grail of security. However, they are one of the most secure authentication methods available today. Implementing passkeys is certainly a big step and can greatly improve your account security, but you have to keep an eye on certain risks that still exist with passkeys.

By being aware of these challenges and taking appropriate measures to address them, you can maximize the security benefits of passkeys while minimizing potential vulnerabilities.

2 responses to “The Perils of Passkeys”

  1. Mohammad

    What would be some good alternatives? Passless?

    1. Marco Schmidt

      Passkeys are probably the best available solution at the moment. This article is not meant to discourage anyone from implementing Passkeys. However, it should point out that the involved risks should not be underestimated.
