Digital Event Horizon
Researchers SquareX claim to have found a way to "pwn" passkey systems using a malicious browser extension, but security experts say this claim is based on a fundamental misunderstanding of security principles. Passkeys are still the best option for protecting against credential phishing and other attacks.
Passkeys are a core part of the FIDO specifications and use ES256 or other time-tested cryptographic algorithms. A unique key pair is generated for each website during registration: the website stores the public key, and the private key stays on the user's authentication device. The website challenges the authentication device with a pseudo-random string, which the device signs with its private key. Passkeys provide a secure alternative to passwords, resistant to phishing, password reuse, and database breaches. The FIDO spec makes clear that passkeys don't protect against attacks on the operating system or browser. Passkeys haven't withstood decades of security research the way traditional authentication methods have, so vulnerabilities may be discovered in the future.
Passkeys are a core part of the FIDO specifications drafted by the FIDO (Fast IDentity Online) Alliance, a coalition of hundreds of companies around the world. A passkey is a public-private cryptographic keypair that uses ES256 or one of several other time-tested cryptographic algorithms. During the registration process, a unique key pair is made for—and cryptographically bound to—each website the user enrolls. The website stores the public key. The private key remains solely on the user’s authentication device, which can be a smartphone, dedicated security key, or other device.
When the user logs in, the website sends the user a pseudo-random string of data. The authentication device then uses the private key bound to the website domain to cryptographically sign the challenge string. The browser sends the signed challenge back to the website. The site then uses the user’s public key to verify that the challenge was signed by the matching private key. If the signature is valid, the user is logged in. The entire process is generally as quick as, if not quicker than, logging in to the site with a password.
Passkeys provide an authentication alternative that’s by far the most resistant to date to the types of account takeovers that have vexed online services and their users for decades. Unlike passwords, passkey keypairs can’t be phished. If a user gets redirected to a fake Gmail page, the passkey won’t work since it’s bound to the real gmail.com domain. Passkeys can’t be divulged in phone calls or text messages sent by attackers masquerading as trusted IT personnel. They can’t be sniffed over the wire. They can’t be leaked in database breaches.
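The registration and challenge-response flow described above, including the domain binding that makes the fake-Gmail page fail, as an added Go example that is not part of the original article or of any FIDO implementation. It is a deliberately simplified model of WebAuthn (no credential IDs, attestation or CBOR encoding, a fixed sign count); the function names are constructed, and `gmail.com` is the article's own example domain.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)
// clientData holds the WebAuthn clientDataJSON fields the site checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the site's random bytes
	Origin    string `json:"origin"`    // origin the browser actually observed
}
// Authenticator models one passkey: an ES256 private key that never leaves the device, bound to one RP ID.
type Authenticator struct{ rpID string; priv *ecdsa.PrivateKey }
// Register makes a fresh P-256 key pair for rpID; only the public key goes to the site.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{rpID: rpID, priv: priv}, &priv.PublicKey
}
// toBeSigned is what the authenticator signs and the site recomputes: SHA256(authData || SHA256(clientDataJSON)).
func toBeSigned(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}
// Sign models browser plus authenticator: the browser records the challenge and the origin of the page it is on; the authenticator signs that with rpIdHash || flags || signCount.
func (a *Authenticator) Sign(challenge []byte, origin string) (authData, cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; sign count 0 (simplified)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, toBeSigned(authData, cdJSON))
	return authData, cdJSON, sig
}
// Verify is the site's check: its own challenge, origin and RP ID must be inside the signed data, and the signature must verify under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge, authData, cdJSON, sig []byte) bool {
	var cd clientData
	rpHash := sha256.Sum256([]byte(rpID))
	return json.Unmarshal(cdJSON, &cd) == nil && cd.Type == "webauthn.get" &&
		cd.Challenge == base64.RawURLEncoding.EncodeToString(challenge) && // fresh, not a replay
		cd.Origin == origin && // the real site, not a look-alike page
		len(authData) >= 37 && bytes.Equal(authData[:32], rpHash[:]) && // key bound to this site
		ecdsa.VerifyASN1(pub, toBeSigned(authData, cdJSON), sig) // made by the enrolled private key
}
```

A signature produced on any other origin, against a stale challenge, or by a key the site never enrolled fails the same check, which is the whole of the phishing resistance described above.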
A fundamental misunderstanding of security is at play here, according to security experts. SquareX researchers claim that passkeys have been compromised because they found a way to hijack the passkey registration process. However, the claim rests on a lack of familiarity with the FIDO spec, flawed logic, and a misunderstanding of security in general.
The claim that Passkeys Pwned shows that passkeys can be stolen is flat-out wrong. If the targeted user has already registered a passkey for Gmail, that key will remain safely stored on the authenticator device. The attacker never comes close to stealing it. Using malware to hijack the registration process is something altogether different.
Furthermore, the research fails to take into account that the FIDO spec makes clear that passkeys provide no defense against attacks that rely on the operating system, or the browser running on it, being compromised; such attacks are outside the FIDO threat model. Section 6 of the spec lists specific “security assumptions” inherent in the passkeys trust model.
A separate security company made—and promptly withdrew—claims that it devised an attack that bypassed FIDO-based two-factor authentication. In fact, the sites that were attacked offered FIDO as only one means of 2FA and also allowed other, less secure forms. The attacks targeted those other forms, not the one specified by FIDO. Had the sites not allowed fallbacks to the weaker 2FA forms, the attack would have failed.
SquareX is right in saying that passkeys haven’t withstood decades of security research the way more traditional forms of authentication have. There very possibly will be vulnerabilities discovered in either the FIDO spec or various implementations of it. For now, though, passkeys remain the best defense against attacks relying on things like credential phishing, password reuse, and database breaches.
Related Information:
https://www.digitaleventhorizon.com/articles/Pwned-The-Misleading-Passkey-Vulnerability-Claim-deh.shtml
https://arstechnica.com/security/2025/08/new-research-claiming-passkeys-can-be-stolen-is-pure-nonsense/
https://research.kudelskisecurity.com/2024/03/14/passkeys-under-the-hood/
Published: Thu Aug 28 09:11:50 2025 by llama3.2 3B Q4_K_M