Authentication method redaction attacks could make passkey authentication pointless

While passkey authentication is a highly secure method of authentication and is increasingly being offered as a solution to the eternal username/password authentication insecurity problem, there appears to be an overlooked weakness in the passkey method that lies in the user interface through which users authenticate with services.

Researchers have found that by injecting themselves between the service and the user, such as by injecting code into the web page used for login, an attacker could cause passkey authentication to be bypassed in favour of less secure methods. This attack takes advantage of the fact that services usually provide multiple methods of authentication, as well as methods for account recovery in case keys are lost.

By injecting code into the authentication page, the attacker could redact the login page so that users no longer see any option for using passkeys. They may then be forced into choosing a less secure method. Alternatively, an attacker can use scripting to automatically click on other login methods before the user even gets to see or choose the passkey option.
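As an added illustration, not code from the article or from the researchers it summarises, the following JavaScript shows the defender-side consequence of the attack described above: since the login page and everything it renders can be altered by an attacker, the set of methods an account may authenticate with has to be enforced by the server, and a passkey-enrolled account completing a login through a weaker method is a signal worth alerting on. The account records, the log lines and the `verifyRecovery` hook are all constructed for this example.

```javascript
// Added example (not from the article). Server-side enforcement of which
// authentication methods an account may use, plus detection of "downgrade"
// logins in an auth log. Everything below is constructed sample data.

// Relative strength of each method; for an account with a passkey enrolled,
// anything below "passkey" is treated as a downgrade.
const STRENGTH = { passkey: 3, password: 2, sms: 1 };

// Constructed account store: enrolled methods and whether the account has
// opted into "passkey required" (weaker methods only via a recovery flow).
const ACCOUNTS = {
  alice: { methods: ["passkey", "password", "sms"], passkeyRequired: true },
  bob:   { methods: ["password", "sms"],            passkeyRequired: false },
  carol: { methods: ["passkey", "password"],        passkeyRequired: false },
};

// hasOwnProperty guards so that names like "constructor" cannot reach
// prototype members of the lookup tables.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isDowngrade(acct, method) {
  return acct.methods.includes("passkey") && STRENGTH[method] < STRENGTH.passkey;
}

// Server-side decision for one login attempt. `verifyRecovery(user, token)` is
// a hypothetical hook into a separate, out-of-band account-recovery flow; it is
// the only path by which a passkey-required account may use a weaker method.
// The client's choice of method is input to this decision, never authority.
function decideAuth(accounts, user, method, recoveryToken = null, verifyRecovery = () => false) {
  if (!own(accounts, user)) return { allow: false, reason: "unknown-user" };
  const acct = accounts[user];
  if (!own(STRENGTH, method) || !acct.methods.includes(method)) {
    return { allow: false, reason: "method-not-enrolled" };
  }
  if (isDowngrade(acct, method)) {
    if (!acct.passkeyRequired) return { allow: true, reason: "downgrade-permitted" };
    if (recoveryToken !== null && verifyRecovery(user, recoveryToken)) {
      return { allow: true, reason: "recovery-downgrade" };
    }
    return { allow: false, reason: "passkey-required" };
  }
  return { allow: true, reason: "ok" };
}

// Parse one constructed auth-log line of the form
// "<iso-timestamp> user=<name> method=<method> result=<success|failure>".
function parseLogLine(line) {
  const m = /^(\S+)\s+user=(\S+)\s+method=(\S+)\s+result=(\S+)$/.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], user: m[2], method: m[3], result: m[4] };
}

// Detection: successful logins by passkey-enrolled accounts over a weaker
// method. One such event may be a user who genuinely lost a device; a burst
// across many accounts is what a redacted login page would produce.
function findDowngradeLogins(accounts, lines) {
  const hits = [];
  for (const line of lines) {
    const ev = parseLogLine(line);
    if (!ev || ev.result !== "success" || !own(accounts, ev.user)) continue;
    if (isDowngrade(accounts[ev.user], ev.method)) hits.push(ev);
  }
  return hits;
}

// True if any sliding window of `windowMs` contains downgrade logins from at
// least `threshold` distinct accounts.
function isBurst(events, windowMs, threshold) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  let i = 0;
  for (let j = 0; j < sorted.length; j++) {
    while (Date.parse(sorted[j].ts) - Date.parse(sorted[i].ts) > windowMs) i++;
    const users = new Set(sorted.slice(i, j + 1).map((e) => e.user));
    if (users.size >= threshold) return true;
  }
  return false;
}

// Constructed log from a service that did NOT enforce the policy above.
const SAMPLE_LOG = [
  "2024-05-01T10:00:01Z user=alice method=passkey result=success",
  "2024-05-01T10:00:05Z user=carol method=password result=success",
  "2024-05-01T10:00:09Z user=bob method=password result=success",
  "2024-05-01T10:00:12Z user=alice method=password result=success",
  "2024-05-01T10:00:20Z user=carol method=password result=failure",
  "this line is not an auth event",
];

function main() {
  console.log(decideAuth(ACCOUNTS, "alice", "password"));         // denied: passkey-required
  const hits = findDowngradeLogins(ACCOUNTS, SAMPLE_LOG);
  console.log(hits.map((e) => `${e.ts} ${e.user} ${e.method}`));
  console.log("burst within 60s:", isBurst(hits, 60_000, 2));      // true
}
main();
```

The two halves reinforce each other: `decideAuth` removes the attacker's payoff (hiding or auto-skipping the passkey option gains nothing if the server refuses the weaker method for a passkey-required account), while `findDowngradeLogins` and `isBurst` give the service a way to notice the attack on accounts that have not opted into strict enforcement.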

These methods have been shown to work on sites owned by Microsoft and GitHub, and many other sites offering passkey authentication are likely susceptible to the same attack method. The researchers provide some recommendations, but each of them has its own drawbacks.