SquareX Cybersecurity Firm Demos Alarming Browser-Based Passkey Attacks

Passkeys are just as vulnerable to browser-side attacks as more traditional forms of authentication, according to SquareX. SquareX, a cybersecurity firm best known for its BDR ("Browser Detection and Response") enterprise security products, has shown that attackers can manipulate both the passkey setup and login processes through script injection and malicious browser extensions. Passkeys normally require access to a physical device, but the weak point of this attack vector is the setup process itself, which relies on the browser as an intermediary between the user and the service. If an attacker can hijack that mandatory setup step in an unsecured browser through a plug-in or other add-on, the user effectively hands the passkey to the attacker, who can then authenticate without the device on which the passkey was just set up.
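As an added illustration (not SquareX's code or anything from the article), here is one defensive check a relying party's front-end could run before calling the WebAuthn API: verifying that `navigator.credentials.create` and `get` are still the browser's own native functions rather than wrappers planted by an injected script. The `auditCredentialsApi` function, the `isNativeFunction` helper and the stand-in `Container` class are assumptions for this example; it runs outside a browser against a constructed navigator-like object.

```javascript
// Added example, not code from SquareX or the article. A page about to call
// navigator.credentials.create()/get() checks that those entry points are still
// native browser functions. This is a heuristic, not a guarantee: an extension
// with enough privilege can also replace Function.prototype.toString.

const NATIVE_MARKER = /\{\s*\[native code\]\s*\}\s*$/;

// True when fn's source text is the browser's "[native code]" stub.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Call Function.prototype.toString directly so that a toString property
  // shadowed on the function object itself is bypassed.
  return NATIVE_MARKER.test(Function.prototype.toString.call(fn));
}

// Audits a navigator-like object. Returns a list of findings; empty means clean.
function auditCredentialsApi(nav) {
  const findings = [];
  const creds = nav && nav.credentials;
  if (!creds) {
    findings.push('navigator.credentials missing');
    return findings;
  }
  for (const name of ['create', 'get']) {
    const fn = creds[name];
    if (typeof fn !== 'function') {
      findings.push(`credentials.${name} missing`);
    } else if (!isNativeFunction(fn)) {
      findings.push(`credentials.${name} is not a native function`);
    } else if (Object.prototype.hasOwnProperty.call(creds, name)) {
      // Native create/get live on the prototype. An own property that still
      // reports "[native code]" (e.g. a bound function) means it was shadowed.
      findings.push(`credentials.${name} shadowed by an own property`);
    }
  }
  if (!isNativeFunction(Function.prototype.toString)) {
    findings.push('Function.prototype.toString has been replaced');
  }
  return findings;
}

// Constructed sample (assumption): Container stands in for the browser's
// CredentialsContainer, using real native functions as its prototype methods.
function demo() {
  class Container {}
  Container.prototype.create = Math.max;   // stand-in for a native method
  Container.prototype.get = Math.min;
  const clean = { credentials: new Container() };
  const tampered = { credentials: new Container() };
  tampered.credentials.create = function wrapped(options) { return options; }; // script-planted wrapper
  return { clean: auditCredentialsApi(clean), tampered: auditCredentialsApi(tampered) };
}
```

In a real page the call would be `auditCredentialsApi(navigator)` just before enrollment or login, with any finding reported to the server rather than silently ignored.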


This should serve as a "wake-up call" to the wider security community, since it means that passkeys can in fact be stolen without stealing or even hacking the authentication device on which the passkey is stored. If users do not secure their web browsers against third-party extensions and script injection, especially enterprise users operating at scale, passkeys remain about as vulnerable as traditional authentication methods. Granted, passkeys still require compromised software to circumvent, unlike passwords, which can be and have been cracked by AI. SquareX advises both individuals and enterprises to limit browser extensions to trusted sources and to review installed add-ons regularly to minimize exposure, because an otherwise innocuous extension can be hijacked after installation through a cyber-attack or a malicious purchase of the extension.

In light of Big Tech's widespread adoption and encouragement of passkeys over passwords, this news is sure to turn some heads. As CySecurity.News notes in its coverage, more than 15 billion passkeys are already in use worldwide. If users stay vigilant and secure their browsers properly, that is 15 billion examples of next-generation authentication at work. But knowing the cybersecurity landscape, and how often even sensitive enterprises leave key machines and software unsecured, that number looks ominous in light of this news.