Passkeys were supposed to kill the password for good, but a new vulnerability revealed at DEF CON 2025 has shown the “golden solution” might have cracks of its own.
Passwords are the internet’s weakest link. That’s why passkeys have been pushed as a golden solution, with tech companies hailing them as the end of phishing and brute-force attacks.
Passkeys allow users to authenticate with biometrics or a hardware key. The technology works by using a private key stored on the device and a public key kept on a web server.
When a user logs in, they prove their identity with a PIN, face scan, or fingerprint on their device. The private key is compared to the public key stored on the web. This setup ties user login to a specific device and site, making it much harder for hackers to steal or reuse credentials.
However, the technology is not without flaws. At DEF CON 2025, researchers from SquareX revealed a vulnerability that could undermine the entire system, showing that browsers can be manipulated to intercept or forge the authentication process.
Attackers can exploit passkeys
Researchers Shourya Pratap Singh, Daniel Seetoh, and Jonathan Lin demonstrated how malicious browser extensions or injected scripts can trick the passkey workflow.
Attackers can register fake keys, bypass biometric checks, or force users to re-register their passkeys under an attacker-controlled environment. In practice, this means that threat actors would have unauthorized access to bank accounts, SaaS platforms, and cloud services.
“Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security,” says SquareX researcher Shourya Pratap Singh.
“What they don’t know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser,”
explains the researcher.
The problem isn’t the cryptography, which remains intact. It’s the assumption that the browser itself is trustworthy, researchers believe.
According to SquareX, current security tools, including endpoint detection and response (EDR) and SASE platforms, lack visibility into the browser to catch these attacks. From a user’s perspective, the exploit looks identical to a legitimate login flow.
Massive passkey adoption
The vulnerability disclosure comes as passkeys are gaining rapid adoption. The FIDO Alliance, which consists of government agencies, businesses, and tech companies, including IBM, Apple, Amazon, Microsoft, PayPal, and many others, has reported more than 15 billion accounts enabled.
In May, Microsoft launched passkeys, enabling users to drop passwords to access the company’s accounts. According to Microsoft, users can create a passkey on their devices and use their face, fingerprint, PIN, or security key as a means of identification.
In 2023, Google started rolling out passkey support across Google Accounts on all major platforms as an additional option for users to sign in, alongside passwords and 2-Step Verification. The same year, the Meta-owned chat app Whatsapp rolled out passkeys to access the application on Android devices.
Your email address will not be published. Required fields are markedmarked