Created a passkey? Hackers can bypass it using a simple downgrade attack

Published: 12 August 2025
passkeys
Image by Cybernews.

Passkeys are touted as a phishing-resistant and secure way to access accounts without entering usernames and passwords. However, Proofpoint security researchers warn that phishers can bypass this authentication method altogether and downgrade it to the older password-based authentication.

Users shouldn’t harbor illusions that their account is safer just because they’ve created a passkey. At least not while their old authentication methods still work.

Proofpoint researchers demonstrated how attackers can effortlessly side-step this authentication method.

ADVERTISEMENT

The problem is that cloud-based identity services, like Microsoft Entra ID, do not support passkey (FIDO2) authentication on all OS and browser combinations and other clients.

For example, a passkey will not work to access a Microsoft account when using Safari on Windows or Firefox on Android.

Therefore, attackers can use their existing phishing lures and just spoof an unsupported user agent, forcing the user into falling back to a less secure authentication method, like a password and multifactor authentication (MFA) combination, or no MFA at all.

“This seemingly insignificant gap in functionality can be leveraged by attackers,” Proofpoint said in a report.

“Using a dedicated phishlet, attackers could downgrade FIDO-based authentication to less secure methods, exposing targets to adversary-in-the-middle (AiTM) threats.”

To demonstrate this approach, the researchers successfully crafted a template for a phishing kit (phishlet) designed to extract user credentials and access accounts despite the use of passkeys.

Step by step: how does the attack work?

The potential attack would start like all other phishing attacks: with a phishing link delivered via email, PDF attachment, SMS, OAuth consent request, or any other communication channel.

ADVERTISEMENT

“Once the target falls for the phishing lure and clicks on the malicious URL, they are presented with an authentication error message, prompting them to select an alternative sign-in method,” Proofpoint explains.

microsoft-entra-id

If the victim chooses “other ways to sign in,” Microsoft’s authorization prompt will provide different options for signing in, and any other MFA method from the list would work.

microsoft-entra-id2

Once the victim completes the authentication using the spoofed interface, the hackers will obtain login credentials and session cookie, as they would in any other standard phishing attack.

“Finally, the attacker can hijack the authenticated session by importing the stolen session cookie into their own browser, thus granting them access to the victim’s account without having to insert any credentials or pass an MFA challenge,” the researchers warn.

Downgrade attacks can affect various other passkey implementations, not just Microsoft’s.

Up until the public disclosure, there have been no signs of hackers using this technique in the wild. Hackers often choose lower-effort alternatives and target users with weaker authentication methods. However, user accounts remain at risk, as this authentication downgrade is seen as a significant emerging threat.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT