Published Date: 9/2/2025
Passkeys are the latest innovation in user authentication, promising greater security and convenience. Prominent supporters like Microsoft, Facebook, the UK government, Mastercard, Visa, and Amazon are backing this technology. However, recent claims of a major passkey vulnerability have sparked debate in the cybersecurity community.
Earlier this month at Defcon, researchers unveiled an attack called “Passkeys Pwned,” which they say exposes a critical flaw in the passkey authentication process. The method involves a malicious browser extension installed through social engineering. Once installed, the extension intercepts the creation of passkeys for services like Gmail, Microsoft 365, and other platforms that have adopted passwordless login.
The researchers claim that this method allows attackers to generate a cryptographic keypair linked to the legitimate domain, giving them access to sensitive data. They argue that this discovery breaks the myth that passkeys cannot be stolen, suggesting that passkey theft is as easy as traditional credential theft.
However, cybersecurity experts argue that this claim rests on a flawed understanding of passkeys. A passkey is stored on the authenticator device the user registered and cannot be stolen from it. Rather than stealing an existing credential, the malware hijacks the passkey registration process: if the user already has a passkey set up, the malware triggers an error message prompting the user to create a new one. If the user complies, the new key is controlled by the attacker, but no existing passkey has been stolen.
Additionally, the FIDO specification, which underpins passkeys, does not guarantee immunity from attacks targeting the operating system or browser. Malware affecting a browser is beyond the scope of passkeys’ protections. Passkeys are designed to defend against common vulnerabilities like phishing, password reuse, database hacks, and simple password guessing. They also offer faster sign-ins, according to Microsoft research.
Ars Technica spoke with SquareX lead developer Shourya Pratap Singh, who stood by the research. However, the publication noted that the research includes a commercial pitch for the SquareX platform. While passkeys are still relatively new, they represent a more secure replacement for passwords.
Earlier this year, a research paper from the University of Oslo evaluated device-bound versus synced passkey credentials. The study found that synced passkeys are less secure than device-bound ones. However, the security of passkeys varies widely depending on their implementation and usage. The researchers emphasized the need for strong authentication for passkey provider accounts, cautious use of credential-sharing, and secure storage of backups.
Keeper Security has introduced biometric passkey login support for FIDO2/WebAuthn in its Chrome and Edge browser extensions, as well as the Keeper Commander CLI. This update allows users to unlock their encrypted Keeper Vault using device-based credentials like fingerprint, face biometrics, or PIN, eliminating the need for passwords. The feature leverages Windows Hello on Windows 11 devices and Touch ID on macOS, ensuring that biometric information remains on the user’s device and is never transmitted to Keeper.
Security is shifting from passwords to stronger, more reliable methods, according to Craig Lurey, CTO and cofounder of Keeper Security. This update simplifies passwordless access for IT teams by enabling passkey creation, secure storage, and autofill across Keeper’s browser extensions, mobile and desktop vaults, and the open-source Keeper Commander CLI.
Q: What are passkeys?
A: Passkeys are a new authentication method designed to replace passwords. They use cryptographic keys stored on a user's device to securely log in to services without the need for traditional passwords.
Q: What is the 'Passkeys Pwned' attack?
A: The 'Passkeys Pwned' attack is a method described by researchers that involves a malicious browser extension intercepting the creation of passkeys, allowing attackers to generate and control a new keypair for the legitimate domain.
Q: Are passkeys really secure?
A: Passkeys are considered more secure than traditional passwords because they are stored on the user's device and cannot be stolen. However, they are not immune to all types of attacks, such as those targeting the browser or operating system.
Q: What is the FIDO Alliance?
A: The FIDO Alliance is an industry association that develops open standards for strong authentication, including FIDO2 and WebAuthn, which are used to implement passkeys.
Q: How does Keeper Security support passkeys?
A: Keeper Security has introduced biometric passkey login support for FIDO2/WebAuthn in its browser extensions and CLI, allowing users to unlock their encrypted vault using device-based credentials like fingerprint, face biometrics, or PIN.