Unpacking Passkeys Pwned: Possibly the most specious research in decades
Don't believe everything you read-especially when it's part of a marketing pitch designed to sell security services.
The latest example of the runaway hype that can come from such pitches is research published today by SquareX, a startup selling services for securing browsers and other client-side applications. It claims, without basis, to have found a major passkey vulnerability" that undermines the lofty security promises made by Apple, Google, Microsoft, and thousands of other companies that have enthusiastically embraced passkeys.
Ahoy, face-palm aheadPasskeys Pwned," the attack described in the research, was demonstrated earlier this month in a Defcon presentation. It relies on a malicious browser extension, installed in an earlier social engineering attack, that hijacks the process for creating a passkey for use on Gmail, Microsoft 365, or any of the other thousands of sites that now use the alternative form of authentication.