- Browsers are the weak link that attackers now exploit for control
- SquareX shows how simple scripts can intercept and divert passkey flows
- From the user’s point of view, the fake passkey prompts look entirely authentic
For years, the move from passwords to passkeys has been framed as the future of secure authentication.
By relying on pairs of cryptographic keys instead of weak or reused strings, passkeys promise to remove the risks that have long plagued password systems.
However, at the recent DEF CON 33 event, SquareX researchers presented new findings that challenge this view, arguing that the very browsers that host passkey workflows can be exploited to bypass their protections.
Passkey mechanics
Passkeys work via a system where a private key remains on the user’s device while a public key is stored by the service provider.
To log in, the user verifies their identity locally with biometrics, a PIN or a hardware token, and the server authenticates the response against the stored public key.
This structure should eliminate many classic risks, such as phishing or brute-force attacks, but the whole process assumes that the browser acts as a trustworthy intermediary, a role that SquareX researchers now argue is dangerously fragile.
They showed how attackers can manipulate the browser environment with malicious extensions or scripts, allowing them to intercept the registration flow, replace keys and even prompt users to re-register under attacker-controlled conditions.
From the victim’s point of view, the login process looks indistinguishable from a legitimate passkey operation, with no warning sign that credentials are being compromised.
Established enterprise security tools, whether endpoint protection or network defenses, provide no visibility into this layer of browser activity.
“Passkeys are a very trusted form of authentication, so when users see a biometric prompt, they take it as a security signal,” said SquareX researcher Shourya Pratap Singh.
“What they do not know is that attackers can easily simulate passkey registrations and authentications by intercepting the passkey workflow in the browser.”
With the majority of corporate data now stored on SaaS platforms, passkeys are quickly being adopted as the default authentication method.
SquareX’s findings suggest that this transition introduces a new dependence on browser security, an area where oversight is traditionally weak.
Passkeys may still represent progress beyond traditional credentials, but the SquareX research shows that no system is entirely free of flaws, and organizations may have moved too quickly to adopt passkeys as a universal solution.
How to stay safe
- Use a trusted antivirus to detect and block hidden malicious code.
- Install extensions only from verified sources and regularly review their permissions.
- Keep browsers up to date to ensure the latest security fixes are applied.
- Use a password manager to securely manage legacy accounts that still rely on passwords.
- Pair login processes with an authenticator app to strengthen verification steps.
- Regularly audit browser settings to minimize exposure to untrusted scripts or add-ons.
- Limit the number of devices used for sensitive logins to reduce attack opportunities.