There has been recent press coverage on "Passkey Redaction Attacks" by Joe Stewart. It's an informative piece about how Attackers in the Middle (AitM) can manipulate the "login" screen to remove the option of using a Passkey.
If the website offers a "backup" method of authentication, such as a secondary username and password, the attacker forces the user onto it. The attacker can capture the username and password, but not the Passkey. The attack is simple: force the victim to take the least secure route and compromise their account that way.
At Key9, we have acknowledged that outdated authentication protocols pose a risk to passkeys.
Imagine a scenario where a highly secure bank vault is protected by an off-the-shelf Walmart bike lock as a backup. The attacker will focus on attacking the Walmart bike lock instead of the expensive, highly secure locking mechanism. It may be a "convenient backup" for the user, but it is a vulnerability to the entire system.
Joe Stewart’s work is an excellent example of how such attacks might unfold. However, the attacker needs to be "in the middle" of the session, making it challenging to execute against TLS sessions at scale.
We have envisioned a more direct approach that aligns with a traditional phishing campaign.
In this method, the attacker would register a domain name that is similar to the target domain. This can be achieved through standard domain-squatting techniques such as character omission or replacement. For instance, the attacker might create a domain name like "examples.com" to imitate "example.com." This slight alteration makes the domain appear legitimate at a casual glance.
Attackers have been using this technique for years.
The attacker's domain directs users to a fraudulent "login" page that is an exact replica of the target's actual login page. The main distinction is that when the user tries to use their Passkey, the attacker's website shows a bogus "error message" claiming that Passkeys are not available and that the user should instead use the less secure traditional username and password.
By compelling the user to take a less secure path with usernames and passwords, attackers can employ their typical phishing tactics.
The reason we avoid using legacy authentication protocols, such as usernames and passwords, is precisely because of these types of attacks. Key9 does not depend on weaker forms of authentication; instead, we solely rely on public key cryptography (Passkeys).
This makes our platform immune to these kinds of attacks.
It will take time and trust building, but continued reliance on passwords will become increasingly vulnerable. Passkeys and public key cryptography can only work if we abandon legacy weak authentication protocols.