SECURITY
A new report out today from browser security company SquareX Ltd. reveals a critical flaw in passkeys, the widely promoted alternative to passwords, that could allow attackers to hijack accounts across banking, e-commerce and enterprise software-as-a-service applications.
Passkeys have been widely adopted in the past few years, with the FIDO Alliance estimating that there are now more than 15 billion passkey accounts enabled worldwide. The idea behind passkeys is that they replace passwords with cryptographic key pairs, binding authentication to a user’s device and removing the risks of reused or weak credentials.
Logging in using a passkey typically involves a biometric prompt, hardware token or PIN to access the private key stored locally, while the server verifies against a corresponding public key. The idea is to prevent phishing and brute-force attacks by eliminating shared secrets, but as revealed today by SquareX, they’re not as secure as they were designed to be.
The new research from SquareX details how the passkey promise depends heavily on the integrity of the browser. Because all communication between a device and the server flows through it, malicious extensions or injected scripts can intercept and alter the passkey process.
SquareX’s researchers have been able to demonstrate that through relatively trivial scripts and malicious browser extensions, attackers can forge registrations, bypassing biometrics entirely, or disrupt logins and trick users into re-registering under attacker control. From the user’s perspective, the workflow appears indistinguishable from a legitimate passkey flow, leaving no visual clues or detectable network anomalies.
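The flaw the researchers describe rests on the fact that a passkey registration response (clientDataJSON plus authenticatorData) is assembled by code running in the browser, so whatever a relying-party server cannot check against something it controls is only as trustworthy as that browser. The following is an added example, not SquareX's code or any project's library, showing the server-side checks a relying party can and should perform on a registration response: the challenge it issued, the origin and rpIdHash, and the user-presence and user-verification flag bits. RP_ID, EXPECTED_ORIGIN and the sample response bytes are constructed for illustration; no real authenticator produced them. The COSE public key and the attestation statement are deliberately not decoded here.

```python
import base64
import hashlib
import json
import struct

# Assumed relying-party settings for this example (not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

# Flag bits of the authenticatorData flags byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_AT = 0x40  # attested credential data follows the header


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(data: bytes) -> dict:
    """Parse the 37-byte header and, when the AT flag is set, the credential id.
    Layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key].
    The COSE public key that follows the credential id is not decoded here."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = data[32]
    parsed = {
        "rp_id_hash": data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "at": bool(flags & FLAG_AT),
        "sign_count": struct.unpack(">I", data[33:37])[0],
        "credential_id": None,
    }
    if parsed["at"]:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", data[53:55])[0]
        parsed["credential_id"] = data[55:55 + cred_len]
    return parsed


def verify_registration(expected_challenge: str, client_data_b64: str,
                        auth_data_b64: str, require_uv: bool = True) -> list:
    """Return the list of failed checks; an empty list means the response passed."""
    problems = []
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.create":
        problems.append("type is not webauthn.create")
    if client_data.get("challenge") != expected_challenge:
        problems.append("challenge does not match the one issued for this session")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        problems.append(f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}")
    auth = parse_authenticator_data(b64url_decode(auth_data_b64))
    if auth["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash does not match RP_ID")
    if not auth["up"]:
        problems.append("user-presence flag not set")
    if require_uv and not auth["uv"]:
        problems.append("user-verification flag not set (no biometric/PIN asserted)")
    if not auth["at"] or not auth["credential_id"]:
        problems.append("no attested credential data / empty credential id")
    return problems


# --- constructed sample data: built here for the demo, not captured from a device ---

SAMPLE_CHALLENGE = b64url_encode(bytes(range(32)))  # a server would use os.urandom(32)


def build_client_data(challenge: str, origin: str, typ: str = "webauthn.create") -> str:
    return b64url_encode(json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode())


def build_authenticator_data(flags: int, sign_count: int = 0) -> str:
    cred_id = b"\xab" * 16  # constructed credential id; aaguid left all-zero
    body = (hashlib.sha256(RP_ID.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + bytes(16)
            + struct.pack(">H", len(cred_id)) + cred_id)
    return b64url_encode(body)


def demo() -> dict:
    ok_cd = build_client_data(SAMPLE_CHALLENGE, EXPECTED_ORIGIN)
    return {
        "valid": verify_registration(SAMPLE_CHALLENGE, ok_cd, build_authenticator_data(FLAG_UP | FLAG_UV | FLAG_AT)),
        "no_uv": verify_registration(SAMPLE_CHALLENGE, ok_cd, build_authenticator_data(FLAG_UP | FLAG_AT)),
        "wrong_origin": verify_registration(SAMPLE_CHALLENGE,
                                            build_client_data(SAMPLE_CHALLENGE, "https://login.example.net"),
                                            build_authenticator_data(FLAG_UP | FLAG_UV | FLAG_AT)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "OK" if not result else result)
```

The important caveat for the article's scenario: every one of these fields, the UV bit included, is asserted by whatever code produced the response. If a script in the page has replaced the browser's passkey calls with its own key pair, it can set the flags and produce a well-formed response that passes all of the checks above. The only server-side signal that ties a registration to a real authenticator is the attestation statement verified against a trusted root (attestation conveyance "direct" or "enterprise" plus authenticator metadata), which this example does not do; the rest of the mitigation lives in the browser itself, such as restricting which extensions may run on enterprise endpoints.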
“Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security,” explains SquareX researcher Shourya Pratap Singh. “What they don’t know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser. This puts pretty much every enterprise and consumer application, including critical banking and data storage apps at risk.”
Traditional endpoint and network defenses, such as endpoint detection and response and secure access service edge, lack visibility inside the browser, adding to the risk involved. The gap makes passkey exploits especially dangerous for enterprises that increasingly depend on SaaS platforms.
“SquareX has been actively researching new ways attackers exploit employees in the browser,” said Vivek Ramachandran, founder of SquareX. “Without a browser security layer, passkeys in isolation can be easily hijacked by attackers to gain unauthorized access to enterprise SaaS apps, where critical data is stored.”
SquareX is a venture capital-backed startup that has raised $26 million over two rounds, including a round of $20 million in April. Investors in the company include SYN Ventures and Peak XV Partners Management.