
"Passkeys are credentials stored in an authenticator. Some are device-bound, others are synced across devices through consumer cloud services like iCloud and Google Cloud. Sync improves usability and recovery in low-security, consumer-facing scenarios, but shifts the trust boundary to cloud accounts and recovery workflows. The FIDO Alliance and Yubico have both issued important advisories for enterprises to evaluate this split and to prefer device-bound options for higher assurance."
"Operationally, synced passkeys expand the attack surface in three ways: if a user is logged in on their corporate device with their personal Apple iCloud account, then passkeys created could be synced to their personal accounts; this dramatically explodes the attack surface beyond enterprise security boundaries. Help desk and account recovery become the real control points that attackers target because they can copy the same protected keychain onto a new, unknown, and untrusted device."
Synced passkeys store credentials in cloud-backed authenticators, shifting the trust boundary from local devices to consumer cloud accounts and recovery workflows. Cloud account takeover, recovery abuse, or mixing personal cloud accounts on corporate devices can authorize new devices and erode credential integrity. Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong authentication. Malicious or compromised browser extensions can hijack WebAuthn requests, manipulate passkey registration or sign-in, and drive autofill to leak credentials and one-time codes. Device-bound passkeys on hardware security keys offer higher assurance and stronger administrative control and should be mandatory for enterprise access.
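A relying party can enforce the device-bound policy described above at registration time by inspecting the WebAuthn authenticatorData flags: the Backup Eligible (BE) and Backup State (BS) bits mark a credential that may be, or already is, synced to a cloud account. The following is an added example (not code from the article, Yubico or the FIDO Alliance); the AAGUID allow-list value and the sample authenticatorData are constructed placeholders, where a real deployment would take AAGUIDs of approved hardware keys from the FIDO Metadata Service.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Flag bits of the WebAuthn authenticatorData flags byte (WebAuthn Level 3, 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to a cloud account
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, key) follows

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]

def parse_auth_data(auth_data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticatorData and, if AT is set, the AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    aaguid = None
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        aaguid = auth_data[37:53]
    return AuthData(rp_id_hash, flags, sign_count, aaguid)

def evaluate_registration(auth_data: bytes, rp_id: str, allowed_aaguids: frozenset) -> Tuple[bool, str]:
    """Accept only user-verified, device-bound credentials from an allow-listed authenticator model."""
    ad = parse_auth_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad.flags & FLAG_UV:
        return False, "user verification not performed"
    if ad.flags & (FLAG_BE | FLAG_BS):  # either bit means the key can leave the device
        return False, "credential is backup-eligible (synced passkey)"
    if ad.aaguid is None or ad.aaguid not in allowed_aaguids:
        return False, "authenticator model not on allow-list"
    return True, "device-bound credential accepted"

def build_sample(rp_id: str, flags: int, aaguid: bytes) -> bytes:
    """Constructed registration authenticatorData for testing; the COSE public key is omitted
    because the policy check above does not read it."""
    cred_id = b"\x11" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT])
            + struct.pack(">I", 0) + aaguid + struct.pack(">H", len(cred_id)) + cred_id)
```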
Read at The Hacker News