- Browsers are the weak link that attackers now exploit to gain control
- SquareX shows how trivial scripts can intercept and hijack passkey flows
- From the user's perspective, the fake passkey prompts look completely genuine
For years, the shift from passwords to passkeys has been framed as the future of secure authentication.
By relying on cryptographic key pairs instead of weak or reused strings, passkeys promised to eliminate the risks that have long plagued password systems.
However, at the recent DEF CON 33 event, SquareX researchers presented new findings that challenge this view, claiming that the browsers trusted to manage passkey workflows can be exploited in a way that bypasses their protections.
The mechanics of passkeys
Passkeys operate through a system in which a private key remains on the user's device, while the service provider stores the matching public key.
To log in, the user verifies their identity locally with biometrics, a PIN or a hardware token, and the server authenticates the signed response against the stored public key.
This structure should eliminate many classic risks such as phishing or brute-force attacks. However, the entire process assumes that the browser acts as a trustworthy intermediary, a role that SquareX researchers now argue is dangerously fragile.
They showed how attackers can manipulate the browser environment with malicious extensions or scripts, allowing them to intercept the registration flow, replace the keys, and even trick users into re-registering under attacker-controlled conditions.
From the victim's perspective, the login process looks indistinguishable from a legitimate passkey login, with no warning signs that credentials are being compromised.
Established enterprise security tools, whether endpoint protection or network defenses, provide no visibility at this level of browser activity.
“Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take it as a security signal,” said SquareX's Shourya Pratap Singh.
“What they don't know is that attackers can easily spoof passkey registration and authentication prompts to hijack the passkey workflow in the browser. This puts almost all enterprise and consumer applications at risk, including critical data storage applications.”
With most enterprise data now stored on SaaS platforms, passkeys are quickly being adopted as the default authentication method.
SquareX's findings suggest that this transition introduces a new dependency on browser security, an area where oversight has traditionally been weak.
Passkeys may still represent progress beyond traditional credentials, but SquareX's research shows that no system is entirely free of flaws, and organizations may have moved too fast in adopting passkeys as a universal solution.
How to stay safe
- Use reliable antivirus software to detect and block hidden malicious code.
- Install extensions only from verified sources and review their permissions regularly.
- Keep browsers updated to ensure the latest security fixes are applied.
- Use a password manager to safely handle legacy accounts that still depend on passwords.
- Pair login processes with an authenticator app to strengthen verification steps.
- Regularly audit browser configuration to minimize exposure to untrusted scripts or add-ons.
- Limit the number of devices used for sensitive sessions to reduce attack opportunities.