Phishing-Resistant Passkeys Shown to Be Phishable at DEF CON 33
PR Newswire
HOUSTON, Aug. 12, 2025 /PRNewswire/ -- At DEF CON 33 in Las Vegas this past weekend, researchers from Allthenticate demonstrated a working phishing attack against "phishing-resistant" synced passkeys. The attack targets the password manager that holds the passkeys rather than the FIDO2 protocol itself: a phishing website captures what the victim types and relays it, in real time, to log in to a local instance of the victim's password manager (for example, the manager built into Chrome, or Bitwarden) that the attacker controls. Once the attacker is logged into the password manager, the vault is theirs, and with it every password and passkey the victim has stored. The passkeys are especially damaging because relying parties treat a passkey as a complete login and do not ask for a second factor, so a synced passkey ends up riskier than a traditional password that is still backed by a second factor. To make matters worse, the attacker can also permanently lock the victim out of every account by exporting and then deleting the stored credentials. The team published its findings and analysis at www.yourpasskeyisweak.com.
"This is not a fundamental problem with FIDO2," said Dr. Chad Spensky, the lead researcher on the project. "Only 'synced' passkeys are putting users at risk. 'Device-bound' passkeys, which never leave the device they were created on, are in fact unphishable for all practical purposes." Chad stressed that "the original specification only supported device-bound keys and was only amended to support synced keys a few years ago. I don't think many users realize that this bait and switch happened and the associated risks that come with it."
Arshad Noor, CTO of StrongKey, emphasized that "a cardinal principle of public-key cryptography (PKC) has been to never give up control of one's private key … While we may crave convenience in many aspects of our lives, there is a line we must preserve if we wish to choose control over our independence and destiny." Users need enough information to make an informed decision about the risk they are taking on. Two things are critical for the future of passkeys and for our security as a society: a clear indicator, at the moment a passkey is created and used, of which kind it is (synced vs. device-bound), and a way for service providers to restrict registration to device-bound passkeys only. For the second, the WebAuthn authenticator data already carries the signal a relying party needs: the Backup Eligibility (BE) and Backup State (BS) flags, which a synced passkey sets and a device-bound one leaves clear.
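As an added illustration of the relying-party check the paragraph above calls for, the Python below parses the fixed 37-byte prefix of WebAuthn authenticatorData (rpIdHash, flags, signCount) and rejects a credential whose BE flag is set. This is example code written for this page, not code from Allthenticate or from the DEF CON research; the relying party ID example.com and the sample authenticator data are constructed here for the demonstration, not captured from a real authenticator.

```python
import hashlib

# WebAuthn authenticatorData flag bits (flags byte at offset 32, after the 32-byte rpIdHash).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced off the authenticator
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }


def check_device_bound(auth_data: bytes, rp_id: str, require_uv: bool = True) -> tuple:
    """Return (accepted, reason) for a device-bound-only passkey policy.

    Run this at registration (before storing the credential) and again on every
    assertion, since the BE flag is what distinguishes a synced passkey.
    """
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    # The spec forbids BS=1 when BE=0; treat that combination as malformed.
    if ad["backup_state"] and not ad["backup_eligible"]:
        return False, "malformed flags: BS set without BE"
    if not ad["user_present"]:
        return False, "user presence not asserted"
    if require_uv and not ad["user_verified"]:
        return False, "user verification not asserted"
    if ad["backup_eligible"]:
        return False, "synced (backup-eligible) passkey rejected by policy"
    return True, "device-bound passkey accepted"


def build_sample(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed 37-byte authenticatorData prefix for the demonstration below."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


# Constructed samples (hypothetical rp_id "example.com"); not real authenticator output.
DEVICE_BOUND = build_sample("example.com", FLAG_UP | FLAG_UV)
SYNCED = build_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
NO_UV = build_sample("example.com", FLAG_UP)
WRONG_RP = build_sample("evil.example", FLAG_UP | FLAG_UV)
MALFORMED = build_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BS)

if __name__ == "__main__":
    for name, sample in [("device-bound", DEVICE_BOUND), ("synced", SYNCED),
                         ("no-uv", NO_UV), ("wrong-rp", WRONG_RP), ("malformed", MALFORMED)]:
        accepted, reason = check_device_bound(sample, "example.com")
        print(f"{name:12} accepted={accepted} ({reason})")
```

Two caveats for anyone deploying this. The BE and BS bits are self-reported by the authenticator, so at registration they are only as trustworthy as the attestation statement you verify alongside them; an authenticator that predates the flags leaves both bits clear and will look device-bound. And refusing BE=1 at registration is exactly the lever that blocks a password-manager-held passkey from ever being enrolled, which is what stops the relay attack described above from yielding a usable credential, but it also turns away users whose platform only offers synced passkeys, so it is a policy decision rather than a free hardening step.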
About Allthenticate
Allthenticate creates usable and secure authentication products. The Allthenticator app, an all-in-one authenticator, is free for personal use and lets users store "device-bound" passkeys, OTP codes, SSH keys, and other passwordless credentials securely in their smartphone and seamlessly use them across all of their devices.
Media Contact:
Devin Finch
+1 855-ALL-1337
View original content to download multimedia: https://www.prnewswire.com/news-releases/phishing-resistant-passkeys-shown-to-be-phishable-at-def-con-33-302527658.html
SOURCE Allthenticate
