In the evolving landscape of digital authentication, passkeys have emerged as a promising alternative to traditional passwords, offering enhanced security and user convenience. However, the implementation of synced passkeys—credentials stored and synchronized across devices via cloud services—introduces significant security risks that organizations must carefully consider.
The Concept of Synced Passkeys
Passkeys are cryptographic credentials stored within authenticators, designed to facilitate secure, passwordless authentication. They can be categorized into two types:
1. Device-Bound Passkeys: These are stored exclusively on a single device, ensuring that the credential remains confined to that device.
2. Synced Passkeys: These are stored on a device but are also synchronized across multiple devices through cloud services such as iCloud or Google Cloud. This synchronization aims to enhance user convenience by allowing access across various devices.
While synced passkeys offer improved usability, especially in consumer contexts, they shift the trust boundary from the individual device to the cloud accounts and their associated recovery processes. This shift introduces several vulnerabilities that can have serious implications for enterprise security.
Risks Associated with Synced Passkeys
1. Cloud Account Compromise: The security of synced passkeys is inherently tied to the security of the cloud accounts that manage them. If an attacker gains control over a user’s cloud account, they can potentially access and replicate the passkeys onto unauthorized devices, thereby compromising the integrity of the credentials.
2. Cross-Account Synchronization: In scenarios where users are logged into personal cloud accounts on corporate devices, passkeys created on these devices could be inadvertently synchronized to personal accounts. This unintended synchronization extends the attack surface beyond the organization’s security perimeter, making it challenging to enforce enterprise security policies effectively.
3. Exploitation of Account Recovery Processes: Attackers can target account recovery mechanisms to authorize new devices, allowing them to replicate protected keychains onto untrusted devices. This method effectively bypasses the security measures intended to protect the passkeys, rendering them vulnerable to unauthorized access.
Authentication Downgrade Attacks
A notable vulnerability associated with synced passkeys is the potential for authentication downgrade attacks. In such attacks, adversaries exploit the fallback mechanisms of authentication systems to circumvent strong authentication methods.
For instance, researchers have documented scenarios where phishing proxies impersonate unsupported browsers, prompting identity providers to disable passkey authentication. Consequently, users are guided to use weaker authentication methods, such as SMS-based one-time passwords (OTPs). The attacker captures these credentials and session cookies, enabling unauthorized access to the user’s account.
This attack vector leverages the inconsistent support for WebAuthn (the web standard on which passkeys are built) across operating systems and browsers. By exploiting these inconsistencies, together with identity-provider policies that permit weaker authentication methods for the sake of user experience, attackers can effectively bypass the security benefits of passkeys even though the passkey itself is never broken.
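To make the policy point concrete, here is an added illustration (not code from any real identity provider) that models the two ends of the downgrade described above. A permissive policy trusts what the client claims about WebAuthn support, a claim a proxy can spoof, and falls back to SMS OTP; a strict policy treats "phishing-resistant required" as non-negotiable and never widens the offered methods based on client claims. A small log check, run over constructed sample events, flags any login where a user under the strict policy nevertheless succeeded with a weak method, which is the fingerprint of a downgrade whether it came from a proxy or from a misconfiguration. Method names, the user policy map and the log fields are assumptions for the example.

```python
"""Identity-provider authentication-method policy (added example; not the code of any
real IdP). Contrasts a permissive policy that falls back to weak methods when the
client claims it lacks WebAuthn support with a strict policy that never does, and
includes a detection pass over constructed login events."""
from dataclasses import dataclass

PHISHING_RESISTANT = ["webauthn"]                  # origin-bound methods
WEAK_FALLBACKS = ["totp", "sms_otp", "password"]   # ordered strongest to weakest


@dataclass
class LoginContext:
    user: str
    enrolled: set                  # methods the user has enrolled
    client_claims_webauthn: bool   # derived from User-Agent / client hints: attacker-influenced
    require_phishing_resistant: bool = True   # per-user or per-group policy (assumed)


def permissive_policy(ctx: LoginContext) -> list:
    """Weak: offers WebAuthn only if the client says it can, otherwise the fallbacks.
    A proxy that impersonates an unsupported browser gets the user routed to SMS OTP."""
    if ctx.client_claims_webauthn and "webauthn" in ctx.enrolled:
        return ["webauthn"]
    return [m for m in WEAK_FALLBACKS if m in ctx.enrolled]


def strict_policy(ctx: LoginContext) -> list:
    """Hardened: when the policy requires phishing resistance, only phishing-resistant
    methods are ever offered. The client's claimed capabilities never widen the set;
    an unsupported browser gets no login (empty list) rather than a weaker login, and
    the user is directed to a supported client or to enrollment on a trusted device."""
    strong = [m for m in PHISHING_RESISTANT if m in ctx.enrolled]
    if ctx.require_phishing_resistant:
        return strong
    return strong + [m for m in WEAK_FALLBACKS if m in ctx.enrolled]


def find_downgrades(events: list, policies: dict) -> list:
    """Return successful logins by users who are required to use phishing-resistant
    auth but were authenticated with something weaker. `policies` maps user -> bool
    (require_phishing_resistant); unknown users are treated as not required."""
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        if policies.get(e["user"], False) and e["method"] not in PHISHING_RESISTANT:
            hits.append(e)
    return hits


# Constructed sample events (not real logs). The second line is what a proxy-driven
# downgrade looks like: a WebAuthn-capable user suddenly "succeeds" with SMS OTP from
# a client presenting an ancient User-Agent.
SAMPLE_EVENTS = [
    {"user": "alice", "method": "webauthn", "result": "success", "ua": "Chrome/128"},
    {"user": "alice", "method": "sms_otp", "result": "success", "ua": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"user": "bob", "method": "sms_otp", "result": "success", "ua": "Chrome/128"},
    {"user": "alice", "method": "password", "result": "failure", "ua": "Chrome/128"},
]
POLICY = {"alice": True, "bob": False}   # assumed per-user policy table


if __name__ == "__main__":
    ctx = LoginContext("alice", {"webauthn", "sms_otp"}, client_claims_webauthn=False)
    print("permissive offers:", permissive_policy(ctx))   # ['sms_otp']  <- downgrade
    print("strict offers:    ", strict_policy(ctx))       # ['webauthn']
    for hit in find_downgrades(SAMPLE_EVENTS, POLICY):
        print("downgrade suspected:", hit)
```

The key design choice is that the strict policy derives the offered methods from what the user has enrolled and what the policy requires, never from what the client says it supports; a genuine legacy browser simply cannot log in, which is the intended outcome for accounts that must be phishing-resistant.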
Browser-Based Vulnerabilities
The security of passkeys is also susceptible to threats originating from compromised browser environments. Malicious browser extensions or vulnerabilities within the browser can hijack WebAuthn requests, manipulate passkey registration or sign-in processes, and exploit autofill functionalities to leak credentials and one-time codes.
For example, compromised browser extensions can intercept WebAuthn calls, allowing attackers to manipulate the authentication process without breaking the cryptographic security of passkeys. They can initiate unauthorized registration processes, force users into password-based fallbacks, or silently complete authentication assertions, all without the user’s knowledge.
Recommendations for Enterprise Security
Given the identified risks, organizations should exercise caution when considering the deployment of synced passkeys. To enhance security, the following measures are recommended:
1. Prefer Device-Bound Passkeys: Utilize passkeys that are bound to specific hardware security keys. These device-bound passkeys offer higher assurance and better administrative control, as they are not susceptible to the vulnerabilities associated with cloud synchronization.
2. Restrict Cloud Account Integration: Implement policies that prevent the use of personal cloud accounts on corporate devices. This restriction minimizes the risk of unintended synchronization of passkeys to personal accounts, thereby reducing the attack surface.
3. Strengthen Account Recovery Processes: Enhance the security of account recovery mechanisms to prevent unauthorized device authorizations. This can include implementing multi-factor authentication (MFA) for recovery processes and monitoring for suspicious recovery attempts.
4. Monitor Browser Extensions: Establish strict controls over the installation and use of browser extensions within the organization. Regularly audit installed extensions for potential security risks and educate users about the dangers of unverified extensions.
5. Enforce Strong Authentication Policies: Configure identity providers to disallow weak authentication methods, even as fallbacks. Ensure that policies mandate the use of strong, phishing-resistant authentication methods to maintain a high security standard.
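Recommendation 1 can be enforced by the relying party itself, not only by procurement choices: WebAuthn authenticator data carries a Backup Eligible (BE) flag, set for credentials that can be synced, and a Backup State (BS) flag, set when the credential currently is backed up. The following added example (not the code of any library or of this article's author) parses the fixed prefix of the authenticator data and the clientDataJSON during registration, performs the checks that also blunt the browser-level manipulation described earlier (ceremony type, issued challenge, expected origin, rpIdHash), and rejects backup-eligible credentials unless policy allows them. The RP id, origins and the constructed sample authenticator data are assumptions; signature and attestation verification are deliberately out of scope.

```python
"""Relying-party registration checks for WebAuthn (added illustration, not a library's
own API). Parses the 37-byte fixed prefix of authenticatorData plus clientDataJSON and
rejects backup-eligible (syncable) passkeys when policy demands device-bound ones.
Signature and attestation-statement verification are not shown."""
import base64
import hashlib
import json
import secrets
import struct

# Authenticator data flag bits (WebAuthn Level 3, authenticator data layout)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows (always set at registration)

RP_ID = "example.com"                                           # assumed
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}   # assumed


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_auth_data(auth_data: bytes) -> dict:
    """rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
    }


def verify_registration(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                        rp_id: str = RP_ID, allowed_origins: set = ALLOWED_ORIGINS,
                        allow_synced: bool = False) -> dict:
    """Raise ValueError on any policy or binding failure; return parsed auth data otherwise."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.create":
        raise ValueError("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed or forged request)")
    if cd.get("origin") not in allowed_origins:
        raise ValueError(f"unexpected origin {cd.get('origin')!r}")
    ad = parse_auth_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not ad["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if not ad["flags"] & FLAG_UV:
        raise ValueError("user verification required by policy")
    if not ad["flags"] & FLAG_AT:
        raise ValueError("registration must carry attested credential data")
    if ad["backup_eligible"] and not allow_synced:
        raise ValueError("synced (backup-eligible) passkey rejected by policy")
    return ad


# ---- constructed sample inputs (not captured from a real authenticator) ----
def make_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Only the 37-byte prefix; real registration data continues with AAGUID,
    credential id and the COSE public key, which this example does not parse."""
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(challenge: bytes, origin: str, typ: str = "webauthn.create") -> bytes:
    return json.dumps({"type": typ, "challenge": b64url_encode(challenge), "origin": origin}).encode()


def demo() -> dict:
    """Run the checks against a device-bound, a synced, a wrong-origin and a stale-challenge case."""
    challenge = secrets.token_bytes(32)
    cd = make_client_data(challenge, "https://example.com")
    device_bound = make_auth_data(FLAG_UP | FLAG_UV | FLAG_AT)
    synced = make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT)
    results = {"device_bound": verify_registration(cd, device_bound, challenge)["backup_eligible"]}
    cases = {
        "synced": (cd, synced, challenge),
        "wrong_origin": (make_client_data(challenge, "https://evil.example"), device_bound, challenge),
        "stale_challenge": (cd, device_bound, secrets.token_bytes(32)),
    }
    for name, (c, a, ch) in cases.items():
        try:
            verify_registration(c, a, ch)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} -> {v}")
```

Recording the BE and BS values per credential also gives operations a useful inventory: a credential whose BS flag flips from 0 to 1 on a later assertion has just become backed up, which is worth an alert under a device-bound policy.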
Conclusion
While passkeys represent a significant advancement in authentication technology, the implementation of synced passkeys introduces vulnerabilities that can be exploited by attackers. Organizations must carefully evaluate the security implications of using synced passkeys and consider adopting device-bound alternatives to maintain robust security postures. By understanding and mitigating these risks, enterprises can leverage the benefits of passkeys without compromising their security.