Passkeys Are Not Phishing-Proof: A New Attack Bypasses Passwordless Security
Although passkeys are promoted as a passwordless, phishing-resistant and inherently secure authentication method, Proofpoint researchers warn that this protection can be bypassed with relative ease. Under certain conditions, an attacker can force a user back onto an older, phishable form of authentication, nullifying the benefit of the new technology.
The researchers stress that the presence of a passkey does not guarantee security if the account still allows login via a traditional username and password. This weakness underpins the technique that Proofpoint described and reproduced in a controlled environment. For example, within Microsoft Entra ID, FIDO2 authentication support depends on the combination of operating system, browser, and client. Attempting to sign in to a Microsoft account via Safari on Windows or Firefox on Android, for instance, renders the passkey unusable, and the sign-in flow automatically falls back to the other methods registered on the account.
It is precisely this inconsistency that attackers exploit. The phishing site sits between the victim and the real identity provider and rewrites the User-Agent header on the requests it forwards upstream; the provider then believes the victim is on an unsupported platform, withholds the passkey option, and offers a password-based login, with or without a second factor. The victim's actual browser is irrelevant: the downgrade is decided by what the provider sees, not by what the user has. The report highlights that even such a seemingly minor inconsistency can be leveraged in adversary-in-the-middle (AitM) attacks, particularly when coupled with specialized phishing frameworks.
To demonstrate, Proofpoint developed a “phishlet” template (the site-template format used by the Evilginx phishing toolkit) that emulates the authentication flow, harvests credentials, and captures session cookies. The last step is the critical one: once the victim completes the spoofed authentication, the session cookie is in the attacker’s hands. Importing that cookie into a browser gives full access to the account without a password or any further verification, because the session it represents has already been authenticated by the victim.
A typical attack begins with a malicious link, delivered by email, SMS or PDF, or disguised as an OAuth consent request. On clicking, the victim sees an error message encouraging them to choose an alternative sign-in method. In the case of Entra ID, the system presents several options; whichever supported method the user picks, from one-time codes to authenticator-app prompts, is relayed through the proxy in real time, so the attack succeeds and the session is captured just as in a standard account takeover.
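The downgrade mechanism and the resulting login flow described above, as an added example that is not Proofpoint's or Microsoft's code: a small Python simulation in which an identity provider withholds the passkey option for client platforms it treats as unsupported, an adversary-in-the-middle proxy forwards the victim's request with a swapped User-Agent header, and a detector is then run over the sign-in records the simulated provider writes. Everything specific here is an assumption: the support matrix is reduced to the two unsupported combinations named in the article, the user-agent classifier is deliberately crude, the user-agent strings and IP addresses are constructed, and the record fields (user, method, user_agent, ip) are a made-up schema only loosely modelled on Entra ID sign-in logs. The third case goes beyond the article to show the policy side: an account whose only allowed method is the passkey has nothing to fall back to, so the proxy gets a blocked login instead of a downgraded one.

```python
"""Added example (not Proofpoint's or Microsoft's code): simulate the
User-Agent downgrade, then detect it in the sign-in records it leaves.
All platform rules, user agents, addresses and field names are assumptions."""
from dataclasses import dataclass

# Assumed, simplified support matrix: (os, browser) pairs for which the
# simulated IdP will not offer FIDO2 (the two combinations the article names).
UNSUPPORTED_FOR_FIDO2 = {("Windows", "Safari"), ("Android", "Firefox")}

# Constructed user-agent strings. Chrome's UA also contains "Safari/", so the
# classifier below must test for Chrome before Safari.
CHROME_WINDOWS = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36")
SAFARI_WINDOWS = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")


def classify_user_agent(ua: str) -> tuple:
    """Return (os, browser). Crude substring matching: fine for the demo only."""
    os_name = "Windows" if "Windows" in ua else "Android" if "Android" in ua else "Other"
    if "Firefox/" in ua:
        browser = "Firefox"
    elif "Chrome/" in ua or "CriOS/" in ua:
        browser = "Chrome"
    elif "Safari/" in ua:
        browser = "Safari"
    else:
        browser = "Other"
    return os_name, browser


@dataclass(frozen=True)
class Account:
    upn: str
    methods: frozenset  # methods both registered by the user and allowed by policy


def methods_offered(account: Account, headers: dict) -> list:
    """The IdP's decision: drop FIDO2 when the client looks unsupported."""
    offered = sorted(account.methods)
    if classify_user_agent(headers.get("User-Agent", "")) in UNSUPPORTED_FOR_FIDO2:
        offered = [m for m in offered if m != "fido2"]
    return offered


def aitm_forward(client_headers: dict, spoofed_ua: str) -> dict:
    """The proxy relays the victim's request upstream with the User-Agent swapped."""
    upstream = dict(client_headers)
    upstream["User-Agent"] = spoofed_ua
    return upstream


def sign_in(account: Account, headers: dict, ip: str) -> dict:
    """One login: the passkey is used whenever it is offered; otherwise the
    victim is driven to the first fallback. Returns the IdP's sign-in record."""
    offered = methods_offered(account, headers)
    if not offered:
        method = "blocked"        # policy leaves nothing this client can use
    elif "fido2" in offered:
        method = "fido2"
    else:
        method = offered[0]       # e.g. "password": the downgrade succeeded
    return {"user": account.upn, "method": method,
            "user_agent": headers["User-Agent"], "ip": ip}


def flag_downgrades(records: list, passkey_users: set) -> list:
    """Detection: a passkey holder who signed in with a weaker method is worth
    a look ("medium"); if the recorded UA is one the IdP treats as unsupported,
    the record matches the downgrade pattern exactly ("high")."""
    findings = []
    for rec in records:
        if rec["user"] not in passkey_users or rec["method"] in ("fido2", "blocked"):
            continue
        unsupported = classify_user_agent(rec["user_agent"]) in UNSUPPORTED_FOR_FIDO2
        findings.append({"user": rec["user"], "method": rec["method"], "ip": rec["ip"],
                         "severity": "high" if unsupported else "medium"})
    return findings


def scenario() -> tuple:
    """Direct login, login through the proxy, and login through the proxy for an
    account whose policy allows only the passkey. Returns (records, findings)."""
    alice = Account("alice@example.com", frozenset({"fido2", "password", "sms_otp"}))
    bob = Account("bob@example.com", frozenset({"fido2"}))   # phishing-resistant only
    client = {"User-Agent": CHROME_WINDOWS}
    records = [
        sign_in(alice, client, "203.0.113.10"),                               # passkey used
        sign_in(alice, aitm_forward(client, SAFARI_WINDOWS), "198.51.100.7"),  # downgraded
        sign_in(bob, aitm_forward(client, SAFARI_WINDOWS), "198.51.100.7"),    # nothing to fall back to
    ]
    return records, flag_downgrades(records, {alice.upn, bob.upn})


if __name__ == "__main__":
    records, findings = scenario()
    for rec in records:
        print(rec)
    for finding in findings:
        print("FLAG", finding)
```

Run directly, it prints the three records and the single "high" finding for the proxied login. The point for real telemetry is the pairing the detector keys on: a user known to hold a passkey, a weaker method recorded, and a client platform on which the provider would not have offered the passkey in the first place. The blocked third case is the defensive lesson in miniature: when policy leaves no phishable method on the account, the same proxy gets nothing.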
Although there is currently no evidence of this technique in active campaigns, the risk remains significant. Attackers often take the easier targets first, but the very existence of a passkey bypass is a serious concern that warrants attention. Nor is Microsoft alone: any authentication system that keeps a weaker fallback method enabled remains exposed. The practical consequence for defenders is that a passkey delivers its phishing resistance only when the phishable methods are removed from the account or blocked by policy, for example by requiring a phishing-resistant authentication strength through Conditional Access in Entra ID, rather than merely added alongside them.