Skip to content

Information Security News

  • Home
  • Cyber Security
  • Cybercriminals
  • Data Leak
  • Google
    • Android
  • Information Security
  • Linux
  • Malware
  • Microsoft
    • Windows
  • Open Source Tool
  • Vulnerability
  • Technology

Information Security News

  • Home
  • Cyber Security
  • Cybercriminals
  • Data Leak
  • Google
    • Android
  • Information Security
  • Linux
  • Malware
  • Microsoft
    • Windows
  • Open Source Tool
  • Vulnerability
  • Technology
  • Cybercriminals

Passkeys Are Not Phishing-Proof: A New Attack Bypasses Passwordless Security

by Nam Phong · August 14, 2025

Although passkeys are promoted as a passwordless, phishing-resistant, and inherently secure authentication method, Proofpoint researchers warn that such protection can be bypassed with relative ease. Under certain conditions, an attacker can force a user to revert to an outdated and vulnerable form of authentication—effectively nullifying the benefits of the new technology.

The researchers stress that the presence of a passkey does not guarantee security if the account still allows login via traditional username and password. This very weakness underpins the technique that Proofpoint described and successfully reproduced in a controlled environment. For example, within the Microsoft Entra ID infrastructure, FIDO2 authentication support depends on a specific combination of operating system, browser, and client. Attempting to sign in to a Microsoft account via Safari on Windows or Firefox on Android, for instance, will render the passkey unusable—automatically triggering a fallback to alternative login methods.

It is precisely this inconsistency that attackers exploit. By spoofing the user-agent, a phishing site can simulate an unsupported environment, prompting the target system to offer a password-based login with or without two-factor authentication. The report highlights that even such a seemingly minor flaw can be leveraged in man-in-the-middle attacks, particularly when coupled with specialized frameworks.

To demonstrate, Proofpoint developed a phishing “phishlet” template—part of a phishing toolkit—that emulates the authentication flow, harvests credentials, and captures session cookies. The latter step is particularly critical: once the victim completes the spoofed authentication, the session token is in the attacker’s possession. By importing this token into a browser, the attacker can gain full access to the account without requiring a password or additional verification.

A typical attack begins with a malicious link—delivered via email, SMS, PDF, or disguised as an OAuth access request. Upon clicking, the victim is shown an error message encouraging them to choose an alternative sign-in method. In the case of Entra ID, the system presents several options; if the user selects any supported method, from one-time codes to authenticator apps, the attack succeeds, and the data is exfiltrated just as in a standard account takeover.

Although there is currently no evidence of this technique being used in active campaigns, the risk remains significant. While attackers often opt for easier targets, the very existence of a bypass for passkeys is viewed as a serious concern, warranting heightened awareness. And Microsoft is not alone—any authentication system that supports fallback login mechanisms remains vulnerable.

Related coverage

  • NovaCookies Phishing Service Emerges as Sneaky2FA Successor
  • IRIS C2 Cybersecurity Startup Secretly Run by Fraudsters
  • UNK_MassTraction Hits University Roundcube Servers
  • UAT-7810 Router Attacks: Inside the LapDogs ORB Network
  • Kairos Data Extortion: $1M Cyber Crisis

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Tags: Account TakeoverAuthenticationcybersecurityEntra IDhackingPasskeysphishingProofpointsecurity flaw

Follow:

  • Next story High-Severity Flaws Found in Matrix Protocol, Posing Risk to Government Communications
  • Previous story Whonix 17.4 Is Here: A New Era of Uncompromising Online Anonymity

  • Recent Posts
  • Popular Posts
  • Tags
  • GhostCommit AI vulnerability diagram illustrating prompt injection against AI coding assistants

    Vulnerability

    The GhostCommit Vulnerability: AI Assistants Weaponized via Images

    July 14, 2026

  • Critical Joomla extension vulnerabilities diagram, iCagenda and Balbooa Forms exploit overview

    Malware

    Critical Joomla Extension Vulnerabilities Actively Exploited

    July 14, 2026

  • Debian 13.6 point release updates with UEFI Secure Boot and Linux kernel patches

    Linux

    Debian 13.6 Released: Crucial Security and UEFI Fixes

    July 14, 2026

  • Interpol Operation First Light 2026 global fraud bust 5811 arrests 293 million dollars seized

    Cybercriminals

    Operation First Light 2026: 5,811 Arrested in Global Fraud Bust

    July 13, 2026

  • Ransomware negotiator Angelo Martino sentenced 70 months for betraying clients to BlackCat ALPHV

    Malware

    Ransomware Negotiator Sentenced for Betraying Clients to BlackCat

    July 13, 2026

  • Apache Camel vulnerabilities enabling server-side request forgery and authentication bypass in JMS and WebSocket connectors

    Vulnerability

    Apache Camel Patches Five High-Severity Vulnerabilities

    July 9, 2026

  • OpenSUSE Leap 15.4 Beta releases, Linux distributions

    Linux

    OpenSUSE Leap 15.4 Beta releases, Linux distributions

    May 30, 2020

  • Ubuntu 16.04.6 LTS released: fix security vulnerabilities

    Linux

    Ubuntu 16.04.6 LTS released: fix security vulnerabilities

    March 1, 2019

  • GhostBSD 23.10.1 released, FreeBSD distribution

    Linux

    GhostBSD 23.10.1 released, FreeBSD distribution

    May 1, 2020

  • Solus 4.4 Fortitude releases, Linux distribution

    Linux

    Solus 4.4 Fortitude releases, Linux distribution

    January 26, 2020

  • AI AI security Android Apple APT BOTNET China CISA cloud security cryptocurrency cyberattack cybercrime Cyber Espionage cybersecurity Cybersecurity 2026 data breach Github google hacking Infosec InfoSec 2026 Infostealer Linux Linux Kernel malware Microsoft network security open source Penetration Testing phishing privacy privilege escalation Prompt Injection ransomware RCE remote code execution security Social Engineering supply chain attack Tech News 2026 threat intelligence vulnerability windows Windows 11 zero-day
  • Home
  • About Us
  • Contact Us
  • DMCA NOTICE
  • Privacy Policy

Information Security News © 2026. All Rights Reserved.

Powered by  - Designed with Hueman Pro