
Browser flaw exposes passkey authentication to hijacking risk
SquareX has disclosed a significant vulnerability affecting passkey-based authentication, potentially putting banking, shopping and enterprise SaaS accounts at risk.
Passkeys, regarded as a more secure alternative to traditional passwords, use cryptographic key pairs. The private key remains on the user's device, while the public key is hosted by the service provider. Authentication is conducted locally by the user utilising biometrics, a hardware key, or a PIN, with the public key on the server verifying the resulting signature. This method is designed to restrict access to pre-registered devices and specific websites, reducing the risks associated with password theft, reuse, or weakness.
Industry data from FIDO suggests that more than 15 billion accounts have enabled passkeys, with global adoption rates indicating that 69% of users have activated passkeys on at least one account. The fundamental promise of passkeys is to eliminate vulnerabilities connected to passwords. However, new research presented by SquareX indicates that this promise may be undermined by an overlooked vulnerability within browsers.
Browser intercept vulnerability
SquareX researchers Shourya Pratap Singh, Daniel Seetoh and Jonathan Lin have demonstrated that the security of passkey authentication depends on the assumption that the browser is "honest" and uncompromised. All communication between the authentication server and the user's device is conducted through the browser, making it a potential weak point.
Through the use of relatively simple scripts and potentially malicious browser extensions, attackers are able to intercept and manipulate the passkey registration process. This could allow them to gain account access without the user's biometric data or physical device. Attackers are also able to intentionally disrupt registered passkey logins, prompting users to re-register their credentials in a controlled environment, effectively granting attackers access.
"Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security. What they don't know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser. This puts pretty much every enterprise and consumer application, including critical banking and data storage apps, at risk," says SquareX researcher Shourya Pratap Singh.
This risk is compounded by the limitations of conventional security solutions. Endpoint Detection and Response (EDR) and Security Service Edge (SSE) technologies do not offer the necessary visibility within the browser to detect these exploits. To the user, the entire attack process appears identical to a legitimate passkey authentication, with no visible or technical signals to differentiate between a genuine and a malicious authentication request.
Lack of visible indicators
Because of this, effective mitigation is dependent on monitoring and blocking malicious scripts and extensions within the browser environment. This lack of transparent indicators highlights a challenge for security teams charged with protecting sensitive data and services.
The growing reliance on software-as-a-service (SaaS) platforms for organisations adds further urgency, as more than 80% of enterprise data is now stored in SaaS applications. Passkeys have quickly become the de facto standard for accessing these environments.
Experiments by SquareX show that browsers are now the principal vulnerability point for passkey-based authentication systems. Attackers can exploit this weak spot to hijack authentication processes on critical platforms.
Vivek Ramachandran, the Founder of SquareX, shares: "SquareX has been actively researching new ways attackers exploit employees in the browser. Without a browser security layer, passkeys in isolation can be easily hijacked by attackers to gain unauthorized access to enterprise SaaS apps, where critical data is stored. This underscores the urgent need for Browser Detection and Response, an 'EDR in the browser', which SquareX has been pioneering."
With passkeys poised to become the industry's authentication gold standard, maintaining the security of browser environments is a priority for enterprises and service providers alike. Without visibility at the browser level, organisations remain susceptible to attacks that bypass current authentication protocols and could put sensitive business and personal information at risk.