

Ethical Hacking News

Phishing Attack Tactics: How Attackers are Evading Passkey-Based Authentication




Attackers keep finding ways around the controls organizations deploy against phishing, and the problem is compounded by the fact that most organizations have several possible entry points into each account. This article looks at how attackers get around passkey-based authentication and what organizations can do to stay ahead of them.



  • Passkey-based authentication (passwordless authentication) is not a foolproof solution against phishing attacks.
  • Attackers are using various tactics, including device code phishing, consent phishing, verification phishing, and app-specific password phishing, to evade security measures.
  • Phishing attacks can exploit vulnerabilities in multiple entry points, such as local "ghost logins" and SSO coverage gaps.
  • Downgrade attacks using Attacker-in-the-Middle (AitM) phishing kits make up the vast majority of passkey-bypassing phishing attacks.
  • Organizations must implement comprehensive identity attack detection and response capabilities to prevent and detect phishing attacks.
  • Auditing app and identity sprawl can help identify vulnerabilities and reduce susceptibility to phishing attacks.



The advent of passkey-based authentication, also known as passwordless authentication, has been hailed as a game-changer in the fight against phishing. The idea is to replace traditional passwords with verification methods that are both more secure and more convenient, such as biometric data or smart card tokens. Despite its benefits, however, passkey-based authentication has not eliminated the phishing threat.

Attackers have responded with a range of tactics for getting around these controls. One of the most notable is device code phishing: the victim is tricked into visiting a webpage on a different device and entering a unique code, which ends up granting the attacker access to the victim's account.

Device code flows exist because many devices cannot complete a passkey-based login, so identity providers offer an alternative: the device shows the user a short code and tells them to open a webpage in a browser on another device and enter it there. Attackers abuse this flow by starting it themselves and sending the resulting code to the target, convincing them to visit their legitimate authentication provider's website and enter the attacker-supplied code. Because the code was issued to the attacker's session, completing the flow grants the attacker access to the target's account.
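The flow described above, and the two places a defender can intervene in it, as an added example that is not part of the original article and not Push Security's or any identity provider's code. It simulates the OAuth 2.0 device authorization grant (RFC 8628) with an in-memory server; the user names, IP addresses, the per-user policy gate and the "same /24 means same network" heuristic are all constructed for illustration.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) with two
defender-side controls bolted on. Constructed example for this article, not
Push Security's or any identity provider's code; users, IPs and the /24
"same network" heuristic are all made up for illustration."""
import ipaddress
import secrets
import time

POLL_INTERVAL = 5   # RFC 8628 "interval" (seconds between token polls)
CODE_TTL = 600      # RFC 8628 "expires_in" (lifetime of the codes, seconds)
VERIFICATION_URI = "https://idp.example/device"   # constructed


class DeviceFlowDenied(Exception):
    """Raised by the policy gate when a user may not complete a device-code login."""


class DeviceAuthServer:
    def __init__(self, device_flow_allowed):
        self.device_flow_allowed = set(device_flow_allowed)  # policy: who may use the flow
        self.flows = {}          # device_code -> flow record
        self.by_user_code = {}   # user_code -> device_code

    def start_flow(self, client_ip):
        """Step 1: the client (legitimately a TV or CLI; in an attack, the phisher)
        asks for a device_code/user_code pair. Nothing about the victim is known yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.flows[device_code] = {"user_code": user_code, "client_ip": client_ip,
                                   "created": time.time(), "user": None,
                                   "approver_ip": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_TTL, "interval": POLL_INTERVAL}

    def approve(self, user_code, user, approver_ip):
        """Step 2: a signed-in user enters the user_code at VERIFICATION_URI.
        This is the only step the victim performs, so the policy gate lives here."""
        device_code = self.by_user_code[user_code]          # KeyError if unknown code
        rec = self.flows[device_code]
        if time.time() - rec["created"] > CODE_TTL:
            raise TimeoutError("expired_token")
        if user not in self.device_flow_allowed:
            raise DeviceFlowDenied(f"device code flow not permitted for {user}")
        rec["user"], rec["approver_ip"] = user, approver_ip

    def poll(self, device_code, client_ip):
        """Step 3: the client polls the token endpoint. Returns (response, alert).
        The token goes to whoever holds device_code, which is the whole problem."""
        rec = self.flows[device_code]
        if time.time() - rec["created"] > CODE_TTL:
            return {"error": "expired_token"}, None
        if rec["user"] is None:
            return {"error": "authorization_pending"}, None
        token = {"access_token": secrets.token_urlsafe(32), "sub": rec["user"]}
        return token, approver_client_mismatch(rec["approver_ip"], client_ip, rec["user"])


def approver_client_mismatch(approver_ip, client_ip, user):
    """Detection: in a genuine device-code login the approving browser and the
    polling device are usually on the same network. "Same network" here means the
    same IPv4 /24, a constructed heuristic; a phished flow typically shows the
    token being collected from an address unrelated to the one that approved it."""
    approver_net = ipaddress.ip_network(f"{approver_ip}/24", strict=False)
    if ipaddress.ip_address(client_ip) in approver_net:
        return None
    return {"rule": "device_code_approver_client_mismatch", "user": user,
            "approved_from": approver_ip, "token_collected_by": client_ip}


def run_scenario(user, allowed_users, client_ip, approver_ip):
    """Drive one complete flow: start, poll (pending), approve, poll (token).
    Returns (final_response, alert_or_None) so the outcome can be inspected."""
    idp = DeviceAuthServer(allowed_users)
    codes = idp.start_flow(client_ip)
    pending, _ = idp.poll(codes["device_code"], client_ip)
    assert pending == {"error": "authorization_pending"}
    try:
        idp.approve(codes["user_code"], user, approver_ip)
    except DeviceFlowDenied as exc:
        return {"error": str(exc)}, None
    return idp.poll(codes["device_code"], client_ip)


if __name__ == "__main__":
    # Phishing shape: the flow is started and polled from 203.0.113.10 while the
    # user approves from the corporate range 198.51.100.0/24 (constructed values).
    print(run_scenario("alice@example.test", {"alice@example.test"},
                       "203.0.113.10", "198.51.100.7"))
```

The design point is that the token endpoint has no way to tell a TV in the user's living room from a phisher's script: both just present a valid `device_code`. The two controls therefore sit around the flow rather than inside it. Denying the grant at approval time for users who never use headless devices removes the path entirely, and comparing the approving address with the polling address turns the one thing the attacker cannot fake into a detection signal.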

Another technique is consent phishing. OAuth lets users grant third-party apps permission to access their data, and adversaries abuse this by tricking users into authorizing a malicious OAuth app. The phishing link leads the target to a consent prompt requesting permissions to read sensitive data or perform dangerous actions; if the target grants them, the adversary gains extensive access to the target's account.
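What a defender looks for after the fact, as an added example that is not from the original article and not Push Security's or Microsoft's code: a small audit of consent-grant records that scores each grant by the scopes it requested and whether the publisher is verified, and then looks across the tenant for the same app collecting consent from several users. The audit records, app names, publisher flags and risk weights are constructed; the scope names are modelled on common Microsoft Graph delegated permissions.

```python
"""Scoring OAuth consent grants to surface consent phishing. Constructed example
for this article, not Push Security's or Microsoft's code: the audit records,
app names, publisher flags and risk weights are made up; scope names are
modelled on common Microsoft Graph delegated permissions."""
import json
from collections import defaultdict

# Illustrative weights for what an adversary gains from each delegated scope.
SCOPE_RISK = {
    "offline_access": 3,      # refresh token: access outlives the victim's session
    "Mail.ReadWrite": 4, "Mail.Send": 4, "Mail.Read": 3,
    "Files.ReadWrite.All": 4, "Files.Read.All": 3,
    "Contacts.Read": 1,
    "User.Read": 0, "openid": 0, "profile": 0, "email": 0,
}
UNKNOWN_SCOPE_RISK = 2          # anything not in the table is treated as moderately risky
UNVERIFIED_PUBLISHER_RISK = 2
ALERT_THRESHOLD = 5

# Constructed consent-grant audit records, one JSON object per line.
CONSENT_LOG = """\
{"ts":"2025-07-28T09:12:01Z","user":"alice@example.test","app_id":"app-111","app_name":"Corporate Expenses","publisher_verified":true,"scopes":["openid","profile","User.Read"]}
{"ts":"2025-07-28T09:40:55Z","user":"bob@example.test","app_id":"app-222","app_name":"Document Viewer Pro","publisher_verified":false,"scopes":["offline_access","Mail.ReadWrite","Files.ReadWrite.All"]}
{"ts":"2025-07-28T10:05:13Z","user":"carol@example.test","app_id":"app-333","app_name":"Calendar Sync","publisher_verified":true,"scopes":["offline_access","Contacts.Read"]}
{"ts":"2025-07-28T10:07:42Z","user":"dave@example.test","app_id":"app-222","app_name":"Document Viewer Pro","publisher_verified":false,"scopes":["offline_access","Mail.ReadWrite","Files.ReadWrite.All"]}
"""


def score_grant(rec):
    """Return (score, reasons) for one consent grant."""
    score, reasons = 0, []
    for scope in rec["scopes"]:
        risk = SCOPE_RISK.get(scope, UNKNOWN_SCOPE_RISK)
        score += risk
        if risk >= 3:
            reasons.append(scope)
    if not rec.get("publisher_verified", False):
        score += UNVERIFIED_PUBLISHER_RISK
        reasons.append("unverified_publisher")
    return score, reasons


def parse_log(log_text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def audit_consents(log_text, threshold=ALERT_THRESHOLD):
    """Flag individual grants whose score reaches the threshold."""
    findings = []
    for rec in parse_log(log_text):
        score, reasons = score_grant(rec)
        if score >= threshold:
            findings.append({"ts": rec["ts"], "user": rec["user"], "app_id": rec["app_id"],
                             "app_name": rec["app_name"], "score": score,
                             "reasons": reasons, "action": "revoke_grant_and_review_app"})
    return findings


def consent_campaigns(log_text, min_users=2):
    """Tenant-level view: the same app collecting consent from several users in
    one log window is the footprint of a campaign, not one user's mistake.
    Returns {app_id: sorted list of distinct users}."""
    users_by_app = defaultdict(set)
    for rec in parse_log(log_text):
        users_by_app[rec["app_id"]].add(rec["user"])
    return {app: sorted(users) for app, users in users_by_app.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for finding in audit_consents(CONSENT_LOG):
        print(finding)
    print(consent_campaigns(CONSENT_LOG))
```

Two details carry the weight here. `offline_access` is scored on its own because a refresh token is what lets the adversary keep reading the mailbox after the victim closes the tab, so a grant that bundles it with mail or file scopes is far worse than the scopes alone suggest. And the per-app roll-up matters because the first flagged grant looks like a one-off; the second user consenting to the same unverified app is the point at which revoking the app's grants tenant-wide, rather than one user's, becomes the right response.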

Attackers also use verification phishing to bypass multi-factor authentication (MFA) controls. Email verification is sometimes used as a control, for example when registering a new account: the target user is emailed either a link to click or a verification code to enter. Verification phishing uses phishing or social engineering to get the user to click that link or hand over that code, which defeats the control.

Attackers also employ app-specific password phishing, a social engineering attack in which the adversary tricks a user into generating an "app-specific password" for their account and sharing it. These legacy passwords exist so that older applications that do not support modern authentication such as OAuth 2.0 can still access account data, which means a stolen one gives access without the passkey ever being involved.

The threat is compounded by the fact that many organizations have multiple possible entry points into their accounts, including local "ghost logins" that sit alongside SSO and gaps in SSO coverage. Even where an organization has rolled out passkey-based authentication, these other paths remain open to attack.

Device code phishing gives attackers account access without a traditional credential-harvesting page, but it is not the most common route. Downgrade attacks using Attacker-in-the-Middle (AitM) phishing kits make up the vast majority of passkey-bypassing phishing attacks: the kit steers the victim onto a weaker login method, then intercepts the authenticated session created when the victim enters their password and completes an MFA check, so the passkey is never used at all.

Despite these challenges, researchers have identified a number of techniques for preventing and detecting these attacks. Push Security's browser-based security platform provides identity attack detection and response against techniques such as AitM phishing, credential stuffing, password spraying, and session hijacking using stolen session tokens.

Organizations should also audit their app and identity sprawl to find these exposures and fix them. Doing so reduces their susceptibility to phishing and keeps users' sensitive information out of the wrong hands.
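What such an audit looks for in practice, as an added example that is not from the original article and not Push Security's product logic: given an inventory of which apps are behind SSO and which login methods each account on them actually has, it lists the entry points the article names, namely apps with no SSO coverage, "ghost" local logins that persist on apps the organization believes are SSO-only, and accounts that belong to no current workforce identity. The inventory format and all sample data are constructed.

```python
"""Auditing app and identity sprawl for the entry points the article names:
SSO coverage gaps and local "ghost logins". Constructed example for this
article, not Push Security's product logic; the inventory format and the
sample data are made up, with the idea that a browser- or IdP-based inventory
would populate the same structure."""

# Constructed inventory: the workforce directory plus, per app, whether it is
# behind SSO and which login methods each account on it actually has.
INVENTORY = {
    "workforce_users": ["alice@example.test", "bob@example.test"],
    "apps": [
        {"name": "CRM", "sso": True, "accounts": [
            {"user": "alice@example.test", "methods": ["sso"]},
            {"user": "bob@example.test", "methods": ["sso", "password"]},
        ]},
        {"name": "Wiki", "sso": False, "accounts": [
            {"user": "alice@example.test", "methods": ["password"]},
            {"user": "carol@example.test", "methods": ["password"]},
        ]},
        {"name": "Mail", "sso": True, "accounts": [
            {"user": "alice@example.test", "methods": ["sso", "app_password"]},
        ]},
    ],
}

# Any method that lets someone in without going through the SSO/passkey login.
LOCAL_METHODS = {"password", "app_password"}

REMEDIATION = {
    "ghost_logins": "disable the local method; SSO is already available on this app",
    "sso_gaps": "onboard the app to SSO or enforce phishing-resistant MFA on it",
    "orphaned_accounts": "no matching workforce identity; verify owner or deprovision",
}


def audit_sprawl(inv):
    """Return the three finding lists plus a remediation note for each category."""
    workforce = set(inv["workforce_users"])
    report = {"sso_gaps": [], "ghost_logins": [], "orphaned_accounts": []}
    for app in inv["apps"]:
        if not app["sso"]:
            report["sso_gaps"].append(app["name"])
        for acct in app["accounts"]:
            local = sorted(LOCAL_METHODS & set(acct["methods"]))
            # A local login on an SSO-enabled app is exactly the "ghost login":
            # the org thinks SSO covers it, but a password path still works.
            if app["sso"] and local:
                report["ghost_logins"].append(
                    {"app": app["name"], "user": acct["user"], "methods": local})
            if acct["user"] not in workforce:
                report["orphaned_accounts"].append(
                    {"app": app["name"], "user": acct["user"]})
    report["remediation"] = {k: REMEDIATION[k] for k in REMEDIATION if report[k]}
    return report


def exposure_count(report):
    """Single number for tracking the audit over time: one per finding."""
    return sum(len(report[k]) for k in ("sso_gaps", "ghost_logins", "orphaned_accounts"))


if __name__ == "__main__":
    result = audit_sprawl(INVENTORY)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("total exposures:", exposure_count(result))
```

The ghost-login category is the one worth running first: it surfaces on apps the organization already counts as protected, which is precisely where a downgrade or app-specific-password attack lands while everyone assumes the passkey is doing the work.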

In conclusion, while passkey-based authentication has been hailed as a secure alternative to traditional passwords, it is not foolproof. Attackers are using a range of tactics to get around it, including device code phishing, consent phishing, verification phishing, and app-specific password phishing. To stay ahead of these threats, organizations must implement comprehensive identity attack detection and response capabilities and audit their app and identity sprawl to find and close the remaining entry points.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Phishing-Attack-Tactics-How-Attackers-are-Evading-Passkey-Based-Authentication-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/how-attackers-are-still-phishing-phishing-resistant-authentication/


  • Published: Tue Jul 29 10:15:37 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
