Full Report
TLDR: Even if you take nothing else away from this piece, if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys. Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure. Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong
Analysis Summary
This summary focuses on the security implications of using synced passkeys as described in the provided text. Since the source material discusses architectural weaknesses and observed attack patterns rather than a specific, patched CVE for a single product, the CVE section will reflect this general nature.
# Vulnerability: Risks Introduced by Synced Passkeys and Downgrade Attacks
## CVE Details
- CVE ID: N/A (Architectural risk discussion, not a specific CVE)
- CVSS Score: N/A
- CWE: Depends on the specific vector (e.g., CWE-287: Improper Authentication; CWE-613: Insufficient Session Expiration, relevant to capture of the resulting session cookie after a downgrade)
## Affected Systems
- Products: Systems utilizing FIDO Passkeys, specifically relying on **Synced Passkeys** through cloud services (e.g., iCloud, Google Cloud).
- Versions: Applicable to any deployment where user experience prioritizes synced passkeys over device-bound options.
- Configurations: Environments where Identity Providers (IdPs) allow users to downgrade authentication methods (e.g., fall back from WebAuthn/Passkeys to SMS/OTP).
## Vulnerability Description
The primary risk lies in deploying **synced passkeys**, which shift the trust boundary to the underlying cloud account (e.g., Apple iCloud) protecting the passkey credential store. Compromise of the cloud account or abuse of its recovery process can lead to the sharing of passkeys onto untrusted devices.
Additionally, two major exploitation vectors are highlighted:
1. **Authentication Downgrade Attacks (AiTM):** Attackers use Adversary-in-the-Middle (AiTM) kits to impersonate browsers with poor passkey support (e.g., Safari on Windows). This forces the Identity Provider (IdP) to disable the WebAuthn ceremony, steering the user toward weaker methods like SMS or OTP, which the attacker can capture along with the resulting session cookie.
2. **Browser Extension Manipulation:** Malicious or compromised browser extensions can hijack or manipulate WebAuthn requests during registration or sign-in processes, potentially leaking credentials or OTPs via autofill manipulation.
## Exploitation
- Status: **Exploited in the wild** (Downgrade attacks documented against Microsoft Entra ID)
- Complexity: **Medium** (Requires sophisticated phishing infrastructure for downgrade attacks, but successful compromise leads directly to account access.)
- Attack Vector: **Network** (For AiTM phishing)
## Impact
- Confidentiality: **High** (Session cookies, potential credential leakage)
- Integrity: **High** (Unauthorized account modification via successful authentication)
- Availability: **Low to Medium** (Primarily targets access, not service shutdown)
## Remediation
### Patches
* No specific vendor patches are listed, as the issue relates to architectural risk and implementation details. The recommended solution is a change in deployment strategy.
### Workarounds
* **Prefer Device-Bound Passkeys:** Organizations should prioritize the use of device-bound passkeys stored in hardware security keys (e.g., FIDO hardware tokens) for enterprise access, as these are not subject to cloud syncing risks.
* **Harden Cloud Account Recovery:** Strengthen security around the cloud accounts used to sync credentials (e.g., enabling strong MFA on the cloud provider account itself).
* **Restrict Downgrades:** IdPs should be configured to **never** allow fallback to weaker authentication methods (like SMS/OTP) if a WebAuthn/Passkey attempt fails or is bypassed via user-agent spoofing.
* **Utilize WebAuthn Immediate Mediation:** Where possible, implement relying-party-side controls so that a WebAuthn ceremony is strictly enforced wherever a passkey is expected (see the W3C 'Immediate Mediation' explainer linked below).
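The "Restrict Downgrades" workaround above, shown as an added Python illustration that is not code from any IdP, the FIDO Alliance, Yubico or the linked posts: the naive policy derives the offered methods from the client's claimed User-Agent, which is exactly the input a downgrade kit controls, while the hardened policy offers only the passkey to any user who has one registered and raises an alert when a weaker method is requested anyway. The method names, the `Decision` structure and the Safari-on-Windows user-agent string are constructed for the example.

```python
"""Fallback policy for an IdP: the user-agent-driven pattern that downgrade
kits abuse, beside a hardened policy that never widens the method set on the
basis of client claims. Added illustration; not any vendor's code."""
from dataclasses import dataclass

PASSKEY = "webauthn"
WEAK_FALLBACKS = {"sms", "otp"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: bool = False  # True when the attempt should be logged as a suspected downgrade


def naive_offered_methods(registered: set, user_agent: str) -> set:
    """The pattern that gets abused: if the browser *claims* to be one with poor
    passkey support (constructed check for Safari on Windows), WebAuthn is
    silently dropped and the user's weaker registered methods are offered."""
    offered = set(registered)
    if "Windows" in user_agent and "Safari" in user_agent and "Chrome" not in user_agent:
        offered.discard(PASSKEY)
    return offered


def hardened_offered_methods(registered: set, user_agent: str) -> set:
    """Hardened policy: a user with a passkey registered is offered only the
    passkey. The User-Agent header is attacker-controlled, so it is ignored."""
    del user_agent  # deliberately unused: client claims must not shape the policy
    if PASSKEY in registered:
        return {PASSKEY}
    return set(registered)


def evaluate(registered: set, user_agent: str, requested: str,
             policy=hardened_offered_methods) -> Decision:
    """Decide whether `requested` may be used, and flag a blocked fallback
    by a passkey-enrolled user as a downgrade attempt worth alerting on."""
    offered = policy(registered, user_agent)
    if requested in offered:
        return Decision(True, "method offered")
    if requested in WEAK_FALLBACKS and PASSKEY in registered:
        return Decision(False, "downgrade_blocked", alert=True)
    return Decision(False, "method not registered")


if __name__ == "__main__":
    # Constructed user-agent string resembling Safari on Windows; not captured from any kit.
    spoofed_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                  "Version/17.0 Safari/605.1.15")
    enrolled = {"webauthn", "sms"}
    print("naive policy, SMS requested:   ", evaluate(enrolled, spoofed_ua, "sms", naive_offered_methods))
    print("hardened policy, SMS requested:", evaluate(enrolled, spoofed_ua, "sms"))
    print("hardened policy, passkey used: ", evaluate(enrolled, spoofed_ua, "webauthn"))
```

The design point is that the hardened policy keys off state the IdP owns (which authenticators the user has registered) rather than anything the client asserts; a user without a passkey still gets their registered methods, so the rule does not lock out accounts that were never enrolled.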
## Detection
- **Indicators of Compromise:** A successful login via a weaker method (SMS/OTP) immediately following a failed or bypassed passkey challenge for the same user; signs that a session cookie has been imported into another client rather than issued by a fresh sign-in.
- **Detection Methods and Tools:** Monitor IdP sign-in logs for unexpected fallbacks from passkey to weaker methods in authentication policy steering, and use security tools capable of inspecting detailed WebAuthn protocol flows for manipulation signatures.
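The correlation described under Indicators of Compromise, as an added Python example that is not part of the original report or of any vendor's tooling: it parses a constructed JSON Lines sign-in log (the field names `ts`, `user`, `event`, `result`, `method`, `ip` and `ua` are assumed, not taken from any real IdP) and flags a user whose SMS/OTP success follows a failed or skipped passkey challenge within a ten-minute window, while ignoring successes that arrive too late or that were preceded by a completed passkey ceremony.

```python
"""Correlate incomplete passkey challenges with a later SMS/OTP success for the
same user. Added illustration over a constructed log; field names are assumed."""
import json
from datetime import datetime

WEAK_METHODS = {"sms", "otp"}
DEFAULT_WINDOW_SECONDS = 600  # assumed tuning value: 10 minutes

# Constructed JSON Lines sign-in log, not from any real tenant.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:01Z", "user": "alice", "event": "passkey_challenge", "result": "failed", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Safari/605.1.15"}
{"ts": "2024-05-01T09:00:40Z", "user": "alice", "event": "auth_success", "method": "sms", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:05:00Z", "user": "bob", "event": "passkey_challenge", "result": "success", "ip": "203.0.113.9"}
{"ts": "2024-05-01T09:05:02Z", "user": "bob", "event": "auth_success", "method": "webauthn", "ip": "203.0.113.9"}
{"ts": "2024-05-01T10:00:00Z", "user": "carol", "event": "passkey_challenge", "result": "skipped", "ip": "192.0.2.44"}
{"ts": "2024-05-01T11:30:00Z", "user": "carol", "event": "auth_success", "method": "sms", "ip": "192.0.2.44"}
{"ts": "2024-05-01T12:00:00Z", "user": "dave", "event": "auth_success", "method": "otp", "ip": "192.0.2.80"}
"""


def parse_log(text: str) -> list:
    """Parse JSON Lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_downgrades(events: list, window_seconds: int = DEFAULT_WINDOW_SECONDS) -> list:
    """Return one finding per user whose SMS/OTP success lands within
    `window_seconds` of a passkey challenge that did not complete (failed or
    skipped). A successful passkey ceremony clears that user's pending state."""
    pending = {}   # user -> most recent incomplete passkey challenge
    findings = []
    for rec in events:
        user = rec["user"]
        if rec["event"] == "passkey_challenge":
            if rec.get("result") == "success":
                pending.pop(user, None)
            else:
                pending[user] = rec
        elif rec["event"] == "auth_success":
            challenge = pending.get(user)
            if challenge is None or rec.get("method") not in WEAK_METHODS:
                continue  # no prior incomplete passkey challenge, or a strong method was used
            gap = int((rec["ts"] - challenge["ts"]).total_seconds())
            if gap <= window_seconds:
                findings.append({
                    "user": user,
                    "fallback_method": rec["method"],
                    "seconds_after_challenge": gap,
                    "challenge_result": challenge.get("result"),
                    "challenge_ua": challenge.get("ua"),
                    "ip": rec.get("ip"),
                })
            pending.pop(user, None)
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(parse_log(SAMPLE_LOG)):
        print("suspected downgrade:", finding)
```

The finding carries the user agent claimed during the failed challenge so an analyst can see whether the client presented itself as a browser with poor passkey support; the window is a tuning knob, and widening it trades fewer misses for more benign fallbacks showing up.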
## References
- Vendor Advisories: FIDO Alliance and Yubico have issued advisories encouraging enterprises to prefer device-bound keys.
- Relevant Links:
  - https://www.proofpoint.com/us/blog/threat-insight/dont-phish-let-me-down-fido-authentication-downgrade
  - https://www.yubico.com/blog/passkeys-are-winning-but-security-leaders-must-raise-the-bar/
  - https://github.com/w3c/webauthn/wiki/Explainer%3A-WebAuthn-immediate-mediation