Was that a Passkey Breach?
- Jul 23
No, but could this be a sign of what's ahead?
Researchers recently reported encountering a phishing attack in the wild that bypasses multifactor authentication based on passkeys, the industry-wide standard being adopted by thousands of sites and enterprises. Further review of the attack path showed that the bad actor did not bypass passkey authentication itself, but instead used a downgrade path to reach their goal of accessing the user’s account.

While this review confirms that passkeys remain a strong and secure method of MFA, it also highlights that not all authenticator types should be considered equal, and that software-bound credentials and implementations (in this case, the implementation of the passkey authentication standard) should never be completely trusted.
TL;DR
While smartphone-based passkeys improve user convenience, they compromise FIDO2’s foundational hardware-bound security model. In high-risk environments, only dedicated hardware authenticators like VeroCard can maintain cryptographic integrity, attestation trust, and robust phishing resistance.
What Happened in the Recent "Downgrade" Phishing Attack Using FIDO2 Cross-Device Sign-In?
In a recent report (mid‑2025), researchers at Expel observed a real-world phishing campaign by the group known as PoisonSeed, which exploited the cross-device sign-in feature in a clever adversary-in-the-middle attack:
- Victims received a phishing email directing them to a counterfeit enterprise login portal.
- After entering credentials, the phishing site relayed them in real time to the legitimate site and triggered a cross-device sign-in request.
- The legitimate site generated a QR code for authentication, which the phishing page immediately captured and displayed.
- When the victim scanned the QR code with their phone, they unknowingly authenticated the attacker to the legitimate site.
While this manoeuvre downgrades FIDO2 authentication to a weaker flow and is not a breach of the FIDO2 protocol, it exploits the weakness of the downgraded process, facilitated by a smartphone-based passkey, to hide from the victim what is really happening.
Why Using a Smartphone as a FIDO2 Authenticator Is Insecure
Using a smartphone as a FIDO2 authenticator introduces fundamental security trade-offs that break key FIDO2 security assumptions, fracture passkey provenance, and can enable bad actors to run a downgrade attack on passkey authentication.
Passkeys created and stored on smartphones provide a convenience-security compromise that may be acceptable for consumers, but remains unsuitable for enterprise, critical infrastructure, or regulated environments. For these use cases, dedicated hardware authenticators such as VeroCard are the only way to maintain the original security promise of FIDO2.
Breaking FIDO2’s Original Core Security Premise
FIDO2 was designed on the principle that private keys never leave the security of the hardware authenticator. Driven by the consumer desire for convenience, the FIDO2 specification was revised to allow synchronisation of passkeys across cloud ecosystems so that users could easily access systems and sites using a single passkey.
When users sync passkeys across devices using cloud services (such as iCloud Keychain or Google Password Manager), the baseline security of passkeys is violated:
- The private credential is copied to multiple devices.
- Security of passkeys now depends on cloud account protections, not local hardware.
- If a cloud account is compromised, all passkeys are accessible remotely.
- In some environments users can share passkeys with others, fracturing any assertion of passkey attestation.
This turns a local, hardware-bound credential into a cloud-distributed secret, significantly weakening the trust model.
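The attack flow and the cloud-sync concerns above both come down to what a relying party will and will not accept. The Python below is an added example, not code from this post or from VeroGuard: a server-side policy check over the two WebAuthn assertion inputs a browser returns (clientDataJSON and authenticatorData). It builds request options that omit the hybrid (QR-code, cross-device) transport, then enforces origin binding, the rpIdHash, user presence and user verification, and rejects credentials whose BE/BS flags show they are backup-eligible or currently synced. The relying-party ID, the allowed origin, the challenge and the sample assertions are all constructed for the example. Two caveats a practitioner should keep in mind: the transports list in allowCredentials is only a hint the browser may ignore, so the server-side checks are the real control; and origin binding alone does not stop the relay described above, because the victim's phone authenticates to the genuine site, so the transport restriction and the device-bound (BE = 0) requirement are the checks that bear on that flow.

```python
import base64
import hashlib
import hmac
import json

# Relying-party policy values, assumed for this example.
RP_ID = "login.example.test"
ALLOWED_ORIGINS = {"https://login.example.test"}

# Bit positions of the WebAuthn authenticator-data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced off the device
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced


def b64url(data: bytes) -> str:
    """WebAuthn-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def request_options(credential_ids, challenge: bytes) -> dict:
    """PublicKeyCredentialRequestOptions for a high-assurance login: only
    roaming transports are offered (no 'hybrid', the QR-code cross-device
    flow) and user verification is required. 'transports' is a hint the
    browser may ignore, so verify_assertion() must still enforce policy."""
    return {
        "challenge": b64url(challenge),
        "rpId": RP_ID,
        "userVerification": "required",
        "allowCredentials": [
            {"type": "public-key", "id": cid, "transports": ["usb", "nfc"]}
            for cid in credential_ids
        ],
    }


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, reject_synced: bool = True):
    """Policy checks a relying party runs on a WebAuthn assertion before
    verifying the signature. Returns (ok, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge must be the one this server issued (replay protection).
    got = str(client_data.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        return False, "challenge mismatch"
    # Origin binding: the browser records which origin ran the ceremony.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {client_data.get('origin')!r}"
    # authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False, "rpIdHash does not match relying party ID"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification not performed"
    # Synced passkeys announce themselves via BE/BS; a high-assurance policy
    # accepts only device-bound credentials.
    if reject_synced and flags & (FLAG_BE | FLAG_BS):
        return False, "credential is backup-eligible or synced; device-bound key required"
    return True, "policy checks passed; proceed to signature verification"


def make_sample_assertion(origin: str, flags: int, challenge: bytes, rp_id: str = RP_ID):
    """Constructed sample data standing in for a browser's assertion response."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin, "crossOrigin": False}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))
    return client_data, auth_data


def demo():
    """Run the policy over four constructed assertions; returns name -> (ok, reason)."""
    challenge = bytes(range(32))  # constructed; a real server uses os.urandom(32)
    cases = {
        "device-bound key with UV": ("https://login.example.test", FLAG_UP | FLAG_UV),
        "synced phone passkey": ("https://login.example.test",
                                 FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS),
        "no user verification": ("https://login.example.test", FLAG_UP),
        "wrong origin": ("https://phish.example.invalid", FLAG_UP | FLAG_UV),
    }
    return {name: verify_assertion(*make_sample_assertion(origin, flags, challenge), challenge)
            for name, (origin, flags) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}: {reason}")
```

Only the first case is accepted; the synced passkey is refused on its BE/BS flags even though its origin and user verification are fine, which is the policy equivalent of "no cloud syncing" on the relying-party side.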
How VeroCard Solves These Issues
VeroCard restores the original FIDO2 security promise by:
- Hardware-enforced isolation
  - Private keys remain protected in hardware at all times.
  - Each key is device-bound and tied to the physical VeroCard hardware.
- No cloud syncing
  - Eliminates risks from iCloud, Google account, or password manager compromise.
  - No cross-device duplication or migration of credentials.
- Downgraded flows are not allowed
  - VeroCard does not allow the use of QR code downgrades.
  - A single user gesture, PIN entry, and subsequent passkey login provide full MFA without the need for any other factors.
VeroGuard further enhances security by:
- Requiring user verification
  - VeroCard enforces user presence through PIN verification for every login.
  - PIN verification is completed by the VeroGuard Platform before the passkey is allowed to be used.
  - Requires explicit user interaction, resulting in identity verification and impersonation resistance.
- Origin binding enforced in the platform
  - VeroGuard verifies that the relying party (domain) has been permitted for the user, and ensures credentials are domain-specific.
- Centrally managing VeroCards
  - Tracking and managing devices
  - Blocking use of, and removing, credentials
  - Blocking a VeroCard if lost
- Offering a certified end-to-end process
  - Common Criteria
  - PCI-PTS
Summary
| Risk Area | Smartphone Passkeys | VeroCard |
|---|---|---|
| Private key leaves device | ❌ Yes (via cloud sync) | ✅ No |
| Cloud account attack risk | ❌ High | ✅ None |
| Cross-device phishing exposure | ❌ Possible | ✅ Prevented |
| True hardware-based isolation | ❌ Weak | ✅ Strong |
| Enterprise-grade assurance | ❌ Lacks | ✅ Delivers |
| Verified user presence | ❌ Optional or implicit | ✅ Required (and verified) every time |
| Phishing/AitM resistance | ⚠️ Can be bypassed with cross-device flows | ✅ Guaranteed |
| Hardware certification & standards | ⚠️ Some component level | ✅ EAL2+/PCI-PTS |
VeroGuard is Common Criteria EAL 2+ certified and VeroCard also holds PCI-PTS certification (standards for PIN security), along with FIDO2.