An Analysis of Attack Vectors Against FIDO2 Authentication

TL;DR

This paper analyzes the security of FIDO2 passkeys, identifying attack vectors and demonstrating that while they are largely phishing-resistant, certain sophisticated attacks are possible with significant effort.

Contribution

It presents new attack methods against FIDO2 passkeys and evaluates their effectiveness, providing insights into their security robustness.

Findings

Successful attacks require substantial effort and resources.

Passkeys significantly raise the bar against phishing compared to passwords.

Two new attack approaches are implemented and tested.

Abstract

Phishing attacks remain one of the most prevalent threats to online security, with the Anti-Phishing Working Group reporting over 890,000 attacks in Q3 2025 alone. Traditional password-based authentication is particularly vulnerable to such attacks, prompting the development of more secure alternatives. This paper examines passkeys, also known as FIDO2, which claim to provide phishing-resistant authentication through asymmetric cryptography. In this approach, a private key is stored on a user's device, the authenticator, while the server stores the corresponding public key. During authentication, the server generates a challenge that the user signs with the private key; the server then verifies the signature and establishes a session. We present passkey workflows and review state-of-the-art attack vectors from related work alongside newly identified approaches. Two attacks are implemented and evaluated: the Infected Authenticator attack, which generates attacker-known keys on a corrupted authenticator, and the Authenticator Deception attack, which spoofs a target website by modifying the browser's certificate authority store, installing a valid certificate, and intercepting user traffic. An attacker relays a legitimate challenge from the real server to a user, who signs it, allowing the attacker to authenticate as the victim. Our results demonstrate that successful attacks on passkeys require substantial effort and resources. The claim that passkeys are phishing-resistant largely holds true, significantly raising the bar compared to traditional password-based authentication.