
- Browsers are the weak link that attackers now exploit for control
- SquareX shows how trivial scripts can intercept and hijack passkey flows
- From a user’s perspective, fake passkey prompts look entirely genuine
For years, the shift away from passwords toward passkeys has been framed as the future of secure authentication.
By relying on cryptographic key pairs instead of weak or reused strings, passkeys promised to remove the risks that have long plagued password systems.
However, at the recent DEF CON 33 event, SquareX researchers presented new findings that challenge this view, claiming that the very browsers relied upon to manage passkey workflows can be exploited in ways that bypass those protections.
The mechanics of passkeys
Passkeys operate through a system where a private key remains on a user’s device while a public key is stored by the service provider.
To log in, the user verifies identity locally with biometrics, a PIN, or a hardware token, and the server authenticates the response against its stored public key.
This structure should eliminate many of the classic risks, such as phishing or brute force attacks, yet the entire process assumes the browser serves as a trustworthy mediator, a role that SquareX researchers now argue is dangerously fragile.
They showed how attackers can manipulate the browser environment with malicious extensions or scripts, allowing them to intercept the registration flow, substitute keys, and even trick users into re-registering under attacker-controlled conditions.
From the victim’s perspective, the login process looks indistinguishable from a legitimate passkey operation, with no warning signs that credentials are being compromised.
Established enterprise security tools, whether endpoint protection or network defenses, do not provide visibility into this level of browser activity.
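To make the trust boundary concrete, the following added example (not SquareX's code) implements the standard relying-party checks a server runs on a WebAuthn registration response: challenge, origin, RP ID hash and the user-presence/verification flags. Every one of those inputs is assembled by the browser before it reaches the server, so an honest ceremony passes, an off-origin (phishing-style) response fails, and a ceremony driven end to end by a script inside the browser is invisible to these checks. The RP ID, origin, challenge and credential ID are constructed sample values.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the RP serves from

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_registration(client_data_json: bytes, auth_data: bytes,
                        expected_challenge: bytes) -> dict:
    """Relying-party checks on a webauthn.create response; all inputs come from the browser."""
    client = json.loads(client_data_json)
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    result = {
        "type_ok": client.get("type") == "webauthn.create",
        "challenge_ok": b64url_decode(client.get("challenge", "")) == expected_challenge,
        "origin_ok": client.get("origin") == EXPECTED_ORIGIN,
        "rp_id_ok": rp_id_hash == hashlib.sha256(RP_ID.encode()).digest(),
        "user_present": bool(flags & 0x01),   # UP bit
        "user_verified": bool(flags & 0x04),  # UV bit: the biometric/PIN step
        "credential_id": None,
    }
    if flags & 0x40:  # AT bit: attested credential data follows the 4-byte sign counter
        cred_len = int.from_bytes(auth_data[53:55], "big")
        result["credential_id"] = auth_data[55:55 + cred_len]
    return result

def registration_accepted(result: dict) -> bool:
    checks = [v for k, v in result.items() if k != "credential_id"]
    return all(checks) and result["credential_id"] is not None

# Constructed sample input for the assumed RP (no real authenticator involved).
CHALLENGE = bytes(range(32))
CLIENT_DATA = json.dumps({
    "type": "webauthn.create",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
    "origin": EXPECTED_ORIGIN,
}).encode()
CRED_ID = b"constructed-cred-id"
AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest()       # rpIdHash
             + bytes([0x45])                               # flags UP|UV|AT
             + (0).to_bytes(4, "big")                      # sign counter
             + bytes(16)                                   # AAGUID (zeros)
             + len(CRED_ID).to_bytes(2, "big") + CRED_ID)  # COSE public key omitted
# Same ceremony, but the browser reported a different origin (the classic phishing case)
OFF_ORIGIN_CLIENT_DATA = CLIENT_DATA.replace(EXPECTED_ORIGIN.encode(), b"https://login.example.net")

if __name__ == "__main__":
    for data in (CLIENT_DATA, OFF_ORIGIN_CLIENT_DATA):
        print(registration_accepted(verify_registration(data, AUTH_DATA, CHALLENGE)))
```

The origin check is what stops a lookalike site from completing the ceremony; it does nothing against code that runs inside the legitimate origin, which is the gap the SquareX research describes.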
“Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security,” said SquareX researcher Shourya Pratap Singh.
“What they don’t know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser. This puts pretty much every enterprise and consumer application, including critical banking and data storage apps, at risk.”
With the majority of enterprise data now stored in SaaS platforms, passkeys are being rapidly adopted as the default authentication method.
SquareX’s findings suggest this transition introduces a new dependency on browser security, an area where oversight has traditionally been weak.
Passkeys may still represent progress beyond traditional credentials, yet the SquareX research shows no system is completely free from flaws, and organizations may have moved too quickly to embrace passkeys as a universal solution.
How to stay safe
- Use a trusted antivirus to detect and block hidden malicious code.
- Install extensions only from verified sources and review their permissions regularly.
- Keep browsers updated to ensure the latest security fixes are applied.
- Employ a password manager to securely handle legacy accounts that still rely on passwords.
- Pair sign-in processes with an authenticator app to strengthen verification steps.
- Regularly audit browser settings to minimize exposure to untrusted scripts or add-ons.
- Limit the number of devices used for sensitive logins to reduce attack opportunities.