The article reveals a critical security vulnerability in passkey implementations where XSS (Cross-Site Scripting) can be exploited to register attacker-controlled passkeys, effectively creating persistent backdoors. This undermines the phishing-resistant benefits of passkeys and can lead to silent account takeovers. The author explains the technical details of the vulnerability and discusses potential defense mechanisms.
Background
Passkeys are a modern authentication method designed to replace passwords, using public-key cryptography for more secure and phishing-resistant logins. However, this article highlights how common web vulnerabilities like XSS can compromise their security model.
- Source
- Lobsters
- Published
- May 21, 2026 at 03:20 AM
- Score
- 8.0 / 10