Search papers, labs, and topics across Lattice.
This paper analyzes the security of FIDO2 passkeys against phishing attacks, focusing on both known and novel attack vectors. It implements and evaluates two specific attacks: the Infected Authenticator attack (generating attacker-controlled keys) and the Authenticator Deception attack (spoofing websites via CA store modification). The results show that while successful attacks are possible, they require significant attacker resources, confirming that passkeys offer substantially improved phishing resistance compared to passwords.
Passkeys aren't bulletproof, but successfully attacking them requires so much effort that they raise the bar for phishing by orders of magnitude.
Phishing attacks remain one of the most prevalent threats to online security, with the Anti-Phishing Working Group reporting over 890,000 attacks in Q3 2025 alone. Traditional password-based authentication is particularly vulnerable to such attacks, prompting the development of more secure alternatives. This paper examines passkeys, also known as FIDO2, which claim to provide phishing-resistant authentication through asymmetric cryptography. In this approach, a private key is stored on a user's device, the authenticator, while the server stores the corresponding public key. During authentication, the server generates a challenge that the user signs with the private key; the server then verifies the signature and establishes a session. We present passkey workflows and review state-of-the-art attack vectors from related work alongside newly identified approaches. Two attacks are implemented and evaluated: the Infected Authenticator attack, which generates attacker-known keys on a corrupted authenticator, and the Authenticator Deception attack, which spoofs a target website by modifying the browser's certificate authority store, installing a valid certificate, and intercepting user traffic. An attacker relays a legitimate challenge from the real server to a user, who signs it, allowing the attacker to authenticate as the victim. Our results demonstrate that successful attacks on passkeys require substantial effort and resources. The claim that passkeys are phishing-resistant largely holds true, significantly raising the bar compared to traditional password-based authentication.
