Emerging Threats with Windows 11's Passkey Synchronization

Written by Memcyco Product VP, Arthur Zavalkovsky.

Microsoft is set to revolutionize authentication with the upcoming support for passkey synchronization across devices in Windows 11. This move towards a passwordless future promises enhanced security and convenience for users. However, as with any new technology, it introduces a range of potential threats that could be exploited by malicious actors.

What Are Passkeys?

Passkeys are a form of passwordless authentication that leverages public-key cryptography to provide secure and convenient access to online accounts and services. Unlike traditional passwords, which are often reused and vulnerable to phishing attacks, passkeys are unique to each user-device-service combination and are stored securely on the device.

How Do Passkeys Work?

When you register for a service using a passkey, your device generates a pair of cryptographic keys: a private key that stays on your device and a public key that is shared with the service. Authentication occurs when the service sends a challenge that your device signs using the private key, proving your identity without transmitting any secret over the network. Note, however, that passwords do not disappear entirely. The initial registration typically requires you to authenticate with a traditional password or another method to verify your identity before the passkey is created. Additionally, if your passkey for a service is lost—such as when you lose your device—you may need to use your password or another recovery method to regain access to your account.

Benefits of Passkeys

  • Enhanced Security: Eliminates the risks associated with weak or reused passwords.
  • User Convenience: Simplifies the login process by removing the need to remember complex passwords.

How Does Synchronization Work in Windows 11?

Windows 11 aims to sync these passkeys across all devices linked to a user's Microsoft account. This means that once a passkey is created on one device, it becomes available on all other devices signed in with the same account, streamlining the user experience.

However, while passkeys present significant security improvements compared to traditional passwords and major usability improvements, new and existing threats still need to be addressed.

Emerging Threats

1. Authentication Method Redaction Attacks

Description: Authentication Method Redaction (AMR) attacks involve cybercriminals manipulating the authentication process to bypass secure methods like passkeys. Attackers use Adversary-in-the-Middle (AitM) phishing techniques to alter the login interface, forcing users to revert to less secure authentication methods such as passwords.

How It Works:

  1. AitM Phishing Techniques: Attackers set up a phishing website that closely mimics a legitimate login page.
  2. Interface Manipulation: They modify HTML, CSS, JavaScript, or images to remove references to passkey authentication.
  3. Forcing Traditional Authentication Methods: Users are tricked into entering credentials through traditional passwords, OTP, or other methods.
  4. Account Access: The attacker uses the captured credentials to access the service.

Severity: High

  • Impact: High potential for unauthorized access to sensitive accounts and data breaches.
  • Prevalence: Increasingly common due to the availability of sophisticated phishing kits.
  • Mitigation Difficulty: Challenging, as it requires user vigilance to detect subtle changes in login pages.
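An added example, not code from the article or from Microsoft's implementation, that walks through the challenge-response flow from "How Do Passkeys Work?" and shows why an AMR attacker has to push users back to passwords: the authenticator signs the challenge together with the origin the browser reports, so an assertion produced on a look-alike domain fails the relying party's check. It uses only Go's standard library; the JSON field names, the sample challenge and the two domains are constructed, and the struct is a simplified stand-in for WebAuthn's collectedClientData.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors what a WebAuthn authenticator signs over: the relying party's
// challenge plus the origin the browser observed (field names constructed for this example).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates the per-service key pair on the device; only priv.PublicKey is sent to the service.
func Register() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Assert answers a challenge by signing it together with the origin the browser reports,
// so a signature produced on a look-alike domain names that domain, not the real one.
func Assert(priv *ecdsa.PrivateKey, challenge, origin string) (payload, sig []byte, err error) {
	payload, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return payload, sig, err
}

// Verify is the relying party's check: challenge and origin must match, then the signature.
func Verify(pub *ecdsa.PublicKey, challenge, origin string, payload, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(payload, &cd) != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, _ := Register()
	p, s, _ := Assert(priv, "c0ffee", "https://example.com")
	fmt.Println("legit origin:", Verify(&priv.PublicKey, "c0ffee", "https://example.com", p, s))
	p, s, _ = Assert(priv, "c0ffee", "https://examp1e.com") // AitM page on a look-alike domain
	fmt.Println("phishing origin:", Verify(&priv.PublicKey, "c0ffee", "https://example.com", p, s))
}
```

Because the relying party rejects the second assertion, the only way for the phishing page to succeed is to hide the passkey option and harvest a password or OTP instead, which is exactly the redaction step in the attack above.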


2. Recovery Key Vulnerabilities

Description: To access synced passkeys across devices, users must set up a recovery key. This introduces a new potential point of failure; if the recovery key is compromised, an attacker could access all synced passkeys.

How It Works:

  1. Recovery Key Setup: Users generate a recovery key during passkey synchronization setup.
  2. Insecure Storage Practices: Users might store the recovery key in unencrypted files, emails, or write it down in unsecured places.
  3. Compromise and Exploitation: Attackers who obtain the recovery key can bypass other security measures.

Severity: High

  • Impact: Full control over a user's accounts and data protected by passkeys.
  • Prevalence: Dependent on user behavior; widespread if users are not educated on secure storage.
  • Mitigation Difficulty: Requires users to adopt and maintain secure practices.


3. Cross-Device Contamination

Description: If one device is compromised, malware on it can reach every web service the user has a synced passkey for, even services that were never used from that device. The malware may be able to read or manipulate those passkeys, and because they are synced, every other device is affected too. For example, signing in to a website and resetting its passkey could trigger a domino effect of security breaches across a user's entire device ecosystem.

How It Works:

  1. Device Compromise: Malware infects a device, gaining access to stored passkeys.
  2. Passkey Reset: The malware replaces the passkeys registered for the affected services.
  3. Propagation: The altered passkeys are synchronized to all of the user's devices, and the legitimate user is left falling back to passwords or recovery methods to regain access.

Severity: Medium

  • Impact: Multiple devices and accounts can be compromised.
  • Prevalence: Dependent on the prevalence of malware and the security posture of devices.
  • Mitigation Difficulty: Requires consistent security measures across all devices.


4. Public Device Access Risks

Description: Passkey synchronization can lead to unintended access on public or shared devices. When users authenticate on these devices, they may inadvertently grant long-term access to their accounts if they forget to properly log out or delete their passkeys.

How It Works:

  1. Emergency Use: A user needs to access their accounts from a public device (e.g., a hotel business center computer).
  2. Passkey Synchronization: The user's passkeys sync to the public device for authentication.
  3. Residual Access: If the user forgets to delete the passkeys, does not log out properly, or malware is present on the public device, that device retains access to every account the user protects with passkey authentication.

Severity: High

  • Impact: Unauthorized access to multiple accounts and sensitive information.
  • Prevalence: Potentially common in travel scenarios or when using shared devices.
  • Mitigation Difficulty: Requires user vigilance and proper logout procedures on public devices.

This threat highlights the need for clear user education on managing passkeys on shared or public devices and the importance of implementing automatic logout and passkey deletion features for non-personal devices.


5. User Behavior and Security Practices

Description: Users may become overly reliant on Microsoft's security measures and neglect other good security practices. This includes weak account passwords (which must still be defined and maintained as a fallback for when the user's device cannot be used or when passkey access is disabled on the device), ignoring updates, and poor personal security hygiene.

How It Works:

  1. Weak Microsoft Account Passwords: Users might not use strong, unique passwords for their Microsoft accounts.
  2. Neglecting Updates: Failure to install security updates leaves devices vulnerable.
  3. Poor Security Hygiene: Not using MFA, reusing passwords, or falling for phishing scams.

Severity: High

  • Impact: Can lead to full account and data compromise.
  • Prevalence: Very common; human error remains a significant vulnerability.
  • Mitigation Difficulty: Challenging, as it relies on changing user behavior.


Bottom Line

While passkeys offer significant improvements in authentication security, they are not a silver bullet. They undoubtedly deliver a better user experience. But, contrary to popular belief, passkeys aren’t infallible when it comes to phishing-related website impersonation fraud and related scams. Ultimately, enterprises rolling out passkeys must fortify their passkey defenses with AI-assisted solutions like Memcyco that deliver real-time website impersonation and customer account takeover (ATO) protection.
