Partial Prevention
A passkey-only strategy is fundamental to preventing phishing attacks. However, given passkey challenges, relying parties (RPs) can start by implementing the Partial Prevention strategy for their high-risk users and features. This section outlines phishing attack patterns against RPs with passkeys deployed and proposes a targeted passkey-only strategy implementation to avoid security pitfalls and mitigate the adoption challenges.
RPs should implement the Partial Prevention stage security measures, or higher, if they are facing phishing threats. This is because the lower stages do not provide service-level phishing protection. While the Full Prevention stage offers complete phishing prevention by removing all phishable authentication methods, such a sudden transition could disrupt user access to critical applications. An abrupt change in authentication methods may frustrate users, damage trust, and lead to service abandonment. The Partial Prevention stage acts as a transition phase, balancing enhanced security by implementing passkey requirements while minimizing user disruption.
This document explains the transition method from the Optional Adoption stage to the Partial Prevention stage. Phishing vulnerabilities on passkey-deployed RPs discusses phishing attacks at these stages, demonstrating how phishing attacks are possible with a hybrid solution. Fundamental to prevent phishing attacks introduces a passkey-only strategy, to protect our services from phishing attacks. Determining the area of a passkey-only strategy presents Partial Prevention stage patterns, including enforcing passkey use for specific users and features.
Phishing vulnerabilities on passkey-deployed RPs
This section describes four passkey deployment cases with phishing vulnerabilities. Each deployment implements passkeys on its application. However, the phishing resistance of passkeys is not utilized as there are methods to bypass passkey authentication. Note that the root cause of these attacks is not passkeys themselves but rather issues with RP deployments.
Passwords as vulnerabilities to bypass passkey authentication
When RPs implement both passkeys and passwords as authentication methods, the passwords can undermine the security benefits of passkeys. Support of password-based authentication as a fallback mechanism helps users access services on devices without passkey capabilities, but it also creates an opportunity for attackers. Attackers can use phishing attacks to obtain passwords and then use these credentials to gain unauthorized access to user accounts. Mitigation strategies for this security concern are detailed in the Fundamental to prevent phishing attacks section of this document.
Unauthorized passkey registration in compromised accounts
When RPs implement passkeys but allow registration with phishable authentication methods, attackers can register passkeys on compromised accounts, enabling complete account takeover. For instance, consider an application that uses password authentication for general access but requires passkey authentication for high-risk operations such as external fund transfers. If the RP allows new passkey registration using only password authentication, attackers can exploit this vulnerability through a two-step process: first obtaining user credentials through phishing attacks to gain initial access, then registering their own passkeys to bypass the enhanced security measures for high-risk operations. Detailed mitigation strategies for this security risk are presented in the Applying a passkey-only strategy to specific features section of this document.
Exploit account recovery mechanisms to bypass passkey authentication
Account recovery processes based on weak authentication methods create potential security bypasses and undermine the strength of passkey authentication systems. Consider a security-conscious application that requires passkey authentication for account access, which addresses the vulnerabilities outlined in Passwords as vulnerabilities to bypass passkey authentication and Unauthorized passkey registration in compromised accounts. The application must provide account recovery mechanisms for users who lose access to their passkeys, but implementing recovery through email or SMS one-time passwords (OTPs) alone introduces significant vulnerabilities. Attackers can exploit this by targeting the recovery pathway rather than the primary authentication flow. By obtaining email addresses through phishing attacks and initiating account recovery, attackers can intercept OTPs through phishing, bypassing the passkey requirement. Mitigation strategies for this security concern are detailed in Fundamental to prevent phishing attacks of this document.
Social engineering attacks to downgrade account security level
One sophisticated phishing attack vector involves social engineering users deleting their registered passkeys, potentially leading to account compromise. Consider an application that has implemented robust security measures: required passkey authentication for login and phishing-resistant account recovery methods based on MNO’s network authentication, which addresses vulnerabilities described in Passwords as vulnerabilities to bypass passkey authentication,Unauthorized passkey registration in compromised accounts, and Exploit account recovery mechanisms to bypass passkey Authentication. This service is properly protected by passkeys. However, attackers can exploit user behavior through social engineering tactics to disable passkey-only strategy. These tactics typically involve presenting false technical error messages such as "Your environment doesn't support passkeys. Please enable password login before proceeding." Once users disable the option, accounts revert to a vulnerable state susceptible to traditional phishing attacks. The implementation of Full Prevention stage, as detailed in Full Prevention, provides mitigation strategies for this vulnerability.
Fundamental to prevent phishing attacks
To prevent phishing attacks, RPs must employ a passkey-only strategy that enforces the use of passkeys and eliminates passwords. The passkey journey described in the Overview introduction section explains that the Partial Prevention and Full Prevention stages are phishing-prevented stages, both satisfying passkey-only strategy requirements. As outlined in the Passwords as Vulnerabilities to Bypass Passkey Authentication section, allowing password-based logins alongside passkeys causes a vulnerability that attackers can exploit through phishing sites, bypassing the passkey authentication. Therefore, to protect user accounts from phishing attacks, RPs should require phishing-resistant authentication methods like passkeys, while discontinuing support for less secure, phishable alternatives.
The prohibition of phishable methods applies to both login and account recovery processes. If account recovery mechanisms remain vulnerable to phishing attacks, attackers can potentially bypass robust authentication controls through these weaknesses as outlined in the Exploit Account Recovery Mechanisms to Bypass Passkey Authentication section. Therefore, RPs that employ phishing-resistant methods across all authentication scenarios (login, fallback, and account recovery) are considered more resilient against phishing attacks than RPs that employ phishable methods for account recovery.
Determining the area of a passkey-only strategy
A passkey-only strategy might restrict account access for some users. Since passkeys are relatively new, authentication failures can be particularly challenging for users to troubleshoot. To mitigate issues, RPs can start by adopting a passkey-only strategy for their high-risk users and features that really need protection from phishing. The details of the challenges are described in the section Challenges of a passkey-only strategy.
Applying a passkey-only strategy to specific users
You can implement the Partial Prevention stage by enforcing passkeys for specific user groups. Applications can require a passkey-only strategy for specific users and other users can continue to access the service through traditional methods, like password authentication with SMS OTP.
The Partial Prevention stage has two approaches to choose from:
-
Enforce passkey use for all users who have registered passkeys This approach disables password authentication when a user registers a passkey. While this approach is simple to implement and directly links passkey registration to phishing protection, it may impact users who face challenges with passkey use across their various devices and platforms.
-
Provide an option to enforce passkey usage (an option to disable passwords) For this approach, passkey registration is a separate process from password disablement, allowing users to choose when to switch to passkey-only authentication. While this enables flexible passkey registration methods like conditional registration, RPs must promote both passkey registration and the passkey-only strategy to protect users from phishing attacks.
This strategy enables RPs to prioritize passkey adoption for appropriate user segments, such as users familiar with passkey technology or high-value accounts that face significant risks from phishing attacks. This approach achieves enhanced security while maintaining practical usability.