Passkey Login Bypassed via WebAuthn Process Manipulation - SecurityWeek
Why This Matters Now Visual Overview: sequenceDiagram participant User participant SPA as Single Page App participant AuthServer as Authorization Server SPA->>SPA: 1. Generate code_verifier & code_challenge SPA->>AuthServer: 2. Auth Request + code_challenge AuthServer->>User: 3. Login Page User->>AuthServer: 4. Authenticate AuthServer->>SPA: 5. Authorization Code SPA->>AuthServer: 6. Token Request + code_verifier AuthServer->>AuthServer: 7. Verify: SHA256(code_verifier) == code_challenge AuthServer->>SPA: 8. Access Token Last week, researchers at SquareX revealed a critical flaw in the passkey authentication mechanism, specifically targeting the WebAuthn protocol. This vulnerability could allow attackers to bypass passkey-based login security, even when strong authentication methods like Face ID are used. As passkeys are increasingly adopted by major tech companies, understanding and mitigating this risk is crucial. ...