Lobsters · Thursday, May 21, 2026

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

passkeys · xss · web-authn · security

In a detailed technical analysis, Scott Helme exposes a critical flaw in passkey implementations that use attestation type 'none'. Passkeys rely on WebAuthn, where attestation verifies the authenticator's provenance. When set to 'none', the browser does not require any proof of the authenticator's identity, allowing attackers to inject malicious JavaScript via XSS to intercept passkey creation or authentication. Helme demonstrates a proof-of-concept where an XSS payload steals the passkey's credential ID and public key, enabling the attacker to register their own device as a valid authenticator. This completely undermines the security model of passkeys, which are supposed to be phishing-resistant. The article emphasizes that while passkeys are a significant improvement over passwords, improper configuration—specifically using attestation 'none'—leaves them vulnerable to the same class of attacks that plague traditional authentication. Helme recommends using attestation types like 'direct' or 'indirect' to ensure authenticator verification, and stresses the importance of robust XSS prevention as a foundational security measure.
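As an added illustration (not code from Helme's article or from this digest), here is the relying-party-side gate that the recommendation above implies: after the server has asked for `attestation: "direct"` in the creation options, it parses the CBOR `attestationObject` that `navigator.credentials.create()` returns and refuses any registration whose attestation format is `none`. The CBOR decoder, the allow-list of formats and both sample objects are constructed here for the example; per-format signature and trust-chain verification is assumed to be handled by a WebAuthn library afterwards.

```python
import hashlib

def _cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder: ints, byte/text strings and maps (the types an attestationObject uses)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info == 24:
        n, pos = buf[pos], pos + 1
    elif info == 25:
        n, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major in (0, 1):                      # unsigned / negative integer
        return (n if major == 0 else -1 - n), pos
    if major == 2:                           # byte string
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:                           # text string
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if major == 5:                           # map
        result = {}
        for _ in range(n):
            key, pos = _cbor_decode(buf, pos)
            result[key], pos = _cbor_decode(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

# Attestation formats this relying party is prepared to verify; "none" is deliberately absent.
ALLOWED_FORMATS = {"packed", "tpm", "android-key", "fido-u2f", "apple"}

def attestation_format(attestation_object: bytes) -> str:
    """Return the 'fmt' field of a WebAuthn attestationObject, rejecting malformed input."""
    obj, end = _cbor_decode(attestation_object)
    if end != len(attestation_object) or not isinstance(obj, dict):
        raise ValueError("malformed attestationObject")
    if not all(k in obj for k in ("fmt", "attStmt", "authData")):
        raise ValueError("attestationObject is missing required keys")
    return obj["fmt"]

def accept_registration(attestation_object: bytes) -> bool:
    # Gate on the format first; full attStmt verification for the accepted format comes afterwards.
    return attestation_format(attestation_object) in ALLOWED_FORMATS

# Constructed samples. authData = rpIdHash (32) || flags (1, UP+AT) || signCount (4) = 37 bytes.
AUTH_DATA = hashlib.sha256(b"example.com").digest() + b"\x41" + b"\x00\x00\x00\x01"
_TAIL = b"\x68authData" + b"\x58\x25" + AUTH_DATA
# {"fmt": "none", "attStmt": {}, "authData": ...}: what a browser returns for attestation 'none'.
ATTESTATION_NONE = b"\xa3" + b"\x63fmt" + b"\x64none" + b"\x67attStmt" + b"\xa0" + _TAIL
# {"fmt": "packed", "attStmt": {"alg": -7, "sig": <3 placeholder bytes>}, "authData": ...}
ATTESTATION_PACKED = b"\xa3" + b"\x63fmt" + b"\x66packed" + b"\x67attStmt" + b"\xa2" + b"\x63alg" + b"\x26" + b"\x63sig" + b"\x43\x01\x02\x03" + _TAIL
```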

// why it matters

XSS can nullify passkey security if attestation is not enforced, making proper configuration critical.

Sources

Primary · Lobsters
▸ Read original at scotthelme.co.uk
