Synced passkeys are stored in cloud-based password managers, which are phishable.
Device-bound passkeys never leave the hardware and are effectively unphishable.
Synced passkeys put you at more risk than a password plus a second factor
If your passkeys are stolen, an attacker can log in to your accounts without any other factor, and can take your keys away from you so that you can never log back in.
Cloud-based password managers are a single point of failure: a compromise of the cloud provider is the end.
Synced passkeys are only as secure as the password manager's credentials, which are phishable.
Using the same key on every device means there is no redundancy and no way to remediate a single device.
To highlight the risk, we demonstrate phishing attacks against two popular synced passkey providers.
The attacks are easy to deploy and can successfully phish all of the user's passkeys and passwords, which can then be exported and deleted to take complete control of the victim's accounts.
Check out our DEFCON 33 talk for more details (video coming soon).
Device-bound passkeys – Keys are stored in the secure element (SE) of your phone and never leave. Nothing is synced to the cloud, exported, or stored on shared infrastructure.
Proximity-based authentication – Bluetooth LE challenge-response ensures access happens only when you’re physically present.
Multi-platform, no lock-in – Works across macOS, Windows, and Linux with native platform support.
Rescue Missions – Secure, decentralized backups of all of your keys using Shamir Secret Sharing (SSS): shares of your keys are stored securely on the phones of your friends and loved ones.
Free for personal use at download.allthenticate.com.
Allthenticate
Smartphone-based passkey provider using device-bound keys stored in the secure hardware on the phone. The phone communicates over Bluetooth with paired computers to provide access to the keys across all of the user's devices without compromising security or usability.
Beyond Identity
Beyond Identity is an enterprise identity provider that offers device-bound passkeys as well as other MFA and identity products.
HYPR
HYPR device-bound passkeys are a type of FIDO-based authentication credential designed specifically for enterprise environments, offering more security and control than the synced passkeys offered by platforms like Apple and Google.
OFFPAD
Phishing-resistant FIDO2 security key with fingerprint-based, user-friendly authentication.
Solokeys
Open-source hardware security keys supporting device-bound FIDO2 credentials. Prioritizes transparency and tamper-resistance in hardware-backed authentication.
Yubico (YubiKey)
FIDO2-certified hardware keys offering device-bound passkeys. Rated AAL3 by NIST, resistant to phishing, sync attacks, and physical compromise.

1Password
Syncs passkeys across devices for convenience, but this introduces risks of large-scale compromise tied to cloud storage and shared platform infrastructure.

Apple (iCloud Keychain)
Stores passkeys in iCloud and syncs across Apple devices. While secure by Apple’s standards, the architecture remains vulnerable to iCloud-based compromise and shared platform risk.

Bitwarden
Uses software-based passkeys stored in the cloud. While vault encryption is strong, synced credentials can still be exported or exploited if the cloud account is compromised.

Google Password Manager
Syncs credentials across Google services and devices, introducing attack surfaces tied to Google account takeover and centralized cloud storage.

LastPass
Relies on synced passkeys, leaving users exposed to threats like platform-wide breaches and unauthorized data sharing between cloud-linked devices.
Researchers showed how hackers could steal and reuse your passkeys by tampering with the browser itself — even making the login look completely normal. Their work highlights why passkeys aren’t foolproof and why extra protections are still needed.
Dan argues that synced passkeys are no better than passwords that "must" be stored in a password manager, nicely articulating the exact attack that we demonstrated.
PoisonSeed demonstrates a QR-based phishing method that tricks users into approving FIDO2 logins without a security key.
This paper demonstrates how a Man-in-the-Middle attack can exploit the Client-to-Authenticator Protocol (CTAP) in passkey authentication, enabling an attacker to hijack a victim’s session via Bluetooth and gain account access. The findings underscore the need for stronger safeguards in future FIDO and WebAuthn implementations.
Tobia Righi reveals a vulnerability that allows passkey phishing via fido:/ URIs over Bluetooth, affecting mobile browsers.
This arXiv paper compares device-bound vs synced passkeys, highlighting how syncing can introduce phishing risks in FIDO2 systems.
Accenture’s Red Team shows how attackers can spoof Windows Hello for Business to bypass passwordless authentication.
Back in 2023, Lauren Weinstein was highlighting the attack shown here and sounding alarm bells. Here we are in 2025 with the same problem.