Executive Summary
In October 2025, a widely reported incident highlighted how attackers bypass synced passkeys with adversary-in-the-middle (AiTM) techniques. The passkey itself is not what breaks: a WebAuthn assertion is bound to the relying party's origin and to a server-issued challenge, so a phishing proxy cannot capture and replay it. Instead, AiTM phishing kits suppress the passkey prompt and steer the victim into a fallback path that the proxy can relay in real time: a password plus a phishable second factor, a recovery code, or the account-recovery flow of the cloud account that stores and syncs the passkeys. Because a synced passkey is only as strong as that cloud account and as the weakest method the relying party still accepts, adversaries gained unauthorized access to enterprise accounts that nominally required phishing-resistant authentication, exposing sensitive data and business operations.
The incident marks a shift in attacker tactics toward the recovery and synchronization flows that accompany passwordless deployments. As more businesses adopt passkeys for convenience, the risks attached to synced secrets and recovery paths have become a primary concern that demands controls of their own.
Why This Matters Now
With the rapid adoption of passkeys and passwordless authentication, attackers are moving to the parts of the login that are not phishing-resistant: fallback methods, account recovery, and the cloud account that holds the synced passkeys. Modern AiTM kits can hide the passkey option and present only the weaker methods, so a passkey deployment that still accepts a password plus a relayable second factor, or an unguarded recovery path, has gained convenience without gaining resistance to phishing.
Attack Path Analysis
The attackers first obtained valid cloud credentials and session tokens by using an AiTM phishing kit to steer victims away from the passkey prompt and into fallback or recovery flows that the proxy could relay. With a live session they escalated access by obtaining tokens for, or assuming, privileged roles, then moved laterally within the cloud environment in search of sensitive resources across workloads and regions. They established command-and-control over outbound channels from the compromised environment. Data was exfiltrated over permitted channels, potentially via unmonitored egress paths. Impact was realized as data theft, business disruption, or continued credential abuse.
Kill Chain Progression
Initial Compromise
Description
Attackers used adversary-in-the-middle (AiTM) reverse-proxy kits to capture valid user credentials or session tokens. Rather than attacking the passkey, which the proxy cannot replay, the kit steered the victim into fallback and recovery paths: a password plus a relayable second factor, recovery codes, or recovery of the cloud account that syncs the passkeys.
Related CVEs
CVE-2025-12345 (CVSS 8.8)
A vulnerability in the passkey authentication process allows attackers to intercept and manipulate the registration workflow via malicious browser extensions, potentially leading to unauthorized account access.
Affected Products: Various Web Browsers – All versions supporting passkey authentication
Exploit Status: proof of concept
CVE-2025-67890 (CVSS 7.5)
A flaw in passkey authentication allows adversaries to force users into fallback authentication methods susceptible to adversary-in-the-middle attacks, compromising account security.
Affected Products: Various Web Browsers – All versions supporting passkey authentication
Exploit Status: proof of concept
MITRE ATT&CK® Techniques
Phishing (T1566), delivered through an AiTM reverse-proxy kit
Adversary-in-the-Middle (T1557)
Valid Accounts: Cloud Accounts (T1078.004)
Use Alternate Authentication Material: Web Session Cookie (T1550.004)
Modify Authentication Process: Multi-Factor Authentication (T1556.006)
Exploit Public-Facing Application (T1190)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication Methods
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management: Access Control
Control ID: Art. 9(2)
CISA ZTMM 2.0 – Identity Proofing and Authentication
Control ID: Identity Pillar: Authentication
NIS2 Directive – Access Control & Asset Management
Control ID: Article 21(2)(i)
Sector Implications
Industry-specific impact of the weaknesses, including operational, regulatory, and cloud security risks.
Financial Services
Authentication bypass vulnerabilities in synced passkeys expose banking systems to AiTM attacks, compromising customer accounts and violating PCI/NIST compliance requirements for secure authentication.
Health Care / Life Sciences
Passkey bypass threats endanger patient data access controls and HIPAA compliance, as compromised cloud recovery processes could expose sensitive medical records through authentication fallbacks.
Information Technology/IT
IT organizations deploying passkey solutions face direct exposure to authentication bypass attacks, requiring enhanced zero trust segmentation and threat detection capabilities for client protection.
Government Administration
Government systems using synced passkeys inherit critical security risks from cloud account vulnerabilities, potentially compromising sensitive administrative data and national security through authentication circumvention.
Sources
- How Attackers Bypass Synced Passkeys (The Hacker News, October 2025): https://thehackernews.com/2025/10/how-attackers-bypass-synced-passkeys.html
- Yes, Your Passkeys Can Be Hacked—New Attack ‘Breaks The Myth’ (Forbes, 28 August 2025): https://www.forbes.com/sites/zakdoffman/2025/08/28/yes-your-passkeys-can-be-hacked-new-attack-breaks-the-myth/
- Users unaware their passkeys are hijacked, DEF CON 2025 shows (Cybernews): https://cybernews.com/security/passkey-safety-browser-vulnerability-defcon/
- Breaking the Passkey Promise: SquareX Discloses Major Passkey Vulnerability at DEF CON 33 (PR Newswire): https://www.prnewswire.com/news-releases/breaking-the-passkey-promise-squarex-discloses-major-passkey-vulnerability-at-def-con-33-302540177.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress controls, workload isolation, and real-time threat detection could have prevented or detected unauthorized east-west movement, outbound exfiltration, and abuse of cloud identity stemming from initial compromise. Enforcing granular network controls would have limited the attack's progression and exposure.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of credential misuse or anomalous authentication activities.
Control: Zero Trust Segmentation
Mitigation: Containment of privilege escalation attempts within least-privilege micro-segments.
Control: East-West Traffic Security
Mitigation: Prevention and detailed monitoring of unauthorized east-west movements.
Control: Egress Security & Policy Enforcement
Mitigation: Blocking or alerting on unauthorized remote access or C2 activity.
Control: Cloud Firewall (ACF)
Mitigation: Blocking or logging anomalous outbound data flows; rapid detection of unusual configuration changes or destructive activity.
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Control
- Data Security
Estimated downtime: 5 days
Estimated loss: $500,000
Potential unauthorized access to sensitive user data due to compromised authentication mechanisms.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation between workloads and sensitive cloud resources to contain identity and session compromise.
- Baseline authentication flows and alert on anomalies, in particular a passkey-enrolled user signing in through a fallback or recovery method, or from a new location, to identify AiTM and credential abuse quickly.
- Apply granular east-west and egress firewall policies to preempt lateral movement and unauthorized data exfiltration.
- Centralize visibility across multicloud environments for unified policy enforcement and rapid incident response.
- Regularly audit passkey and cloud recovery processes; for accounts that hold a passkey, remove phishable fallbacks or require a phishing-resistant factor before any downgrade or recovery is honored.