Phishing attacks remain one of the most prevalent threats to online security, with the Anti-Phishing Working Group reporting over 890,000 attacks in Q3 2025 alone. Traditional password-based authentication is particularly vulnerable to such attacks, prompting the development of more secure alternatives. This paper examines passkeys, the credentials defined by FIDO2 (WebAuthn and CTAP), which claim to provide phishing-resistant authentication through asymmetric cryptography. In this approach, a private key is stored on the user's device, the authenticator, while the server stores the corresponding public key. During authentication, the server generates a challenge that the user's authenticator signs with the private key; the server then verifies the signature and establishes a session. We present passkey workflows and review state-of-the-art attack vectors from related work alongside newly identified approaches. Two attacks are implemented and evaluated: the Infected Authenticator attack, which generates attacker-known keys on a corrupted authenticator, and the Authenticator Deception attack, which spoofs a target website by adding an attacker-controlled certificate authority to the browser's trust store, serving the genuine hostname with a certificate issued by that authority, and intercepting user traffic. The attacker relays a legitimate challenge from the real server to the user, who signs it; because the browser sees the genuine origin, the origin bound into the signed client data matches the real site, the relayed assertion verifies, and the attacker authenticates as the victim. Our results demonstrate that successful attacks on passkeys require substantial effort and resources: both attacks presuppose prior compromise of the victim's device or authenticator. The claim that passkeys are phishing-resistant largely holds, significantly raising the bar compared to traditional password-based authentication.
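The challenge-signature flow and the two implemented attacks, as an added example that is not code from the paper. It is a WebAuthn-shaped model in Go: the browser, not the user, stamps the page origin into clientDataJSON, the authenticator signs authData || SHA-256(clientDataJSON) with an ECDSA P-256 key, and the server checks the single-use challenge, the origin, the rpIdHash and the signature. The site bank.example, the look-alike bank-login.example and all helper names are constructed for the example; CBOR encoding, attestation and the user-verification flag are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type (
	// ClientData is the subset of WebAuthn clientDataJSON that matters here.
	ClientData struct {
		Type      string `json:"type"`
		Challenge string `json:"challenge"`
		Origin    string `json:"origin"`
	}
	Assertion     struct{ ClientDataJSON, AuthData, Signature []byte } // what the browser returns to the server
	Authenticator struct{ priv *ecdsa.PrivateKey }                    // the private key never leaves it
	RelyingParty  struct {                                            // the server: public key plus issued challenges
		rpID, origin string
		pub          *ecdsa.PublicKey
		issued       map[string]bool
	}
)

// signedMessage is SHA-256(authData || SHA-256(clientDataJSON)), the digest ECDSA signs in WebAuthn.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign models navigator.credentials.get(): the browser, not the user, stamps the page
// origin into clientDataJSON, and the authenticator signs it together with authData.
func (a *Authenticator) Sign(rpID, browserOrigin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{"webauthn.get", challenge, browserOrigin}) // plain strings cannot fail to marshal
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || signature counter
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	return Assertion{cd, authData, sig}, err
}

// NewChallenge issues a fresh random challenge and remembers it for exactly one use.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read is documented never to return an error (Go 1.24+)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.issued[c] = true
	return c
}

func (rp *RelyingParty) Verify(a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.issued[cd.Challenge] {
		return fmt.Errorf("wrong ceremony type or unknown/reused challenge")
	}
	delete(rp.issued, cd.Challenge) // a captured assertion cannot be replayed later
	if cd.Origin != rp.origin { // the check that defeats classic phishing
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	if rpHash := sha256.Sum256([]byte(rp.rpID)); len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) ||
		!ecdsa.VerifyASN1(rp.pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("rpIdHash mismatch or bad signature")
	}
	return nil
}

// Setup registers one passkey for bank.example, a constructed, fictitious site.
func Setup() (*RelyingParty, *Authenticator) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{rpID: "bank.example", origin: "https://bank.example", pub: &priv.PublicKey, issued: map[string]bool{}}
	return rp, &Authenticator{priv: priv}
}

// Login runs one ceremony: signer signs a fresh server challenge while the browser reports browserOrigin.
func Login(rp *RelyingParty, signer *Authenticator, browserOrigin string) error {
	a, err := signer.Sign(rp.rpID, browserOrigin, rp.NewChallenge())
	if err != nil {
		return err
	}
	return rp.Verify(a)
}

func main() {
	rp, victim := Setup()
	fmt.Println("legitimate login:       ", Login(rp, victim, rp.origin))
	fmt.Println("classic phishing relay: ", Login(rp, victim, "https://bank-login.example"))
	fmt.Println("authenticator deception:", Login(rp, victim, rp.origin))
	fmt.Println("infected authenticator: ", Login(rp, &Authenticator{priv: victim.priv}, rp.origin))
}
```

The four calls in main map onto the abstract. A classic phishing relay hands the victim a genuine challenge on a look-alike site; the browser stamps the look-alike origin into clientDataJSON, so the server's origin check rejects it even though the signature itself is valid. The Authenticator Deception relay is the same call as the legitimate login: with the attacker's CA trusted, the attacker serves the genuine hostname, the browser reports the genuine origin, and nothing the server receives distinguishes the relay from the real user. The Infected Authenticator case needs no victim interaction at all, because the attacker holds the private key. In all three accepted cases the server did everything WebAuthn asks of it; the bar the paper describes is the prior device or authenticator compromise those two attacks require.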