Anonymous Intelligence Signal

Passkey Phishing Defenses Consistently Bypassed in Red Team Assessments, Security Researcher Finds

human The Lab unverified 2026-05-11 18:18:18 Source: r/netsec

A security researcher who conducts phishing assessment engagements professionally reports a troubling pattern: passkeys, widely promoted as phishing-resistant authentication, can be defeated with reliable regularity using a specific class of relay and injection techniques. The methods described exploit the way passkey authentication interacts with browser contexts and credential handling, enabling attackers to capture and replay authentication flows under controlled simulation conditions.

The core of the vulnerability lies not in the cryptographic strength of passkeys themselves, but in the implementation layers surrounding their deployment. When a user attempts to authenticate on a malicious or spoofed domain, certain passkey implementations fail to properly enforce origin validation or can be manipulated into delegating authentication to attacker-controlled interfaces. The researcher notes that these failures occur repeatedly across different environments, suggesting systemic gaps rather than isolated misconfigurations.
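The paragraph above points at origin validation as the layer where deployments fall short. As an added illustration (not the researcher's material and not any vendor's implementation), the following relying-party-side checks show what a passkey server should verify on every WebAuthn assertion before it even looks at the signature: the ceremony type, that the challenge is the one the server issued for this login, that the browser-reported origin is on the allowlist, and that the `rpIdHash` in `authenticatorData` matches the expected RP ID. The `PendingChallenge` record, the helper names, the domains and the byte values are all constructed for the example.

```python
import base64
import hashlib
import json
import secrets
from dataclasses import dataclass

# Flag bits in authenticatorData (WebAuthn Level 2, section 6.1).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass(frozen=True)
class PendingChallenge:
    """Hypothetical server-side record stored when the login challenge was issued."""
    challenge: bytes
    rp_id: str                   # e.g. "example.com"
    allowed_origins: frozenset   # full origins the RP serves its login page from


def verify_assertion_context(pending: PendingChallenge, client_data_json: bytes,
                             authenticator_data: bytes,
                             require_user_verification: bool = True) -> tuple:
    """Bind the assertion to our challenge, origin and RP ID.

    Returns (ok, reason). Signature verification against the stored public
    key is a separate step that runs only after these checks pass.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"

    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"

    # The challenge must be the one issued for this login; a captured
    # assertion carries a stale challenge and is rejected here.
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")),
                                  pending.challenge):
        return False, "challenge mismatch"

    # The browser fills in the origin of the page that called
    # navigator.credentials.get(); a look-alike domain shows up here.
    origin = client_data.get("origin", "")
    if origin not in pending.allowed_origins:
        return False, f"origin not allowed: {origin}"

    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"

    # Bytes 0..32 are SHA-256 of the RP ID the credential is scoped to.
    rp_id_hash = authenticator_data[:32]
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(pending.rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"

    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    if require_user_verification and not flags & FLAG_USER_VERIFIED:
        return False, "user verification flag not set"
    return True, "ok"


# --- constructed sample data for the demo ---------------------------------

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build a clientDataJSON blob as a browser would for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4 big-endian); no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


PENDING = PendingChallenge(
    challenge=bytes(range(32)),  # constructed; a real server uses os.urandom(32)
    rp_id="example.com",
    allowed_origins=frozenset({"https://example.com", "https://login.example.com"}),
)


def demo() -> dict:
    """Run the checks against one legitimate and three rejected assertions."""
    good_auth = make_authenticator_data("example.com", FLAG_USER_PRESENT | FLAG_USER_VERIFIED)
    return {
        "legit": verify_assertion_context(
            PENDING, make_client_data(PENDING.challenge, "https://login.example.com"), good_auth),
        # origin reported by the browser is a constructed look-alike domain
        "spoofed_origin": verify_assertion_context(
            PENDING, make_client_data(PENDING.challenge, "https://example.com.evil.test"), good_auth),
        # stale challenge, as in a replayed capture
        "replayed": verify_assertion_context(
            PENDING, make_client_data(bytes(32), "https://example.com"), good_auth),
        # credential scoped to a different RP ID
        "wrong_rp": verify_assertion_context(
            PENDING, make_client_data(PENDING.challenge, "https://example.com"),
            make_authenticator_data("evil.test", FLAG_USER_PRESENT | FLAG_USER_VERIFIED)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The order of the checks matters in practice: challenge first (defeats replay regardless of origin), then origin (where a relayed login from a look-alike page is caught), then `rpIdHash` (catches a credential scoped to a different RP). An implementation that skips or loosens the origin comparison, for example by accepting any origin that merely ends with the RP ID, is exactly the gap the article describes.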

For organizations that have migrated or plan to migrate to passkey-based authentication under the assumption of robust phishing protection, the findings signal a need for deeper scrutiny. Security teams relying solely on passkey adoption as their anti-phishing strategy may be operating with false confidence. Experts recommend supplementing passkey deployments with domain verification controls, session monitoring, and red team testing specifically targeting authentication relay paths. The research underscores that authentication security remains a layered challenge—passkeys represent meaningful progress, but their promise of near-impenetrable phishing resistance may be overstated.