[cjcampbell]

One devious thing about this attack is that the phishing site doesn’t even need to impersonate the site it’s attacking. I have password based logins on hundreds of sites and it’s plausible that I’ll eventually have passkeys on enough sites that I can’t keep track.

Consider the airport attack. Rather than trick me to log with my social credentials, you could prompt me to sign up for a new account on hotspot.xyz. After I enter my email, tell me that the account exists and prompt to log in with passkey.

Now the attacker kicks off the connection targeting my Google credentials. Rather than a fake login screen, they present me with a QR code. From the user perspective, there’s nothing obvious to tell me this is a passkey flow with Google and so I wrongly assume that my passkey must be in my mobile keychain. I scan the QR code and get prompted to approve the login. If I read the block of text on my phone, I will see a mention of the RP (Google.com) but I’d guess most users aren’t looking that closely.

When all is said and done, my hotspot login attempt failed and I’m completely unaware that I just logged into Google on your behalf.