Google Authenticator's Passkey Design May Enable New Attack Vectors

Severity: Medium (Score: 48.9)

Sources: Cybersecuritynews, Gbhackers

Summary

Google's passkey ecosystem, designed to enhance passwordless authentication, has been found to rely on a cloud-side component that could introduce new vulnerabilities. This architecture shifts the locus of 'passwordless trust' and may expose users to account takeover risks. While the system aims to eliminate traditional password theft, its implementation details reveal potential attack vectors that could be exploited by malicious actors. The focus on WebAuthn and FIDO specifications overlooks the practical implications of how these systems are deployed. As attackers target the implementation rather than the standards, the risk of exploitation increases.

Users of Google Authenticator and related services are particularly affected, although specific numbers of impacted accounts have not been disclosed. The current status indicates a need for heightened scrutiny and potential reevaluation of security measures surrounding passwordless authentication.

Key Points:

• Google's passkey system relies on a cloud-side component that may introduce vulnerabilities.
• The shift in 'passwordless trust' could lead to new avenues for account takeover.
• Attackers focus on implementation flaws rather than adherence to standards.
