Your Passkey is Weak: Phishing the Unphishable
Chad Spensky, PhD
DEF CON 33 · Day 1 · Main Stage
In a revealing presentation at DEF CON, Chad Spensky, PhD, delivered a critical analysis of the current state of **passkeys**, challenging the prevailing industry narrative that they are inherently "unphishable." In the talk, titled "Your Passkey is Weak: Phishing the Unphishable," Spensky demonstrated how the widespread adoption of **synced passkeys** – a convenience feature introduced by major tech companies such as Google and Apple – undermines the security guarantees the FIDO Alliance originally envisioned. The talk matters for anyone involved in cybersecurity, from individual users to enterprise CISOs, because it exposes a significant weakness that could lead to widespread account compromise even as the industry pushes towards a passwordless future.
AI review
Spensky does real work here — he picks apart the FIDO2 bait-and-switch with live demos against Google and Bitwarden, showing that synced passkeys inherit exactly the phishability passkeys were supposed to kill. The attack chain (phish the password manager, emulate keystrokes server-side, exfiltrate via LevelDB or Bitwarden's export, replay on attacker-controlled Chrome) is concrete, reproducible, and publicly released. Minor drag is that the core insight — 'synced keys are only as strong as the sync mechanism' — is something sharp practitioners already suspected; the value is in the rigorous…
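One defender-side consequence of the talk's thesis is that a relying party should be able to tell a synced passkey from a device-bound one and apply policy accordingly. WebAuthn Level 3 exposes this in the authenticatorData flags byte: the BE bit (backup eligible, 0x08) says the credential may be synced, and the BS bit (backup state, 0x10) says it currently is. The following Python is an added example written for this page, not code from the talk or its released tooling; it parses the fixed 37-byte prefix of authenticatorData, checks the rpIdHash, and classifies the credential. The `rp_id` values and the `build_auth_data` helper that fabricates inputs are constructed for the example, and the policy function `accept_registration` is a hypothetical name, not a library API.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit assignments of the WebAuthn authenticatorData "flags" byte (WebAuthn L3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the fixed prefix
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthDataSummary:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthDataSummary:
    """Parse the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    # The spec forbids BS without BE; treat that combination as malformed.
    if (flags & FLAG_BS) and not (flags & FLAG_BE):
        raise ValueError("BS flag set without BE flag: malformed authenticatorData")
    return AuthDataSummary(
        rp_id_hash=rp_id_hash,
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def classify_credential(summary: AuthDataSummary, expected_rp_id: str) -> str:
    """Return 'device-bound', 'synced', or a 'reject: ...' reason."""
    if summary.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject: rpIdHash does not match this relying party"
    if not summary.user_present:
        return "reject: user presence not asserted"
    # A credential that is merely *eligible* for backup may be synced later,
    # so policy is keyed on BE rather than on the current BS state.
    return "synced" if summary.backup_eligible else "device-bound"


def accept_registration(auth_data: bytes, expected_rp_id: str, allow_synced: bool) -> tuple[bool, str]:
    """Hypothetical RP policy hook: high-assurance accounts may refuse synced passkeys."""
    verdict = classify_credential(parse_authenticator_data(auth_data), expected_rp_id)
    if verdict.startswith("reject"):
        return False, verdict
    if verdict == "synced" and not allow_synced:
        return False, "reject: synced passkeys not permitted for this account tier"
    return True, verdict


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input only: fabricates the 37-byte fixed prefix."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # constructed relying-party id
    device_bound = build_auth_data(rp, FLAG_UP | FLAG_UV, 7)
    synced = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(accept_registration(device_bound, rp, allow_synced=False))  # (True, 'device-bound')
    print(accept_registration(synced, rp, allow_synced=False))        # (False, 'reject: synced ...')
```

The flags are self-reported by the authenticator, so this check is only as trustworthy as the attestation chain that accompanies registration; without verified attestation, a malicious client could present a cleared BE bit. Note also that the sign counter, which the example surfaces but does not enforce, is typically reported as zero by synced passkeys, which removes another cloning signal relying parties used to have.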