A recent Ars Technica analysis questions SquareX’s Defcon-published claims that passkeys can be stolen, arguing the study leans into hype rather than a proven vulnerability.
The research describes “Passkeys Pwned” as a browser-extension attack that hijacks the registration flow, binding a malware-generated keypair to a legitimate domain such as gmail.com, potentially granting attackers access to cloud apps.
Security experts say the attack relies on endpoint compromise or social engineering, and does not reveal a flaw in passkeys themselves, whose private keys remain on the user’s device under the FIDO/WebAuthn model.
Critics, including security engineer Kenn White, have characterized the report as a dubious marketing pitch; Ars Technica’s Dan Goodin notes that passkeys remain highly resistant to phishing when endpoints are secured.
Overall, passkeys offer strong defense against credential theft, but researchers warn that client-side risks must be part of any security evaluation as technology evolves, and that public debates should distinguish proof-of-concept demonstrations from foundational vulnerabilities.
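As an added illustration of the FIDO/WebAuthn model the experts refer to (example code written for this summary, not SquareX's research or Ars Technica's), the block below performs the relying-party-side checks a server runs on a passkey registration response: ceremony type, the challenge it issued, the origin the browser reported, and the SHA-256 hash of the RP ID. The RP ID `example.com`, the challenge bytes and the sample responses are constructed for the demo.

```python
import base64
import hashlib
import json
import secrets

# Constructed challenge the relying party "issued" for this registration ceremony.
CHALLENGE = bytes(range(32))
RP_ID = "example.com"                # constructed RP ID
ORIGIN = "https://example.com"       # origin the RP expects the browser to report


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.create") -> bytes:
    """Build a constructed clientDataJSON as a browser would for a create() call."""
    return json.dumps({
        "type": ceremony,
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def verify_registration(client_data_json: bytes, rp_id_hash: bytes,
                        expected_challenge: bytes, expected_origin: str,
                        rp_id: str) -> tuple[bool, str]:
    """Return (ok, reason), mirroring the WebAuthn registration checks on
    type, challenge, origin and rpIdHash from the authenticator data."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.create":
        return False, "wrong ceremony type"
    # Constant-time compare: a stale or forged challenge means replay/forgery.
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or forged response)"
    # Origin binding is what defeats look-alike phishing sites.
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    # rpIdHash in authenticator data must equal SHA-256 of the RP ID.
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash does not match RP ID"
    return True, "ok"


def demo() -> dict:
    """Run the checks over constructed responses and return each verdict."""
    good_hash = hashlib.sha256(RP_ID.encode()).digest()
    return {
        # Registration from the legitimate origin with the issued challenge.
        "legit": verify_registration(make_client_data(ORIGIN, CHALLENGE),
                                     good_hash, CHALLENGE, ORIGIN, RP_ID),
        # Look-alike phishing origin: rejected by the origin check.
        "phish": verify_registration(make_client_data("https://example.com.evil.test", CHALLENGE),
                                     good_hash, CHALLENGE, ORIGIN, RP_ID),
        # Stale challenge: rejected by the challenge check.
        "replay": verify_registration(make_client_data(ORIGIN, b"\x00" * 32),
                                      good_hash, CHALLENGE, ORIGIN, RP_ID),
        # Authenticator data scoped to a different RP ID.
        "wrong_rp": verify_registration(make_client_data(ORIGIN, CHALLENGE),
                                        hashlib.sha256(b"evil.test").digest(),
                                        CHALLENGE, ORIGIN, RP_ID),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

These fields are what make a passkey phishing-resistant: a response produced on a look-alike origin, with a stale challenge, or scoped to another RP ID is rejected. They are also why the experts quoted above classify the SquareX demonstration as an endpoint-compromise problem rather than a passkey flaw: a registration produced by malicious code already running in the user's browser on the legitimate origin carries the correct origin, challenge and RP ID hash, so nothing in these checks distinguishes it. The relying party verifies where the response came from, not the integrity of the browser that produced it, which is the client-side risk the summary says must be part of any evaluation.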