Good Carder
From a carder to carders. Do you think Passkeys are an impenetrable shield? That biometrics and hardware pairing with the Secure Enclave make your accounts impenetrable? Naive. Passkeys do indeed defeat classic phishing. But they have created new attacks that are not mentioned in the advertising brochures.
In 2027, WebAuthn and CTAP2.1 are not magic. They are protocols with design flaws, vulnerable implementations, and, most importantly, human error. In this article, I will analyze real ways to bypass Passkey authentication without physical access to the victim's device. From FIDO2 token emulation to MITM proxying, from downgrade attacks to extracting session tokens after a successful login. No advertising nonsense — just what actually works in combat.
Part 1. Passkeys 2027: What it protects (and what it doesn't)
Passkeys are FIDO2/WebAuthn. The victim's device generates a key pair: the private key is tightly bound to secure storage (Secure Enclave on iOS/macOS, TPM on Windows, Trusted Execution Environment (TEE) on Android), and the public key is sent to the server. Upon login, the server sends a challenge — random data that the device signs with the private key. Furthermore, the protocol is built-in to the domain (origin), which formally prevents phishing: the signature will not work for another site.
This is intended to defeat classic phishing: it is impossible to steal a passkey remotely, nor to replace the signature. Passkeys will truly become the standard in 2026–2027, but any protection has its weaknesses.
The key limitations that created loopholes for attacks are:
- Session tokens remain. Passkeys only protect login. Once a user logs in, the server issues them a bearer token or session cookie. Steal this token, and you're in, even without a passkey.
- Cloud syncing. Passkeys are synced across devices via iCloud Keychain, Google Password Manager, and Microsoft Account. This is convenient — and terrible from a security standpoint. Whoever hacks iCloud gets all your passkeys.
- Authentication "backup routes." Almost all sites that use passkeys leave the option to "log in with a password" or "send a code via SMS." Once you find a way to force the victim to use this option, the passkey is useless.
- Roaming authorizers. Keys can be used from a smartphone on a laptop via Bluetooth/USB. By intercepting this channel (via a MITM proxy at the communication protocol level), you can intercept the signature and use it for your login.
Part 2. Vulnerability Card: CVEs, Design Defects, and Real-World Exploits
2.1. CVE-2025-12150: Attestation Policy Forgery in Keycloak
A vulnerability in Keycloak's WebAuthn registration component allowed an attacker to bypass the configured attestation policy and register an unverified, fake authorizer by sending an attestation object with the fmt: "none" type, even when the system required direct attestation. This facilitated the injection of fake keys.
2.2. CVE-2026-37982: Auth Token Replay in Keycloak
A vulnerability allows a remote attacker to replay ExecuteActionsActionTokens in a WebAuthn stream. By intercepting the action execution email link, the attacker can register their hardware key and gain persistent access to the account. WebAuthn was not resistant to replay attacks if the relying party incorrectly validated the origin.
2.3. CVE-2025-11984: GitLab 2FA Bypass via Session Manipulation
A vulnerability in GitLab allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating session state. Under certain conditions, this required low privileges and complex conditions. But the main lesson: even large platforms make mistakes in implementation.
2.4. CVE-2025-66558: 2FA Device Theft via Missing Ownership Verification
A vulnerability in the Nextcloud Twofactor WebAuthn app allowed a remote attacker to "hijack" a 2FA device due to a lack of ownership verification. Without ownership verification, a drop is unnecessary—someone else's key can be used to lock someone else's door.
2.5. CTAP2.1 Design Defects: Unauthenticated Client and Trackable Credentials
Researchers have identified eight vulnerabilities in the CTAP specification, which they dubbed CTRAPS (CTAP Client Impersonation and API Confusion on FIDO2). Six of these are new and include unauthenticated CTAP clients, trackable FIDO2 credentials, and the ability to reset an authorizer without user verification.
The most dangerous for carders are:
- Lack of client authentication. The protocol does not require the client to prove its identity. By faking the client, one can communicate directly with the authorizer.
- No User Verification check when calling Reset. It's possible to perform a factory reset of the authorizer without verifying your identity.
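The registration-time gate that 2.1 above describes as bypassed (an attestation object declaring fmt "none" being accepted under a policy that demanded direct attestation) is small enough to show in full. The following is an added example written for this edit, not code from the post or from Keycloak: a minimal CBOR codec covering the subset WebAuthn attestation objects use, and a policy check that rejects a self-declared "none" format whenever the relying party asked for direct attestation. The RP ID, the sample attestation objects and the placeholder attestation statement are constructed for the example; verifying the attestation statement's certificate chain, which follows this gate in a real relying party, is not part of it.

```python
import hashlib

# --- Minimal CBOR codec (ints, byte/text strings, arrays, maps) ---
# Written for this example; a production relying party would use a full CBOR library.

def _head(major, n):
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    if n < 65536:
        return bytes([major << 5 | 25]) + n.to_bytes(2, "big")
    return bytes([major << 5 | 26]) + n.to_bytes(4, "big")


def cbor_encode(value):
    if isinstance(value, bool):
        raise ValueError("booleans are not needed for this example")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in value.items())
    raise ValueError("unsupported type %r" % type(value))


def cbor_decode(data, pos=0):
    """Returns (value, next_pos); raises ValueError on truncated or unsupported input."""
    if pos >= len(data):
        raise ValueError("truncated CBOR")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    widths = {24: 1, 25: 2, 26: 4}
    if info < 24:
        arg = info
    elif info in widths:
        arg = int.from_bytes(data[pos:pos + widths[info]], "big")
        pos += widths[info]
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(data):
            raise ValueError("truncated CBOR string")
        chunk = data[pos:pos + arg]
        return (bytes(chunk) if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        mapping = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            val, pos = cbor_decode(data, pos)
            mapping[key] = val
        return mapping, pos
    raise ValueError("unsupported CBOR major type %d" % major)


# --- Attestation policy gate ---
KNOWN_FORMATS = {"packed", "tpm", "android-key", "android-safetynet", "fido-u2f", "apple", "none"}
FLAG_AT = 0x40  # authData flag: attested credential data is present


class RegistrationRejected(Exception):
    pass


def check_attestation_policy(attestation_object, policy):
    """policy is the relying party's conveyance requirement: "none", "indirect" or "direct".
    Returns the accepted fmt. Under "direct", fmt "none" proves nothing about the
    authenticator and must be refused; the attestation statement itself (certificate
    chain, signature) is verified after this gate and is not shown here."""
    att, end = cbor_decode(attestation_object)
    if end != len(attestation_object) or not isinstance(att, dict):
        raise RegistrationRejected("malformed attestation object")
    fmt, att_stmt, auth_data = att.get("fmt"), att.get("attStmt"), att.get("authData")
    if not isinstance(fmt, str) or not isinstance(att_stmt, dict) or not isinstance(auth_data, bytes):
        raise RegistrationRejected("attestation object missing fmt/attStmt/authData")
    if fmt not in KNOWN_FORMATS:
        raise RegistrationRejected("unknown attestation format %r" % fmt)
    if len(auth_data) < 37 or not auth_data[32] & FLAG_AT:
        raise RegistrationRejected("authData lacks attested credential data")
    if policy == "direct" and (fmt == "none" or not att_stmt):
        raise RegistrationRejected("policy requires direct attestation, got fmt %r" % fmt)
    return fmt


def sample_attestation_object(fmt, rp_id="example.com"):
    """Constructed sample, not real authenticator output: authData with the AT flag
    set and a placeholder attested-credential block, wrapped in a CBOR map."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_AT | 0x01])
                 + (0).to_bytes(4, "big") + b"\x00" * 16 + b"\x00\x10" + b"A" * 16 + b"\xa0")
    att_stmt = {} if fmt == "none" else {"alg": -7, "sig": b"placeholder"}
    return cbor_encode({"fmt": fmt, "attStmt": att_stmt, "authData": auth_data})
```

A relying party that only reads fmt from the object and trusts it is trusting the client's own claim; the gate above ties the declared format to the configured policy before any cryptographic verification starts, which is the check whose absence 2.1 describes.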
2.6. SlowMist: WebAuthn downgrade attack
SlowMist CISO 23pds described a method for bypassing WebAuthn logins by forcing downgrades to passwords or SMS. The attack doesn't require physical access to the device, only an XSS vulnerability on the website or a malicious extension in the victim's browser. Essentially, you don't crack the passkey; you force the victim to use an alternative, weaker login method.
2.7. BitM+: Advanced MITM vs. FIDO2/CTAP
BitM (Browser-in-the-Middle) is an advanced MITM attack capable of bypassing FIDO2 and WebAuthn by intercepting and spoofing traffic between the victim's browser and the website. Using this attack, an attacker can intercept key registration and replace their public key with one linked to the account.
Part 3: Methods for Bypassing WebAuthn Without a Physical Device
3.1 Simulating successful authentication through FIDO2 emulators
If you can't forge a signature, you can present the system with an already signed response. This is a replay attack. WebAuthn isn't always secure against this if the relying party doesn't store the state of used challenges. In theory, challenges are one-time use, but in practice, errors can occur.
Emulation via passless: passless is a FIDO2 software emulator written in Rust that runs as a virtual UHID device on Linux. Essentially, you create a soft key that appears to the system as a YubiKey. If the site allows you to register a new authorizer, you register yours and then use it to log in.
Emulation via nid-webauthn-emulator: This Node.js library emulates the WebAuthn API directly in the browser, allowing you to test passkeys without physical hardware. An attacker can load this library into the victim's context via XSS and emulate a successful login on their behalf. Its navigator.credentials.get() returns a signed assertion, which the site accepts as valid if it does not check the origin.
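Both failure modes named in 3.1 (a relying party that does not track used challenges, and one that does not check the origin in clientDataJSON) are relying-party bugs rather than protocol weaknesses, and Part 1's description of the challenge/origin binding is exactly what the server side has to enforce. The following added example, written for this edit and not taken from the post or from any named tool, shows the assertion checks in the order a relying party should apply them: ceremony type, origin, one-time challenge, rpIdHash, user-presence/verification flags, signature over authData || SHA-256(clientDataJSON), and a signature counter that must move forward. The RP ID, origin, user id and the three assertions in `demo()` are constructed; the HMAC used to sign and verify them in the offline demo stands in for the ECDSA P-256 key pair a real authenticator and relying party would use, and `verify_sig` is passed in for that reason.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed relying-party identity for this example (not from the post).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
FLAG_UP, FLAG_UV = 0x01, 0x04  # user present / user verified bits in authData flags


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ChallengeStore:
    """One-time challenges: consumed on first use, so a captured assertion replayed
    later is refused even though its signature is still cryptographically valid."""

    def __init__(self):
        self._pending = {}

    def issue(self, user_id):
        challenge = b64url(secrets.token_bytes(32))
        self._pending[challenge] = user_id
        return challenge

    def consume(self, challenge, user_id):
        return self._pending.pop(challenge, None) == user_id


class AssertionRejected(Exception):
    pass


def verify_assertion(store, user_id, client_data_json, authenticator_data, signature,
                     stored_sign_count, verify_sig, require_uv=True):
    """Relying-party checks on a WebAuthn assertion. verify_sig(message, signature)
    is the caller's public-key check over the registered credential (ECDSA P-256 in
    real deployments). Returns the new signature counter on success."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise AssertionRejected("wrong ceremony type")
    # Origin must equal this RP's own origin: an assertion minted for any other
    # origin, whether by a phishing page or an emulator, stops here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise AssertionRejected("origin mismatch: %r" % client_data.get("origin"))
    if not store.consume(client_data.get("challenge", ""), user_id):
        raise AssertionRejected("unknown or already used challenge (replay?)")
    if len(authenticator_data) < 37:
        raise AssertionRejected("authenticator data too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise AssertionRejected("rpIdHash is not ours")
    if not flags & FLAG_UP or (require_uv and not flags & FLAG_UV):
        raise AssertionRejected("user presence/verification flags not satisfied")
    # The signed message covers authData and the hash of clientDataJSON, so origin
    # and challenge cannot be edited after signing without invalidating the signature.
    if not verify_sig(authenticator_data + hashlib.sha256(client_data_json).digest(), signature):
        raise AssertionRejected("bad signature")
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise AssertionRejected("signature counter did not increase (cloned credential?)")
    return sign_count


def _auth_data(flags, sign_count):
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def demo():
    """Three constructed assertions: genuine, replayed, and from a foreign origin.
    The HMAC key below stands in for the authenticator's private key and the RP's
    stored public key in this offline demo; WebAuthn itself uses asymmetric keys."""
    demo_key = b"constructed-demo-key"

    def sign(message):
        return hmac.new(demo_key, message, "sha256").digest()

    def verify_sig(message, signature):
        return hmac.compare_digest(sign(message), signature)

    store, results = ChallengeStore(), {}

    def attempt(name, origin, challenge, stored_count=4):
        cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        auth = _auth_data(FLAG_UP | FLAG_UV, 5)
        sig = sign(auth + hashlib.sha256(cdj).digest())
        try:
            results[name] = verify_assertion(store, "alice", cdj, auth, sig, stored_count, verify_sig)
        except AssertionRejected as exc:
            results[name] = str(exc)

    challenge = store.issue("alice")
    attempt("genuine", EXPECTED_ORIGIN, challenge)   # accepted; counter advances to 5
    attempt("replay", EXPECTED_ORIGIN, challenge)    # same challenge again: refused
    attempt("foreign_origin", "https://login-example.invalid", store.issue("alice"))
    return results
```

The order matters for detection as much as for correctness: an origin mismatch or a reused challenge is logged before any signature work is done, so a relying party gets a clean signal of a proxied or replayed login rather than a generic "bad signature".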
3.2. Proxy Relay Attack (MITM on USB/Bluetooth)
When a victim uses a passkey from a phone to log in to a laptop, the connection is via Bluetooth or USB (roaming authenticator). By intercepting this channel, a signed assertion can be obtained and used to log in.
The typical scenario:
- You create a malicious Android app that emulates a FIDO2 authorizer and broadcasts itself via Bluetooth.
- A user (victim) near you is trying to log in to the site.
- The malicious authenticator intercepts the request, relays it to the remote server where you generate the signature, and returns it back.
- You have successfully authenticated on behalf of the victim.
Relevance for 2027: CTAP2.1 still does not authenticate the client to the authorizer, making it possible to spoof the client at a distance (within Bluetooth/NFC range). The Evilginx2 tool, known as a MITM proxy for bypassing MFA, is being developed, and its adaptation for WebAuthn is in development. Some researchers have also presented BitM+, an advanced attack capable of bypassing FIDO2 by intercepting and spoofing logins.
3.3. XSS + Malicious Browser Extension: High Tech
In 2027, a method that combines an XSS vulnerability on the target website with a malicious browser extension is slowly but surely gaining popularity. The attack looks like this:
- You find XSS on a site that uses passkeys.
- Implement a script that intercepts navigator.credentials.get() and navigator.credentials.create().
- When the victim attempts to log in, your script replaces the origin or credential ID.
- The system thinks that authentication was successful and issues a session token.
If the victim has a malicious extension installed, you don't even need XSS — the extension can intercept WebAuthn API calls on its own. SquareX demonstrated how a malicious extension hijacks WebAuthn calls and manipulates passkey registration or login without breaking the cryptography. The user doesn't notice the substitution because they see the standard passkey selection dialog.
3.4. Disabling Passkey via Downgrade: How to Force a Victim to Use a Password
The most effective method. You don't need to hack the passkey; you need to prevent the system from asking for it.
Login button analysis. Many websites offer "Password login" or "Email me a magic link." A malicious extension hides the passkey button or replaces its handler.
Conditional mediation manipulation. Immediate mediation is a WebAuthn mechanism that allows you to offer passkey login without entering your username. If you replace the "conditional" flag via JavaScript, the browser won't offer a passkey, and the site will switch to a backup method.
Hacking backup methods. If the user is prompted for an SMS code, intercept it using an SS7 attack or SIM swap. If they offer backup recovery codes, steal them. If they ask for security questions, find out the answers using OSINT. These methods are old, but passkeys haven't completely eliminated them.
3.5. Intercepting session tokens after successful authentication
Passkeys only protect the initial login. Session tokens and cookies do not.
XSS theft: If a site has XSS, you execute document.cookie and send the cookies to your server. With these cookies, you log in as the victim, even if they have a passkey.
LocalStorage theft: Many sites store the bearer token in localStorage (bad practice, but it does happen). JavaScript steals the token and sends it to you.
Browser theft (post-exploitation): Tools like SharpWeb extract cookies from Chrome, Edge, and Firefox. If you have compromised the victim's computer (RDP, Trojan, phishing), you simply copy the cookies and import them into your browser.
VaultJacking: In May 2026, researchers demonstrated how the VaultJacking attack allows you to extract passkeys from synced storage (Google Password Manager, iCloud Keychain) using just one PIN. Even hardware-based keys are unprotected if they sync via the cloud. Passkey protects your login on a specific website, but it can be stolen from the cloud, making it work on any device. The Passkey's connection to the device is broken as soon as you agree to sync.
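The point of 3.5 for a defender is that a stolen cookie is used from a client that is not the one that completed the passkey ceremony, and that is visible in access logs. The following added example, written for this edit and not from the post, runs a simple session-reuse detector over constructed log lines: it remembers the (IP, user agent) fingerprint that authenticated each session and raises an alert when the same session id appears from a different fingerprint, recording how soon after the original client's previous request that happened. The log format, field names, session ids, addresses and paths are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed access-log lines (not real data). Session ab12 completes a passkey
# login from one browser, then 35 seconds later the same session id is used from a
# different address and user agent while the original browser keeps using it.
SAMPLE_LOG = """\
2027-03-01T10:00:00Z sid=ab12 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh)" path=/login/webauthn/verify
2027-03-01T10:00:05Z sid=ab12 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh)" path=/account
2027-03-01T10:00:40Z sid=ab12 user=alice ip=198.51.100.7 ua="Mozilla/5.0 (Windows NT 10.0)" path=/account/export
2027-03-01T10:02:00Z sid=ab12 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh)" path=/orders
2027-03-01T11:00:00Z sid=cd34 user=bob ip=192.0.2.5 ua="Mozilla/5.0 (X11; Linux)" path=/login/webauthn/verify
2027-03-01T11:30:00Z sid=cd34 user=bob ip=192.0.2.5 ua="Mozilla/5.0 (X11; Linux)" path=/orders
"""

LINE_RE = re.compile(r'^(\S+) sid=(\S+) user=(\S+) ip=(\S+) ua="([^"]*)" path=(\S+)$')


def parse_line(line):
    """Parses one constructed log line into a dict, or returns None if it does not match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts, sid, user, ip, ua, path = match.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "sid": sid,
            "user": user, "ip": ip, "ua": ua, "path": path}


def detect_session_reuse(log_text, window_seconds=300):
    """Alerts on a session used from a client fingerprint (ip, ua) other than the one
    that authenticated it. 'concurrent' is set when the previous request on that
    session came from a different fingerprint within window_seconds: the original
    client is still active, which a slow change of network address (mobile roaming,
    VPN reconnect) does not produce."""
    first_seen, last_event, alerts = {}, {}, []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        sid, fingerprint = event["sid"], (event["ip"], event["ua"])
        if sid not in first_seen:
            first_seen[sid] = fingerprint
        elif fingerprint != first_seen[sid]:
            prev = last_event[sid]
            gap = (event["ts"] - prev["ts"]).total_seconds()
            alerts.append({
                "sid": sid, "user": event["user"], "ip": event["ip"], "ua": event["ua"],
                "path": event["path"], "seconds_since_previous": gap,
                "concurrent": gap <= window_seconds and (prev["ip"], prev["ua"]) != fingerprint,
            })
        last_event[sid] = event
    return alerts
```

A fingerprint change alone is a weak signal, so the sensible response to an alert is a step-up re-authentication with the passkey for that session rather than an outright block; a concurrent alert on a sensitive path such as an export or a recovery-settings page is the case worth revoking the session over.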
3.6. Extracting passkeys from TPM/Secure Enclave
This is the most difficult and dangerous vector. If you can extract the private key directly from the secure storage, you have permanent access to the account.
From the Windows TPM. Windows 11 stores passkeys as credential providers. Physical access to the device or remote access with SYSTEM privileges allows you to use the Windows Credential Manager API to extract keys. Utilities like Mimikatz can interact with the TPM to request a signature. Extracting the private key itself is impossible, but you can use the TPM as a "black box" for signing the challenges you need. Effective: you don't have the key, but you have the ability to use it.
SEP Exploitation on iOS. PongoOS exploits the Secure Enclave Processor on devices with A8, A9, and A10 chips, allowing you to decrypt firmware protected by hardware keys, gain access to cryptographic operations, and patch the SEP firmware to bypass restrictions. Physical access to a jailbroken device allows you to replace the passkey.
Secure Enclave emulation. Researchers have proven that emulating secure environments (Secure Enclave, TPM) is possible by creating a software replica on another device. Emulating the Secure Enclave with the same keys (extracted via a SEP exploit) allows you to gain complete control over the passkey.
Part 4. Tools and Infrastructure: What's Really Usable
In 2027, the arsenal of attacks against passkeys includes:
- passless: FIDO2 software authorizer (Rust, virtual UHID device) — for hardware key emulation.
- nid-webauthn-emulator: Node.js library for emulating the WebAuthn API in the browser.
- Evilginx2 (modified version): MITM proxy for intercepting WebAuthn flows in development.
- SharpWeb: Extracting cookies and passwords from browsers for session hijacking.
- Ngrok / Burp Suite Collaborator: Creating public proxies for MITM attacks.
Part 5. Checklist: How to Test the Attackability of a Passkey System
Before attacking a passkey-protected website, evaluate it based on these points:
- Are there alternative login methods (password, SMS, email)? If so, the goal is weak.
- Is it possible to register your authorizer without verification? If so, you'll get permanent access.
- Is there an XSS vulnerability (manual test)? If so, you can intercept the WebAuthn API.
- Is backup recovery available via code or support? If so, use social engineering.
- Is it possible to intercept the session after a successful login (cookies are not HttpOnly)? If so, you're in; no passkey is needed.
- Is cloud passkey synchronization used? If so, the target is a valuable VaultJacking vector.
- Is a Bluetooth/USB authorizer available? If so, try a MITM proxy.
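One item on this checklist, whether the session cookie lacks HttpOnly, is something a site owner can verify from their own response headers without any testing against a live target. The following added example, written for this edit and not from the post, parses the Set-Cookie headers of a captured response and reports, for each cookie that looks like a session carrier, the attributes whose absence makes the token reachable from injected script or cross-site requests: HttpOnly, Secure, SameSite, and the __Host- prefix. The response text, cookie names and values are constructed for the example; the name filter regex is an assumption that callers would adapt to their own cookie names.

```python
import re

# Constructed HTTP response (not captured from any real site) with four cookies of
# differing quality. Only the first one passes every check below.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: __Host-sess=def456; Path=/; Secure; HttpOnly; SameSite=Strict
Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: token=ghi789; Path=/
Set-Cookie: theme=dark; Path=/; SameSite=Lax
"""


def parse_set_cookie(header_value):
    """Splits 'name=value; Attr; Attr=val' into (name, {attr_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_cookies(raw_response, session_name_re=r"sess|sid|token|auth"):
    """Returns {cookie_name: [findings]} for cookies whose name matches session_name_re
    (case-insensitive). An empty findings list means the cookie carries every
    attribute this audit asks for."""
    pattern = re.compile(session_name_re, re.IGNORECASE)
    report = {}
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        if not pattern.search(name):
            continue
        findings = []
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable through document.cookie by injected script")
        if "secure" not in attrs:
            findings.append("missing Secure: may be sent over plaintext HTTP")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("SameSite not Lax/Strict: sent on cross-site requests")
        if not name.startswith("__Host-"):
            findings.append("no __Host- prefix: cookie can be overwritten from a subdomain")
        elif attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Path=/ and no Domain attribute")
        report[name] = findings
    return report
```

HttpOnly closes the document.cookie path but not the session itself: a script running in the page can still make authenticated requests with the cookie attached, so the audit is a floor, and the server-side session binding and reuse detection described elsewhere on this page remain necessary on top of it.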
Summary
Passkeys don't make an account impenetrable. They simply shift the attack surface. Now, you're not cracking a password — you're cracking the protocol implementation, the session token, the alternative login method, or the device itself.
A combination of XSS and a malicious browser extension bypasses WebAuthn without physical access to the device. FIDO2 emulators forge keys. MITM proxies intercept registration and authentication. Substituting an alternative method (password, SMS) is still the easiest way. Intercepting session cookies after a successful login is an old friend, and Passkeys are no match for it.
A quick one-line reminder:
"Passkeys kill phishing, but they leave session cookies, alternative logins, cloud sync, and Bluetooth MITMs behind. Intercept the token after login, and you don't need a Passkey. Substitute a password for the login button, and the Passkey won't appear. Steal a cookie via XSS, and WebAuthn is powerless." In 2027, biometrics only protect the moment, not the session. Don't break the key — break the path around it.