Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Protect your critical information from Authentication Method Redaction (AMR) attacks.
In the past year, the uptake of passkeys has surged, with industry giants such as Apple, Microsoft and Google championing their adoption. Joe Stewart, Principal Security Researcher with eSentire’s Threat Response Unit (TRU), has been reviewing many of the leading software providers’ implementation of passkey technology and their current “authentication process.”
Regrettably, Stewart found that cybercriminals can still break into accounts protected by passkey technology on many online platforms, such as banking, e-commerce, social media, website domain name administration, software development platforms and cloud accounts, by using Adversary-in-the-Middle (AitM) phishing attacks.
Stewart explains in this blog how passkeys are designed to work, how threat actors can currently circumvent passkey security, and the steps that online software providers and websites, that use or intend to use passkey technology, must take to ensure that their passkey implementation is secure from threat actors.
So, what is a passkey exactly? A passkey is a virtual form of the FIDO2 hardware security keys, like the Yubikey. They both securely store a private key that can cryptographically sign a challenge, from a website, to prove your identity. The difference is that with passkeys, the private key can now be stored in your computer or mobile device, using a secure hardware enclave or password manager.
In addition to being both convenient and more secure, than easily stolen or guessed passwords, passkeys serve as a safeguard against AitM phishing attacks (if they are implemented correctly). This is because passkeys not only authenticate the user to the website, but they also authenticate the website to the user.
Passkeys are built upon the WebAuthn protocol - a core component of the FIDO2 standard that hardware security keys rely upon. Given that passkeys and hardware security keys share a common foundation in WebAuthn and considering that the term “passkey” is becoming increasingly familiar to end-users, we’ll use this term, throughout the blog, to mean any kind of WebAuthn/FIDO2-based authenticator for simplicity.
The benefits to using passkeys are clear – not only do they offer superior security and convenience over passwords, but they can also provide protection against the newest phishing methods that bypass first-generation, multi-factor authentication methods using the AitM approach.
The operative word here though is “can” because in reviewing the implementation of several of the most popular software service’s passkey authentication flow, nearly all of them can still be bypassed by AitM phishing, using authentication method redaction attacks. This is because most website passkey implementations still offer less-secure backup authentication methods, even when a passkey has been added to the account.
Since the AitM can manipulate the view presented to the user by modifying HTML, CSS and images or JavaScript in the login page, as it is proxied through to the end user, they can control the authentication flow and remove all references to passkey authentication. In the case where passkeys are used as a first-factor authentication method only, the downgraded authentication flow is now vulnerable to AitM. The graphic below shows a typical login-flow with and without an authentication method redaction attack in play.
To demonstrate, we used the open-source Evilginx AitM software to simulate a phishing attack against Github. Evilginx uses site-specific configuration files called “phishlets” to define the behavior of the Evilginx proxy.
In this case, we used the standard Github phishlet that can be found in various user repositories on Github itself. When the targeted user visits the lure URL, other than the hostname in the URL bar, what they will see looks just like the normal Github login page, because it is the actual Github login page, just proxied through Evilginx:
However, with a slight change to the standard phishlet configuration, we can force removal of the “Sign in with a passkey” text:
Unless the user specifically remembers that they should see a passkey option, they will most likely simply enter their username and password, which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account.
In the case where passkeys are used as a second factor, things can become slightly harder for the attacker, but not if one or more fallback methods are offered:
Here again, it would be trivial for the attacker to re-write the HTML of the page to delete the passkey authentication method, and/or use injected JavaScript to click on one of the alternate methods, jumping forward in the authentication flow automatically so that the user isn’t even aware there was a choice. Since second-factor methods, such as an authenticator app or recovery code are not AitM-resistant, the attacker will once again be able to capture all credentials and tokens/cookies they require to access the account.
It's also important to keep in mind that if the passkey is used as the second factor, then an AitM attacker will have already captured, at the very least, the username, phone number or email address of the victim, and additionally in most websites we looked at, the password of the victim.
Depending on the authentication flow, they might be prevented from continuing to authenticate to the target site. However, having the password for the account may allow for password-spray attacks against other websites the victim has an account on, which is another reason passwords should always be complex and unique per website.
And, if the passkey for the website is ever removed from the user’s account and no other authentication factor replaces it, the original account may now be vulnerable to takeover by the attacker at a later date.
Github is not the only example of flawed passkey implementation. Most passkey implementations we found listed on https://passkeys.directory/ were also vulnerable to similar authentication method redaction attacks. For example, when logging into a personal account, Microsoft also offers passkeys as a login option if you click the “Sign-in options” link at the bottom of the page:
However, if that link is hidden by the AitM proxy, the usual username+password flow is all the user will see and they are at risk of having those credentials stolen by the attacker if they proceed. But Microsoft has introduced a new “passwordless” option for consumer accounts – which “could” theoretically negate this style of attack.
Unfortunately, instead of allowing the user to log in with the passkey alone, the passwordless account option from Microsoft requires the use of the Microsoft Authenticator application as the sole method of identity verification, and this flow is still vulnerable to AitM attacks since it authenticates the attacker-controlled session.
However, enterprise users of Microsoft’s Entra ID (formerly known as Azure AD) and Intune products can still defend against AitM attacks with properly implemented Conditional Access policies, such as enforcing device login from “domain-joined, policy-compliant, managed devices” only.
Enterprise Identity and Access Management (IAM) solutions tend to be more flexible in terms of letting the tenant administrator define the login and account recovery flow for the organization, groups or individual users. When this is the case, it may be possible to define a secure, passwordless login flow using passkeys, that isn’t vulnerable to authentication method redaction attacks.
We were pleased to see that the open-source Keycloak IAM software has this capability, hopefully setting a benchmark for subscription-based Infrastructure-as-a-Service (IaaS) solutions to follow.
The reason that authentication method redaction attacks are possible isn’t necessarily a technical failure, in the sense that it’s a bug, but rather:
If it weren’t for the need for account recovery, an AitM-resistant passkey authentication flow could be fairly straightforward, abandoning passwords alogether in favor of passkeys. Unfortunately, we live in the real world and passkeys will be inevitably lost due to device loss/reset. As a partial solution, passkeys can be managed by a password manager, which offers greater resilience against loss, and yet the tradeoff is that the security of the password manager vault, itself, is now dependent on a master password and a second secret code at best.
Obviously, having multiple passkeys is the direction we should steer computer users, especially if at least one is a hardware key safely stored and secured by a PIN. But given that passkey adoption is still early, of the remaining methods, the magic link is probably the most secure method to recover an account in the case of passkey/security key loss or AitM authentication flow manipulation.
Of course, it means the account you are logging into is only as secure as your email inbox or the SMS network, which is “not very,” so extra security layers should be involved in the use of these links (e.g. randomly-generated one-time link with short timeout, login from previously authenticated IP addresses only, security questions or backup code entry in this session outside of AitM control).
To enhance the security of using magic links as a fallback authentication method for passkeys, we propose the concept of “warded links.” This new term, coined to signify a higher level of protection, implies that the magic link is fortified with additional security measures.
A warded link ensures that after the user clicks the link received via email, they are presented with a new secure authentication flow, isolated from any existing AitM-compromised session. This new flow also requests passkey authentication if the user account has it enabled, or the user can select from alternative MFA methods such as a mobile authenticator or code via email if a passkey is unavailable.
By implementing warded links, the security of the fallback authentication process is significantly bolstered, protecting the account against unauthorized access even if the attacker gains read access to the user’s inbox.
In short, currently there is no “perfect” combination of recovery method that satisfies the requirements of being AitM-resistant, secure against other attack vectors, while at the same time providing as little friction as possible to the user experience. Perhaps such a solution will be invented in the future, but for now, the best we can do is recommend some best practices for architecting authentication and account recovery flow using passkeys:
If you are not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.
Joe Stewart is a Principal Security Researcher with eSentire’s Threat Response Unit (TRU). As one of the industry’s leading security researchers, Stewart uncovered many of the top cyberthreats that have emerged in the past twenty years, as detailed in the books Fatal System Error by award-winning, Washington Post reporter Joseph Menn and Zero Day Threat by award-winning, former USA Today reporter, Byron Acohido. Stewart’s research has also appeared on the cover of Businessweek, in the Wall Street Journal, on 60 Minutes, and in the top cybersecurity publications globally.
While with eSentire, Stewart’s research has been featured in Forbes, Wired and numerous other business and security media outlets. Prior to joining eSentire, Stewart spent 17 years as Director of Malware Research for Secureworks, a cybersecurity division of Dell. He has also served as Principal Threat Researcher with PhishLabs, a cyber threat intelligence company, now part of Fortra.