Passkeys aren’t attack-proof, not until properly implemented




“We used the standard GitHub phishlet that can be found in various user repositories on GitHub itself,” Stewart said. “When the targeted user visits the lure URL, other than the hostname in the URL bar, what they will see looks just like the normal GitHub login page, because it is the actual GitHub login page, just proxied through Evilginx.”

“However, by slightly modifying the standard phishlet configuration, we can remove the ‘Sign in with a passkey’ text,” Stewart added, demonstrating how easily a user can be tricked into choosing the backup, password-based authentication.

The study noted that these kinds of attacks can be staged for cases where passkeys are used as the first factor as well as the second-factor authentication method. “Unless the user specifically remembers that they should see a passkey option, they will most likely simply enter their username and password, which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account,” Stewart added.
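The two defensive points in the passage above are that a passkey assertion is bound to the origin the browser actually loaded (so a login page proxied through an attacker's host cannot produce a valid one), and that the weakness the study exploits is the fallback to a password. The following is an added example, not code from the study, Stewart, or any relying party; it sketches how a hypothetical relying party (assumed RP ID `example.com` and allowed origins) could check the `origin`, `type` and `challenge` fields of a WebAuthn `clientDataJSON` and refuse password login for accounts that have enrolled a passkey. Signature verification of the assertion is deliberately omitted; it would follow after these checks.

```python
import base64
import json

# Constructed configuration for a hypothetical relying party (assumption, not a real site).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}


def b64url_decode(data):
    """Decode unpadded base64url as used by WebAuthn."""
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def make_client_data(origin, challenge, ceremony="webauthn.get"):
    """Build a constructed clientDataJSON (base64url) for demonstration.
    In a real ceremony the browser fills in the origin itself, which is why
    a proxied page on another host cannot forge a matching value."""
    raw = json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_client_data(client_data_b64url, expected_challenge):
    """Validate type, challenge and origin of a clientDataJSON.
    Returns (ok, reason). Assertion signature verification over
    authenticatorData || sha256(clientDataJSON) is not shown here."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64url))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # This is the case an adversary-in-the-middle proxy would hit: the
        # browser reports the origin it loaded, not the site being imitated.
        return False, "origin %r is not an allowed origin" % origin
    return True, "ok"


def allowed_login_methods(user):
    """Policy: once a user has enrolled a passkey, do not offer the password
    fallback, so hiding the passkey button on a proxied page gains nothing."""
    if user.get("passkeys"):
        return {"passkey"}
    return {"password", "passkey"}


def authorize_login(user, method, client_data_b64url=None, expected_challenge=None):
    """Gate a login attempt on the per-user method policy and, for passkeys,
    on the clientDataJSON checks above."""
    if method not in allowed_login_methods(user):
        return False, "password login is disabled for passkey-enrolled accounts"
    if method == "passkey":
        return check_client_data(client_data_b64url, expected_challenge)
    # Password path: the credential check itself is out of scope here.
    return True, "ok"


if __name__ == "__main__":
    challenge = "server-issued-random-challenge"  # constructed
    user = {"name": "alice", "passkeys": ["cred-1"]}  # constructed user record
    good = make_client_data("https://example.com", challenge)
    proxied = make_client_data("https://login.evil.example", challenge)  # constructed attacker host
    print(authorize_login(user, "passkey", good, challenge))
    print(authorize_login(user, "passkey", proxied, challenge))
    print(authorize_login(user, "password"))
```

The origin check is what makes passkeys phishing-resistant even when the real login page is proxied; the method policy is the "proper implementation" part, closing the downgrade path the study relies on.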


