Skip to content

Cyber Security Online Store

Passkey Security: Attackers Target Enrollment

  • by
Passkey authentication protected by digital shields

Editorial note: This article is defensive and educational. It does not include exploit code, live indicators for abuse, or instructions for unauthorized access.

Passkey security remains one of the strongest improvements in modern identity protection, but attackers are adapting. The latest concern is not that criminals have broken passkey cryptography. Instead, security reporting from Okta and others shows threat actors targeting the registration process through social engineering, vishing, and fake enrollment workflows.

That distinction matters. A passkey can be technically strong while the process for enrolling one is still vulnerable to human manipulation. If an attacker convinces a user to approve or register an attacker-controlled credential, the organization may face an account takeover without the attacker needing to defeat the passkey itself.

What Changed

Passwordless adoption is growing. More organizations are encouraging employees to enroll passkeys for Microsoft 365, Microsoft Entra ID, and other identity systems. Attackers have noticed that enrollment is a moment of uncertainty. Users may not know exactly what the legitimate process should look like, and help desk calls or security prompts may feel routine.

Okta reported a campaign in which vishing and a phishing kit were used to guide victims through a fake or attacker-controlled passkey enrollment flow. The reported activity shows how criminals can abuse trust in IT support, urgency, and authentication prompts.

Why Passkeys Remain Secure

Passkeys are designed to reduce phishing risk by binding authentication to devices, biometrics, and origin-aware cryptographic flows. In normal use, they are far safer than passwords and one-time codes. The current issue does not mean passkeys are weak. It means organizations must secure the lifecycle around passkeys: enrollment, recovery, device changes, help desk workflows, and user education.

How Criminals Abuse Trust

Social engineering works because it turns security behavior into a script. A caller may claim to be from IT. A fake page may resemble an identity workflow. A user may be told that enrollment is urgent or required to avoid losing access. The attacker’s goal is to make the user cooperate with an account action that benefits the attacker.

This is why identity security is no longer only about technical controls. It also depends on whether employees can distinguish a legitimate enrollment request from a manipulated one.

Business Impact

  • Account takeover can expose email, files, chat logs, and business applications.
  • Compromised Microsoft 365 accounts can be used for internal phishing and data theft.
  • Help desk processes may be abused if identity verification is weak.
  • Incident response becomes harder if the attacker registers a strong credential under false pretenses.

Best Practices

  • Publish a clear passkey enrollment policy with screenshots of the legitimate process.
  • Never enroll a passkey because of an unsolicited phone call.
  • Require users to start enrollment from the official company portal, not from links in calls, chats, or emails.
  • Use conditional access and risk-based checks for new authentication methods.
  • Alert security teams when a new passkey is registered for high-risk users.
  • Train help desk staff to verify identity before assisting with authentication changes.
  • Review passkey registrations during account compromise investigations.

FAQ

Are passkeys still safer than passwords?

Yes. Passkeys remain a strong protection against many phishing and credential theft attacks. The reported issue targets enrollment behavior, not the core passkey design.

What should employees do if someone calls about passkey setup?

End the call and start from the company’s official identity portal or known help desk number.

Can attackers register a passkey without user interaction?

Controls vary by environment, but these reported campaigns depend heavily on tricking users during the enrollment process.

What should businesses monitor?

Monitor new authentication methods, unusual device enrollment, help desk reset requests, and risky sign-in patterns after enrollment.

Conclusion

Passkey security is still a major step forward, but enrollment must be treated as a sensitive identity event. Organizations should pair passwordless adoption with user education, monitoring, and strict help desk procedures.

How Organizations Should Secure Passkey Enrollment

Passkey enrollment should be handled like a privileged identity event. That means companies need a documented process, visible employee guidance, and monitoring that distinguishes normal enrollment from unusual activity. If a user enrolls a new passkey shortly after an unsolicited phone call, from an unusual location, or during a suspicious sign-in sequence, security teams should review it quickly.

Training also needs to be specific. Generic warnings about phishing are not enough. Employees should know that IT will not call and ask them to enroll a passkey through a link, approve a prompt without context, or share one-time codes during setup. They should be taught to stop the interaction, open the official company portal manually, and contact the help desk through a known channel.

Controls for Microsoft Entra and Similar Identity Systems

Administrators should review who is allowed to register authentication methods, when step-up verification is required, and how high-risk users are protected. Conditional access policies, authentication strength rules, device compliance checks, and alerts for new credential registration can reduce the window for abuse. Help desk teams should also follow strict identity proofing before resetting MFA or assisting with passkey setup.

Incident response playbooks should include passkey review. When an account is suspected of compromise, responders should inspect recently added authentication methods, revoke unfamiliar sessions, reset recovery options, and verify trusted devices. The point is not to distrust passkeys. The point is to protect the ceremony around creating them.

Suggested Internal Links

Authoritative External References

Leave a Reply

Your email address will not be published. Required fields are marked *