Yesterday, we addressed a common misconception floating around the cybersecurity world—that passkeys are somehow unsafe or cracked. Spoiler alert: they’re not. But today, we’re spotlighting a twist that’s got our full attention here at CyberStreams.
Passkeys are the future of secure login—no doubt about it. But there's a sneaky, increasingly popular attack vector that's threatening that security: Adversary-in-the-Middle (AitM) attacks. This isn’t some isolated issue. From law firms to universities, non-profits to manufacturers, everyone is feeling the heat.
Passkeys are designed to be phishing-resistant. They use biometrics and cryptographic keys tied to specific websites, eliminating the need for passwords entirely. In theory, this means safer logins, happier users, and fewer breaches.
But in practice? Sloppy implementation leaves room for exploitation.
Tools like Evilginx allow attackers to act as a proxy between a user and a legitimate login page—say, your law firm’s case management system. These attackers don’t “break” the passkey system; because a passkey is bound to the real site’s domain, it simply won’t sign in through the attacker’s look-alike address, so instead they hide it. The technique is called Authentication Method Redaction (AMR): the proxy strips the passkey option from the page it relays, nudging users toward a weaker backup method, like a password or SMS code, that the proxy can capture.
Once that fallback method is used, attackers snatch credentials—and just like that, they're in.
According to the 2024 Verizon Data Breach Investigations Report, 60% of breaches involve stolen credentials. This isn’t just a stat. It's a warning.
Industries run on trust—think client files, student data, donor info, proprietary production processes. Meanwhile, remote work has risen 44% since 2020 (thanks, Gallup), increasing exposure as people log in from coffee shops, home networks, or mobile hotspots. Often, fallback login options are available “just in case”—but those options are exactly what AitM attackers are exploiting.
It’s important to understand: the weakness isn’t in passkeys—it’s in the rollout.
Big players like Microsoft and Google are pushing for widespread adoption, and Gartner predicts 50% of organizations will be using passkeys by 2027. But if your setup still allows passwords as a backup method? You're leaving the digital door cracked open.
We’ve been monitoring this threat since last year. It’s less about tech glitches and more about social engineering—tricking people, not machines. Whether it’s a factory in Tacoma or a legal team in Seattle, our clients trust us to identify and eliminate these risks.
With the average data breach costing $4.5 million (IBM, 2023), you can’t afford to be reactive.
Ditch the Fallbacks
Work with your IT team to eliminate weak login options. If you’ve adopted passkeys, they should be the only way in.
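As an added illustration (not code from the CyberStreams post or from any product it mentions), here is a small Python policy check and log scan: the policy refuses password or SMS fallbacks for anyone who already holds a passkey, and the scan flags the fallback logins that an AitM proxy hiding the passkey option would leave behind in your authentication logs. The directory schema, log format, method names and sample entries are all constructed assumptions.

```python
import json

# Constructed user directory (assumed schema): which login methods each user has enrolled.
DIRECTORY = {
    "alice": {"passkey", "password"},   # passkey enrolled, but password never switched off
    "bob":   {"password", "sms_otp"},   # still migrating, no passkey yet
    "carol": {"passkey"},               # passkey is the only way in
}

PHISHING_RESISTANT = {"passkey"}                      # bound to the real site's origin
FALLBACK = {"password", "sms_otp", "email_otp"}       # what an AitM proxy can capture


def policy_decision(user, method, directory=DIRECTORY):
    """'Ditch the fallbacks': once a user holds a passkey, nothing weaker is accepted.
    Users who have not enrolled yet keep their legacy methods until migration completes."""
    enrolled = directory.get(user, set())
    if method not in enrolled:
        return "deny:not-enrolled"
    if method in PHISHING_RESISTANT:
        return "allow"
    if enrolled & PHISHING_RESISTANT:
        return "deny:fallback-disabled"
    return "allow:legacy"


# Constructed JSON-lines authentication log (assumed format) containing one downgrade.
SAMPLE_LOG = """\
{"ts":"2025-03-04T09:01:10Z","user":"alice","method":"passkey","result":"success","ip":"203.0.113.10"}
{"ts":"2025-03-04T09:07:42Z","user":"bob","method":"password","result":"success","ip":"203.0.113.11"}
{"ts":"2025-03-04T09:08:03Z","user":"bob","method":"sms_otp","result":"success","ip":"203.0.113.11"}
{"ts":"2025-03-04T10:15:55Z","user":"alice","method":"password","result":"success","ip":"198.51.100.7"}
{"ts":"2025-03-04T10:16:20Z","user":"alice","method":"sms_otp","result":"success","ip":"198.51.100.7"}
{"ts":"2025-03-04T11:00:00Z","user":"carol","method":"password","result":"failure","ip":"198.51.100.9"}
"""


def find_downgrades(log_text, directory=DIRECTORY):
    """Flag fallback-method logins by users who already hold a passkey: a user with a
    passkey should never need a password or SMS code, so these are the AMR signal."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["method"] in FALLBACK and directory.get(ev["user"], set()) & PHISHING_RESISTANT:
            alerts.append((ev["user"], ev["method"], ev["result"], ev["ip"]))
    return alerts
```

Alice's two successful fallback logins from a new address are exactly the pattern to investigate; Bob's are expected until his passkey is enrolled.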
Spot the Phish
Keep your employees sharp with regular, quick phishing awareness training. A couple of minutes a week can make all the difference.
Test Your Defenses
Run mock phishing campaigns. See who gets tricked—and use that as a teaching moment to tighten your human firewall.
Passkeys are absolutely the right move for secure, modern authentication—but only when deployed with intention and discipline. As attackers evolve, so must our defenses. The technology is sound. The risk lies in the details.
Don’t leave the door open. Lock it down. Your data, your clients, and your reputation depend on it.