XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None
Summary
Scott Helme argues that XSS can turn passkeys from phishing-resistant authentication into a persistent account takeover, because script injected into the page can register attacker-controlled credentials when the relying party accepts attestation "none". The post explains how passkey registration and authentication work, the risk of in-page MiTM attacks on WebAuthn API calls, the usability-security trade-offs around attestation, and practical defenses.
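As an added example (not code from the post or from any WebAuthn library), the relying-party side of the trade-off described above: a check on a registration response that validates clientDataJSON and decodes the attestation object's `fmt` so a policy can refuse `none`. The sample response, challenge and origin are constructed, and the CBOR reader is a minimal one written for this example.

```javascript
// Added example (not from the post): relying-party checks on a WebAuthn registration
// response; the sample response below is constructed, with placeholder authData bytes.

// Minimal CBOR reader covering what an attestation object's top-level map uses:
// small unsigned ints, byte strings, text strings, arrays and maps. Not a full codec.
function cborDecode(buf, pos = 0) {
  const ib = buf[pos], major = ib >> 5, ai = ib & 0x1f;
  let len = ai, p = pos + 1;
  if (ai === 24) { len = buf[p]; p += 1; }
  else if (ai === 25) { len = buf.readUInt16BE(p); p += 2; }
  else if (ai === 26) { len = buf.readUInt32BE(p); p += 4; }
  else if (ai > 26) throw new Error("unsupported CBOR length encoding");
  const items = (n) => { const out = []; for (let i = 0; i < n; i++) { const [v, q] = cborDecode(buf, p); out.push(v); p = q; } return out; };
  switch (major) {
    case 0: return [len, p];                                    // unsigned int
    case 2: return [buf.subarray(p, p + len), p + len];         // byte string
    case 3: return [buf.toString("utf8", p, p + len), p + len]; // text string
    case 4: return [items(len), p];                             // array
    case 5: { const kv = items(len * 2), m = {}; for (let i = 0; i < kv.length; i += 2) m[kv[i]] = kv[i + 1]; return [m, p]; }
    default: throw new Error("unsupported CBOR major type " + major);
  }
}
const b64url = (s) => Buffer.from(s, "base64url");

// Returns { ok, reason?, fmt }. expected = { origin, challenge (base64url), requireAttestation }.
function checkRegistration(response, expected) {
  const cd = JSON.parse(b64url(response.clientDataJSON).toString("utf8"));
  // type/origin/challenge stop cross-origin and replayed registrations, but not script
  // already running on the legitimate origin (the XSS case); that is why fmt matters.
  if (cd.type !== "webauthn.create") return { ok: false, reason: "type" };
  if (cd.origin !== expected.origin) return { ok: false, reason: "origin" };
  if (cd.challenge !== expected.challenge) return { ok: false, reason: "challenge" };
  const [att] = cborDecode(b64url(response.attestationObject));
  if (expected.requireAttestation && att.fmt === "none") return { ok: false, reason: "attestation", fmt: att.fmt };
  return { ok: true, fmt: att.fmt };
}

// Constructed sample: clientDataJSON for https://example.com plus the attestation object
// { fmt: "none", attStmt: {}, authData: <3 placeholder bytes> } hand-encoded in CBOR.
const SAMPLE_CHALLENGE = Buffer.from("test-challenge").toString("base64url");
const SAMPLE_RESPONSE = {
  clientDataJSON: Buffer.from(JSON.stringify({
    type: "webauthn.create", challenge: SAMPLE_CHALLENGE, origin: "https://example.com",
  })).toString("base64url"),
  attestationObject: Buffer.from("a3" + "63666d74" + "646e6f6e65" + "6761747453746d74" + "a0"
    + "686175746844617461" + "43010203", "hex").toString("base64url"),
};
console.log(checkRegistration(SAMPLE_RESPONSE,
  { origin: "https://example.com", challenge: SAMPLE_CHALLENGE, requireAttestation: true }));
```

Requiring attestation is exactly the usability cost the post weighs: many synced platform passkeys report `fmt` of `none`, so a blanket rejection blocks them, and a relying party may instead apply the check only to high-value registrations or route them to review.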