Hey everyone, Pat Reeves here, back on botsec.net. It’s March 2026, and if you’re like me, you’re probably still reeling a bit from the sheer audacity of some of the botnet activity we saw last year. While the big headlines focused on the DDoS attacks and data exfiltration, something else has been quietly bubbling under the surface, something that, frankly, keeps me up at night: the increasingly sophisticated tactics bots are using to bypass traditional authentication methods, especially with the rise of passkeys.
We’ve been told passkeys are the future, right? Phishing-resistant, cryptographically secure, device-bound. And for good reason, they address a ton of old pain points. But what happens when the very mechanism designed to protect us becomes a vector for compromise, not through a flaw in the cryptography itself, but in the way it’s implemented and, crucially, in how bots learn to manipulate the human element around it?
The Passkey Paradox: A New Bot Frontier
Think about it. The promise of passkeys is that they eliminate shared secrets (passwords) and require user interaction on a trusted device. Great! No more credential stuffing, no more spraying, no more simple dictionary attacks. But bots, bless their persistent little digital hearts, don’t just give up. They adapt. And what I’ve been seeing, particularly in account takeover (ATO) attempts on platforms that have fully embraced passkeys, is a shift towards social engineering at scale, weaponized by automation.
My own recent experience with a client, a mid-sized e-commerce platform that went all-in on passkeys last summer, really opened my eyes. They saw a massive drop in traditional credential-based attacks, which was fantastic. But then, about three months ago, they started noticing a spike in “failed login” attempts that were… different. These weren’t password failures; these were attempts to initiate passkey registration or recovery from unrecognized devices, often followed by a flurry of support requests from legitimate users claiming their accounts were being “hacked” despite having passkeys enabled.
What we uncovered was a multi-stage attack. Bots weren’t trying to guess passkeys; they were trying to trick users into *generating* or *approving* new passkeys on attacker-controlled devices, or coercing them into resetting existing ones. It’s a twist on the old “approve this login” MFA fatigue, but with higher stakes because a compromised passkey means full account control.
Bot-Driven Passkey Hijacks: How It Works
Let’s break down the new bot playbook for passkey compromise. It’s not about brute-forcing. It’s about sophisticated social engineering at scale, amplified by automation.
- Reconnaissance and Spear-Phishing Lite: Bots scrape public data, social media, and even dark web dumps for email addresses and phone numbers. They then cross-reference these with target platforms. The goal isn’t to get a password, but to identify active users.
- The “New Device” Bait: A bot, often mimicking a legitimate browser or mobile app, attempts to initiate a login or passkey registration for a known user on the target platform. Since the user doesn’t have a passkey registered on that specific device (the bot’s simulated environment), the platform often prompts for an alternative verification method or to “add a new passkey.”
- Automated Social Engineering (ASE): This is where the magic (or rather, the menace) happens. The bot, having triggered a legitimate system notification (email, SMS, push notification from the app itself), then immediately follows up with a targeted phishing attempt. This isn’t a generic “reset your password” email. It’s highly contextual.
Imagine this scenario:
- You get a legitimate push notification from your banking app: “New passkey registration attempt detected from an unknown device. If this was you, approve. If not, click here to secure your account.”
- Simultaneously, you receive a meticulously crafted email, seemingly from your bank’s security team, with a subject like: “Urgent: Unauthorized Passkey Registration Detected – Action Required.”
- The email’s content is tailored, perhaps even referencing the specific time of the attempted registration. It directs you to a phishing page that looks identical to your bank’s security portal.
- On this phishing page, you’re prompted to “verify your identity” by entering your old password (if the bank still supports it for recovery), or, more insidiously, to “revoke unauthorized passkeys” which actually prompts you to *register a new passkey* on the attacker’s device, disguised as a security measure.
The key here is the *timing* and the *context*. Bots coordinate these actions at scale, hitting thousands of users simultaneously. The user, seeing a legitimate notification from the app and a very convincing, timely email, is far more likely to fall for it than a generic phishing scam.
Practical Defense Strategies Against Bot-Driven Passkey Abuse
So, what can we do? We can’t throw out passkeys; they’re still a massive leap forward. But we need to be smarter about how we deploy and protect them. Here are a few things I’ve been advising clients on, with some practical examples.
1. Strengthen Your “New Passkey” Registration Flow
This is the most critical vulnerability. If an attacker can trick a user into registering a new passkey on their device, it’s game over. You need multiple layers of verification here, beyond just the initial passkey prompt.
- Mandatory Second Factor for New Registrations: Even if a user is already logged in, requiring an additional, out-of-band verification (like a one-time code sent to a *pre-registered* phone number or email, not one provided during the registration attempt) for *any* new passkey registration or replacement is crucial.
- Device Attestation (where possible): While not foolproof, incorporating device attestation checks during passkey registration can help filter out obvious virtual machines or emulators that bots might be using. This isn’t about blocking legitimate users, but about adding friction for known attacker environments.
- Rate Limiting and Anomaly Detection: This is classic bot defense, but it applies even more here. Aggressive rate limiting on passkey registration attempts from single IPs or IP ranges, coupled with behavioral anomaly detection (e.g., a user suddenly attempting to register 5 new passkeys in an hour from different geographical locations), can flag suspicious activity.
// Example: Pseudocode for a solid new passkey registration flow
function registerNewPasskey(userId, webauthnCredential) {
// 1. Check existing session and authentication strength
if (!isAuthenticatedStrongly(userId)) {
// Force re-authentication or additional MFA
initiateMFAChallenge(userId, "new_passkey_registration");
return; // Wait for MFA completion
}
// 2. Perform FIDO2 attestation validation
if (!validateWebAuthnAttestation(webauthnCredential)) {
logSecurityAlert(userId, "Invalid WebAuthn attestation during new passkey registration");
return;
}
// 3. Optional: Device fingerprinting/attestation check (server-side)
if (isSuspiciousDeviceFingerprint(request.headers['User-Agent'], request.ip)) {
logSecurityAlert(userId, "Suspicious device fingerprint for new passkey registration");
initiateMFAChallenge(userId, "suspicious_device_new_passkey");
return;
}
// 4. Rate limit check for new passkeys per user/IP
if (rateLimitExceeded("new_passkey_registration", userId, request.ip)) {
logSecurityAlert(userId, "Rate limit exceeded for new passkey registration");
return;
}
// 5. Store the new passkey credential
storeUserPasskey(userId, webauthnCredential);
sendUserNotification(userId, "New passkey successfully registered.");
}
2. Enhance Account Recovery Processes
Account recovery is another prime target. If an attacker can initiate a recovery flow and then social engineer the user into approving it, they’ve got a backdoor.
- Delay Account Recovery: Implement a mandatory waiting period (e.g., 24-48 hours) for critical account recovery actions, especially those that involve replacing all existing passkeys. During this time, notify the user aggressively via all known communication channels. This gives the legitimate user a chance to intervene.
- Video KYC or Live Agent Verification for Full Reset: For situations where a user has lost all passkeys and other recovery methods, consider requiring a live video verification with a support agent. It’s a high-friction solution, but for critical accounts, it’s a strong deterrent against automated social engineering.
- “Break Glass” Passkeys: For internal admin accounts or highly sensitive systems, consider having a physical “break glass” passkey stored in a secure, audited location, requiring multiple approvals to use. This isn’t for consumer accounts, but for high-value targets, it’s a must.
3. User Education That Actually Works
We’ve been doing “user education” for decades, and honestly, most of it falls flat. For passkeys, we need targeted, timely, and specific guidance.
- “What to Expect” Guides: Clearly explain to users what legitimate passkey notifications and recovery processes look like. Show screenshots.
- “What NOT to Do” Alerts: Specifically warn users against approving passkey registrations they didn’t initiate, or clicking links in emails that claim to “revoke” passkeys, especially if they didn’t just attempt a security action themselves.
- In-App Security Check-ups: Provide an easy-to-find section in your app or website where users can view all registered passkeys, their origin (if possible), and revoke them. Make it simple and intuitive.
// Example: In-app prompt for suspicious activity
function displaySuspiciousActivityWarning(userId, activityDetails) {
const warningMessage = `
⚠ Suspicious Activity Detected!
We detected an attempt to register a new passkey for your account from an unrecognized device (${activityDetails.ipAddress} - ${activityDetails.location}) at ${activityDetails.timestamp}.
If this was you, you can safely ignore this. If this was NOT you, please take action immediately:
- Go to your Security Settings to review and revoke passkeys.
- Change your other recovery methods (e.g., email password).
- Contact support if you need assistance.
`;
document.getElementById('security-alert-banner').innerHTML = warningMessage;
document.getElementById('security-alert-banner').style.display = 'block';
}
This kind of direct, in-app warning, triggered by the same bot activity we’re trying to defend against, can be incredibly effective.
Actionable Takeaways for Bot Security Pros
The space of bot attacks is always shifting. Passkeys are great, but they’re not a silver bullet, and attackers are already finding new ways to exploit the human element around them. Here’s my punch list for you:
- Audit Your Passkey Flows: Go through every single passkey-related flow �� registration, login, recovery, revocation – with a bot attacker’s mindset. Where can a bot interject social engineering?
- Layered Verification is Key: Never rely on a single factor for high-impact actions like new passkey registration or full account recovery. Add out-of-band MFA.
- Educate, Don’t Just Inform: Design user education that’s proactive, highly specific to passkey threats, and integrated directly into your application’s security features.
- Monitor for Anomalies: Keep a close eye on your logs for unusual patterns in passkey registration attempts, recovery requests, and user support tickets related to these. Bots operate at scale, and those patterns will emerge.
- Don’t Forget the Basics: While focusing on passkeys, don’t neglect your fundamental bot defenses for other parts of your application: strong rate limiting, IP reputation, behavioral analysis, and CAPTCHAs where appropriate. Bots might be evolving, but they still leave footprints.
The future of authentication is strong, but only if we anticipate how the bad actors will try to subvert it. Stay vigilant, stay secure, and I’ll catch you next time here on botsec.net.
Related Articles
- AI bot data privacy protection
- My Take: OmniMind AI is a Security Nightmare
- AI Safety News Today: Urgent Updates & Expert Insights
🕒 Last updated: · Originally published: March 17, 2026