Author of the blog here, I actually agree with you the subheading is quite misleading, any tips on what would be more appropriate? "Phishing PassKeys sessions using browser intents" doesn't make much sense to me
I also echo some of the other critiques, which are that passkeys are advertised as phishing resistant and not phishing proof. I do understand that the average user may not grasp the nuance, but you leaned pretty hard into the idea that phishing them should be impossible.
One last recommendation. While I do think this is quite clever and a plausible attack scenario, this relies on the out-of-band authentication scenario. Assuming I’m sitting in the coffee shop or airport and click your link, I’m not going to reach for my phone to scan the QR. I’m going to investigate deeper why the passkey isn’t working directly. If you’re lucky, I’ll assume the site has a bug in passkey authentication and fall back to more phishable creds (if the site has both).
I don’t necessarily think of this as a flaw in your attack, rather that it might muddy the waters for readers that are less familiar and don’t realize that this mode is most commonly used when you are authenticating from a non-default device or made the conscious choice not to use a synced passkey.
I'm not sure I understand what you mean here with:
> I’m not going to reach for my phone to scan the QR
The whole point of the attack is that it can be delivered without you having to scan the QR code, exploiting the fact that browsers allowed (patched) navigation to fido:/ links, initiating the BLE communication to a malicious device that is relaying the communication to the legitimate site, stealing a session. Let me know if that clears up the confusion.
As for phishing resistant / phishing proof, to some it is the same thing; nothing is "anything"-proof, so I did not pay too much attention to the wording. Also, I just wanted to stress the fact that although some theorized attacks were present, I had not seen anything put into practice before, which is what motivated me to prove it was not impossible.
Thanks for the feedback, will be making changes to the blog to clear up some of the things you have outlined here :)
There are a couple of steps before the "1. User scans the QR code" step that readers not embedded in the passkey world might not be familiar with. People who aren't familiar with that flow aren't going to understand the what/why of scanning the QR code to begin with.
I only felt the need to leave a grumpy comment because of the word “credential”, so deleting it might help even if it leaves ambiguity. Otherwise maybe something like “attacker in the middle any site’s passkey authentication using browser intents” sounds more accurate.