Page 244 - Cyber Defense eMagazine September 2025
local; the server stores only the public key. Binding to the correct origin means a look-alike site cannot
complete the cryptographic challenge. No password database to steal, no credential stuffing, and vastly
reduced phishing.
That promise is real but incomplete. Passwordless changes your threat model:
• You shrink the “remote phishing” surface.
• You increase dependence on endpoint integrity, device custody, and account recovery flows.
• You introduce cloud sync and enrollment risks that didn’t exist in the same way before.
Smart programs acknowledge those trade-offs and engineer for them.
New Attack Surfaces in a Passwordless World
1) Device Theft & Token Loss
In passwordless deployments, the device is the credential. If a phone or hardware key is lost or stolen—
and user verification (PIN/biometric) is weak or absent—an attacker might authenticate. Keys can be
revoked, but only if enrollment and recovery are well designed and monitored. Unlike a password, you
can’t “change a fingerprint”; you must revoke authenticators quickly and cleanly.
Mitigate: enforce device unlock (PIN/biometric), short screen-lock timers, disk encryption, and rapid
revocation paths for lost authenticators. Issue backup keys kept offline in a safe place for business
continuity.
2) Biometric Spoofing & Sensor Failures
Biometric systems can be spoofed or misread. Public demos have shown that even mainstream face or
fingerprint systems can fail under specific conditions (many later patched). Biometrics are powerful, but
fallible—and non-rotatable.
Mitigate: prefer on-device biometrics protected by secure enclaves; require liveness/anti-spoofing
settings; combine with user-verification PIN for critical actions; and plan for fallback that isn’t easily
phishable.
3) Malware & Endpoint Compromise
Passkeys live on endpoints. If an attacker gains OS-level control, they may hijack sessions, abuse on-
device APIs, or tamper with UI to trick approvals.
Mitigate: treat passkey devices as protected assets: EDR/EPP, timely patching, app attestation where
supported, least-privilege, and browser hardening. Monitor for anomalous authenticator use.
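As an added example (not code from the article), a stdlib-only Python sketch of the server-side checks that back the origin-binding promise above and the mitigations in sections 1 to 3: origin and rpId binding, a user-verification requirement, a revocation lookup for lost authenticators, and a signature-counter regression check as one detectable sign of a cloned or tampered authenticator. The RP ID, allowed origin and sample inputs are constructed; signature verification is assumed to be handled by a WebAuthn library and is not shown.

```python
import base64, hashlib, json, struct

RP_ID = "login.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed origins allowed to finish the ceremony
FLAG_UP, FLAG_UV = 0x01, 0x04                    # authenticatorData flags: user present / user verified

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    stored_sign_count: int, revoked: bool, require_uv: bool = True) -> str:
    """Return "ok" or the reason to reject. Signature verification over
    auth_data || SHA-256(client_data_json) is left to the WebAuthn library (assumed)."""
    if revoked:                                  # lost/stolen authenticator is refused first
        return "authenticator revoked"
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:  # a look-alike site fails here
        return "origin not allowed"
    if len(auth_data) < 37:
        return "authenticator data too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return "user presence not asserted"
    if require_uv and not flags & FLAG_UV:       # weak or absent PIN/biometric check
        return "user verification required"
    if sign_count != 0 and sign_count <= stored_sign_count:  # counter went backwards
        return "signature counter regressed"
    return "ok"

# Constructed sample inputs (not real captures) exercising each rejection path.
CHALLENGE = bytes(range(16))

def client_data(origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "origin": origin,
                       "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode()}).encode()

def auth_data(rp_id: str, flags: int, count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)

def demo() -> dict:
    good, both = client_data("https://login.example.com"), FLAG_UP | FLAG_UV
    return {"legitimate": check_assertion(good, auth_data(RP_ID, both, 11), CHALLENGE, 10, False),
            "look_alike": check_assertion(client_data("https://login-example.com"),
                                          auth_data(RP_ID, both, 11), CHALLENGE, 10, False),
            "no_uv": check_assertion(good, auth_data(RP_ID, FLAG_UP, 11), CHALLENGE, 10, False),
            "cloned": check_assertion(good, auth_data(RP_ID, both, 5), CHALLENGE, 10, False),
            "revoked": check_assertion(good, auth_data(RP_ID, both, 11), CHALLENGE, 10, True)}
```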
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.