XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None


A single XSS vulnerability can silently register an attacker-controlled passkey on a victim's account, creating a persistent authentication backdoor. This is possible because most services request `attestation: "none"` so that synced passkeys from password managers such as 1Password and iCloud Keychain, which cannot provide hardware attestation, are accepted. Without attestation, nothing in the registration response has to originate from an authenticator: the entire flow, key generation included, can be replicated in JavaScript with no user interaction. Attackers can also hook the WebAuthn API calls and substitute their own credential for the one the victim's authenticator just created, so the server stores the attacker's key while the victim is left with a passkey that no longer works. Defenses include requiring step-up authentication before passkey registration, deploying a strong Content Security Policy, using Permissions Policy to restrict WebAuthn API access, and sending out-of-band notifications when new passkeys are registered.

18m read time. From scotthelme.ghost.io
Table of contents
Introduction
How Passkey Registration Works
How Passkey Authentication Works
Understanding Attestation
Convenience
Synced Passkeys
Where It All Falls Apart
XSS Is Now Deadly
The Threat Model That Matters
Defending Against The Threat
These Are Problems That Report URI Can Solve
Conclusion
