
Risk Engine: Containing Passkey Clickjacking with Context-Aware Security

Lukasz Radosz

There was a lot of discussion about passkey security during Black Hat this year. The takeaway was not that passkeys are cryptographically weak; it is that the approval UI, and the password managers that render it, can be coerced. With overlay or clickjacking tricks, a user can be nudged into confirming a legitimate "Use passkey" prompt. The private key never leaves the authenticator; the risk is an unintended approval event and the session that follows.

At SecureAuth, we contain that by binding the authentication, and the session it produces, to a stable device fingerprint and the surrounding context. At the exact moment of the passkey approval we evaluate deterministic browser/OS signals (and attestation when available), together with IP/ASN reputation, geovelocity, time of day, cookie maturity, and automation indicators. If the device has materially drifted, or the context is inconsistent with the user's baseline, policy either blocks the approval or requires a quick step-up. After login, the session stays bound to the device, network, and TLS profile seen at approval and is re-checked continuously, so a token replayed from a different device, network, or TLS profile is short-lived.

In a clickjacking scenario the click itself happens on the owner's device, so what gives the attack away is the context around it: automation indicators, an unfamiliar network or ASN driving the flow, and, above all, the resulting session being used from a different device, network, or TLS profile. If the approval, or any request that follows it, does not look like the owner's device in the owner's context, it does not complete. Passkey lifecycle is constrained the same way: add/rotate is permitted only from high-assurance devices under low-risk conditions.
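The following is an added illustration of the two checks described above, written for this article; it is not SecureAuth's engine or any SecureAuth API. The signal names, weights, thresholds, and the baseline and sample contexts are all assumptions constructed for the example. It scores an approval context against the user's baseline (device fingerprint drift, ASN reputation, geovelocity, hour, cookie maturity, automation) to decide allow / step-up / block, then binds a session to the approval-time device, ASN, and TLS profile and re-checks that binding on a later request.

```python
"""Context-aware risk evaluation at passkey-approval time, plus session re-binding.

Illustrative code written for this article; it is not SecureAuth's engine.
Signal names, weights, thresholds and the sample contexts are assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Context:
    """Signals captured at the moment the passkey assertion reaches the server."""
    device_fp: str        # hash of deterministic browser/OS signals (+ attestation if present)
    asn: int
    asn_reputation: str   # assumed labels: "clean", "hosting", "anonymizer"
    lat: float
    lon: float
    tls_profile: str      # TLS client fingerprint seen at the edge (e.g. a JA4 hash)
    hour_utc: int
    cookie_age_days: int  # age of the long-lived device cookie, 0 if absent
    automation: bool      # webdriver / headless indicators
    ts: float             # unix seconds


@dataclass
class Baseline:
    """What the user's previous approvals looked like."""
    device_fps: set
    asns: set
    usual_hours: set
    last_lat: float
    last_lon: float
    last_ts: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, used for the geovelocity check."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


BLOCK_AT = 70      # assumed thresholds
STEP_UP_AT = 30
MAX_KMH = 900      # faster than a commercial flight -> impossible travel


def evaluate_approval(ctx: Context, base: Baseline):
    """Score the approval context against the baseline; return (decision, reasons)."""
    score, reasons = 0, []
    if ctx.automation:
        score += 60; reasons.append("automation indicators")
    if ctx.device_fp not in base.device_fps:
        score += 40; reasons.append("device fingerprint drift")
    if ctx.asn_reputation != "clean":
        score += 25; reasons.append(f"asn reputation {ctx.asn_reputation}")
    if ctx.asn not in base.asns:
        score += 15; reasons.append("unfamiliar ASN")
    hours = max((ctx.ts - base.last_ts) / 3600.0, 1e-6)
    km = haversine_km(base.last_lat, base.last_lon, ctx.lat, ctx.lon)
    if km / hours > MAX_KMH:
        score += 40; reasons.append("impossible travel")
    if ctx.hour_utc not in base.usual_hours:
        score += 10; reasons.append("unusual hour")
    if ctx.cookie_age_days < 1:
        score += 10; reasons.append("immature cookie")
    if score >= BLOCK_AT:
        return "block", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


def bind_session(ctx: Context) -> dict:
    """Record what the session is tied to at approval time."""
    return {"device_fp": ctx.device_fp, "asn": ctx.asn, "tls_profile": ctx.tls_profile}


def session_still_bound(bound: dict, ctx: Context) -> bool:
    """Re-check on every request: a replay from another device, network or TLS stack fails."""
    return (bound["device_fp"] == ctx.device_fp
            and bound["asn"] == ctx.asn
            and bound["tls_profile"] == ctx.tls_profile)


# Constructed sample data (not real users, devices or networks).
T0 = 1_700_000_000.0
BASE = Baseline({"fp-owner"}, {7922}, set(range(8, 19)), 47.61, -122.33, T0)
OWNER = Context("fp-owner", 7922, "clean", 47.61, -122.33, "ja4-owner", 10, 120, False, T0 + 3600)
# Owner's device and hour, but the flow is driven by automation from a hosting ASN.
COERCED = Context("fp-owner", 16509, "hosting", 47.61, -122.33, "ja4-owner", 10, 120, True, T0 + 3600)
# Owner's new laptop on the usual network at an odd hour: drift, not an attack signature.
NEW_LAPTOP = Context("fp-new", 7922, "clean", 47.61, -122.33, "ja4-new", 3, 0, False, T0 + 3600)
# A session minted for OWNER replayed two hours later from another machine across the Atlantic.
REPLAY = Context("fp-attacker", 3320, "clean", 52.52, 13.40, "ja4-attacker", 10, 0, False, T0 + 7200)

if __name__ == "__main__":
    for name, ctx in [("owner", OWNER), ("coerced", COERCED), ("new laptop", NEW_LAPTOP)]:
        print(name, evaluate_approval(ctx, BASE))
    print("replay still bound:", session_still_bound(bind_session(OWNER), REPLAY))
```

The point of the two functions is that they fire at different times: `evaluate_approval` runs once, when the assertion arrives, and can only catch what the attacker's flow adds to the owner's context; `session_still_bound` runs on every subsequent request, which is where a token carried off the owner's device is caught. The weights here are deliberately simple; a production engine would derive them from observed fraud rather than hand-tune them.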

Learn more about our approach to Authentication security: Risk Engine: Smarter security in action