Vishing Attacks Exploit Passkey Enrollment: A New Threat Vector
The Rise of Vishing in a Passkey-Enabled World
As organizations increasingly adopt passkeys for enhanced security, a sophisticated threat vector is emerging: vishing attacks that exploit the passkey enrollment process. While passkeys are designed to be phishing-resistant at a technical level, attackers are leveraging social engineering to manipulate users into inadvertently granting access, bypassing these technical safeguards. This trend poses a significant challenge for enterprise security teams, particularly those utilizing platforms like Microsoft Entra ID, where passkeys are becoming the default authentication method.
How Vishing Undermines Passkey Security
Traditional phishing attacks aim to steal credentials. Passkeys mitigate this by eliminating passwords and tying authentication to specific devices. However, vishing (voice phishing) shifts the attack surface from technical vulnerabilities to human trust. Cybercriminals orchestrate elaborate voice-based social engineering campaigns to guide users through what appears to be a legitimate passkey enrollment process.
The attack typically unfolds as follows:
- Impersonation: The attacker, posing as IT support or a security professional, contacts the target via phone, often with a sense of urgency.
- Manipulation: The victim is convinced that they need to register a new passkey or update their security information.
- Credential Harvesting (Initial Step): During the "enrollment" process, the attacker may first prompt the user for their password and, crucially, for any multi-factor authentication (MFA) codes (e.g., SMS OTP, TOTP, or number-match push).
- Attacker-Controlled Enrollment: While the user is distracted or confused by fabricated instructions (e.g., jotting down a fake recovery phrase), the attacker uses the harvested credentials and MFA codes to log into the victim's legitimate account (e.g., Microsoft Entra ID). They then register their own hardware or device as a new passkey for the victim's account.
Once the attacker registers their own passkey, they gain persistent, phishing-resistant access to the account. Changing the user's password becomes irrelevant; the attacker's passkey provides a direct avenue for future authentication, effectively neutralizing many security controls. This is particularly concerning as the audit trails for such registrations often appear legitimate, making detection difficult [7].
Microsoft Entra ID and the Passkey Mandate
Microsoft is actively pushing for passkey adoption, with passkeys becoming the default authentication method in Microsoft Entra ID starting September 2026 [6, 9]. This strategic move aims to combat credential theft and enhance security by moving away from phishable methods like SMS and voice authentication, which will be retired by February 2027. While this transition significantly strengthens authentication against automated attacks, it also highlights the critical need for robust user education and vigilance against social engineering.
For organizations on Entra ID, users enabled for SMS or voice authentication will automatically be prompted to register a passkey during their next MFA challenge once the rollout reaches their organization [9]. This broad push creates an opportune moment for vishing attacks, as users may be less suspicious of requests to "register a new passkey" due to the ongoing official transition.
The Enterprise Challenge: Beyond Technical Controls
The effectiveness of these vishing attacks underscores a fundamental challenge in cybersecurity: technical controls alone are insufficient against determined social engineers. While passkeys are inherently phishing-resistant, the human element remains the weakest link. Enterprise security teams must recognize that the "device enrollment phase" is now a prime target for attackers [8].
Key actions for enterprise security teams include:
- User Training and Awareness: Conduct regular, targeted training specifically addressing vishing tactics related to passkey enrollment. Emphasize that legitimate IT support will never ask for MFA codes over the phone or guide users through a complex, real-time enrollment process.
- Policy and Process Review: Scrutinize existing passkey enrollment processes to identify potential social engineering vulnerabilities. Consider implementing additional out-of-band verification steps for new passkey registrations, particularly for high-privilege accounts.
- Monitoring and Audit Trail Analysis: Enhance monitoring for unusual passkey registration events, especially those occurring outside of typical working hours or from unfamiliar IP addresses/devices. The
User registered security infoaudit record is a crucial signal [7]. Correlate these events with other security logs. - Strict Communication Guidelines: Establish clear, internally publicized guidelines for how IT and security teams will — and will not — communicate with users about password resets, MFA, and passkey enrollments. Users should be empowered to question and report suspicious requests.
- Phishing Simulation with Vishing Elements: Incorporate simulated vishing attacks into regular security awareness programs to test user resilience and identify training gaps.
Moving Forward
The shift to passkeys marks a significant step forward in authentication security. However, the adaptability of threat actors, particularly their proficiency in social engineering, dictates that enterprise security strategies must evolve in parallel. By focusing on comprehensive user education, robust detection mechanisms, and secure enrollment processes, organizations can minimize the risk posed by vishing attacks and fully leverage the benefits of passkey technology. Ignoring the human element in the push for passwordless authentication is no longer an option. Failure to act now can lead to attackers establishing persistent access, even in environments with otherwise strong technical security. Organizations must proactive a defense-in-depth approach that includes the human factor as a critical layer of protection.}}