Passkey sign ups are at risk of account pre‑hijacking

[chrisciszak]

Hey

Can someone explain why Ory would allow to sign up with passkey using an email without actually verifying the ownership of the email first?

Imagine the following scenario where I managed to hijack an account:

1. Attacker signs up with passkey using Alice's email address.
2. Alice tries to sign up and fails because the account already exists.
3. Alice goes to login and because she doesn't own the passkey she goes through account recovery flow.
4. Alice completes the recovery flow.
5. Attacker can now login using the passkey they signed up with and use Alice's account with no restrictions.

Should't the passkey sign up have a required step to verify email ownership via OTP before the passkey is considered valid?

Require email verification before login doesn't solve this as passkeys bypass this anyway.

[vinckr]

Hello @chrisciszak
it depends on your threat model / risk profile.

The scenario you described is a bit of niche edge case, because it requires the attacker to re-check if they can login already, and the enduser to ever actually verify her address. But with some targeted social engineering this could be feasible.

To solve the specific scenario that you described there would need to be additional verification steps during registration and only if the end-user passes the verification the record is created in the DB.
For most of Ory users this additional friction would not be acceptable - reduced friction is one of the main reasons to use passkeys afaik.

The only way this can be solved right now is to force the user to review all auth methods on every login.