Passkey Syncing Fraud: The New Attack Vector Everyone Saw Coming

The Promise of Passkeys — and the Hidden Tradeoff
The introduction of passkeys as a replacement for passwords was guided by a simple, elegant idea: eliminate passwords entirely and replace them with public-key credentials stored on users’ devices. No shared secrets to steal, nothing to type into a phishing page, no password reuse. In theory, it was the perfect solution.
To drive wider adoption, a compromise was made at a critical juncture in favor of convenience: passkey syncing across devices. Apple, Google, and others introduced the ability to store passkeys in the cloud, so that users can restore them simply by signing into their iCloud or Google account on a new device. On paper, this made sense. In practice, it quietly reintroduced one of the very weaknesses passkeys were meant to eliminate: the credential is now only as protected as the account it is synced through.
The Reality: Convenience Becomes an Attack Surface
Fraud prevention professionals have long warned: if the passkey is backed up to the cloud, its security is only as strong as the login credentials, 2FA method, and account-recovery flow of that cloud provider. That theoretical weakness is now being exploited in the wild.
Prove has recently been investigating a troubling trend that points to a shift in attack strategy: attacks are moving away from traditional password phishing and toward exploiting the surrounding device and account ecosystem to bypass the strongest forms of MFA. Organizations are seeing fraud incidents spanning three authentication types: (1) passkey authentication (FIDO2/WebAuthn credentials), (2) time-based OTP (TOTP), such as Google Authenticator or Okta Verify, and (3) FIDO U2F hardware keys, such as YubiKeys. One client asked Prove whether a SIM swap had occurred around the time of the fraudulent device-based authentication. After detailed analysis, Prove identified evidence of a SIM swap close to the account takeover (ATO) event in roughly 19% of ATO cases for both passkey and TOTP authentication.
The same client had reported a drop in SIM swaps affecting its SMS authentication. This is a common pattern in fraud: as controls are implemented, fraudsters adapt and look for new weaknesses. In this case the fraudsters have not stopped SIM swapping; they are using it to “sync” (restore to another phone) the victim’s passkeys or TOTP secrets onto a device they control, by passing the phone-number-based verification or recovery step of the cloud account that backs those credentials up. The takeaway is that minimal SIM swap activity in one authentication flow does not mean the threat has gone away; it can simply shift to other flows that are now being targeted.
How Passkey Syncing Fraud Happens Behind the Scenes
Passkey syncing fraud exploits the convenience that makes modern digital ecosystems so seamless. It’s commonly understood by users and developers alike that devices automatically synchronize authentication material (e.g., passwords and passkeys) across a user’s trusted devices through cloud-based keychain services. When everything is working as intended, this creates a smooth and secure user experience. But in the hands of a fraudster who manages to infiltrate that ecosystem, the same convenience can be turned into a powerful attack vector.
The sequence typically begins with an attacker gaining access to the victim’s broader digital identity, usually by compromising the account that anchors their cloud services. This account then functions as the “source of truth” for devices, backups, messages, and saved authentication keys. Once the attacker obtains both the sign-in credentials and the ability to intercept the victim’s phone number, they can impersonate the legitimate user well enough to satisfy the ecosystem’s identity checks.
With that foothold, the attacker introduces their own device into the victim’s trusted circle. Cloud systems are designed to treat every signed-in device as belonging to the same person, so they willingly deliver synchronized data to whatever device appears legitimate. This includes the passkeys and passwords that are meant to replace or supplement traditional login credentials. From the attacker’s perspective, it’s as though the victim’s digital key ring simply drops into their pocket.
Once those credentials are synced to the attacker’s device, they can access downstream banking, financial platforms, crypto exchanges, and other accounts tied to passkey-based authentication. Critically, this access persists even if the victim later regains control of their phone number or realizes something is wrong: the attacker’s device stays signed in to the cloud account, and keeps receiving synced credentials, until it is explicitly removed.
This dynamic makes the attack particularly insidious: nothing “breaks” on the victim’s end. Their own devices continue working normally, and the cloud continues syncing normally. The exception is that now, it is syncing to an additional, unauthorized device.
What’s happening is a clever misuse of existing features designed for convenience. Attackers aren’t defeating passkey cryptography. They’re manipulating the identity and device-trust assumptions around it. As long as an attacker successfully convinces the cloud ecosystem that their device belongs to the rightful user, the system willingly hands over everything it’s designed to sync.
Prove has researched the steps an attacker takes to sync passkeys to another device, via NFC or remotely. Please reach out to Prove for additional information on how these steps are carried out.
Two Ways to Protect Yourself as a Consumer
Defensive measures center around ensuring that only legitimate devices remain trusted, and that users periodically audit which devices have access to their cloud-stored credentials. Some individuals also choose to reduce their reliance on automatic syncing entirely, particularly for high-stakes accounts. Longer-term, platform providers could offer more granular controls that allow users to opt out of syncing passkeys for specific, high-risk services while retaining convenience for less sensitive ones.
If someone suspects that an unauthorized individual might have logged into their account, here is how they can protect themselves on iOS:
Go to Settings >> tap your name (Apple ID) at the top >> scroll down to the list of devices signed in to the Apple ID >> tap the device you do not recognize >> tap “Remove from Account”. That device will be signed out of the Apple ID. Because the attacker reached the account with its sign-in credentials and phone number in the first place, also change the Apple ID password; and keep in mind that removing the device does not end sessions the attacker has already opened at downstream services, which need to be reviewed at each of those services.
Another preventative measure is to disable cloud syncing of your passwords and passkeys. To do this go to Settings >> your name >> iCloud >> in the “Saved to iCloud” section, tap Passwords >> and turn off “Sync this iPhone.” Keep in mind that this adds friction whenever a device is lost or replaced in an upgrade: a new passkey has to be enrolled on the new device for every website where you created one, which can be tedious depending on how many passkeys you have.
One fix for Apple and Google to consider is letting users turn off syncing for individual passkeys. A user could then keep the passkeys for their primary bank and crypto exchange device-bound, avoiding this risk for the few high-risk accounts where it matters most, while still enjoying the convenience of having passkeys for less consequential sites restored automatically on new devices.
Why This Matters
WebAuthn’s original model assumed device-bound credentials: the private key is generated inside the authenticator (a hardware security key or the device’s secure element) and never leaves it. Syncing, whether through a cloud keychain or a device-to-device transfer, trades that property for adoption. Once a passkey can be restored onto another device, even through a legitimate mechanism, the trust model starts to resemble the one that plagues password-based systems: whoever can satisfy the cloud account’s login and recovery checks gets the credential. Relying parties are not entirely blind to this. The WebAuthn authenticator data carries backup eligibility (BE) and backup state (BS) flags that indicate whether a credential can be, and currently is, synced, which is enough to apply a stricter policy to synced credentials even though the flags cannot tell which device is presenting one. To be clear, passkeys are secure and a great step forward in convenience and security for businesses and consumers. It is also good to face head-on the threats that continually emerge.
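As an added illustration (not code from Prove or from the original post), the following Python parses the authenticator data returned in a WebAuthn assertion, reads the BE/BS flags and signature counter, and applies a relying-party policy that steps up synced credentials on high-risk actions and rejects counter regressions on device-bound ones. The relying party ID `bank.example`, the sample authenticator data built by `make_authenticator_data`, and the `assess_assertion` policy are all constructed for this example; the flag bit positions and the 37-byte layout are those of the WebAuthn specification.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Bits of the flags byte in WebAuthn authenticatorData (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).
    Attested credential data and extensions, if present, follow and are ignored here."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = raw[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        # The spec forbids BS=1 with BE=0: a credential that cannot be backed up cannot be backed up.
        raise ValueError("invalid flags: BS set without BE")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=flags, sign_count=sign_count)


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed 37-byte authenticatorData prefix for the samples below (not real authenticator output)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def assess_assertion(rp_id: str, registered: AuthData, assertion: AuthData,
                     high_risk: bool) -> Tuple[str, List[str]]:
    """Hypothetical relying-party policy. Returns ("accept" | "step_up" | "reject", reasons).
    `registered` is the authenticator data stored at registration, `assertion` the current login."""
    reject: List[str] = []
    if assertion.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        reject.append("rpIdHash does not match this relying party")
    if not assertion.user_present:
        reject.append("user presence not asserted")
    if registered.backup_eligible != assertion.backup_eligible:
        # BE is fixed for the lifetime of a credential; a flip means this is not the credential we registered.
        reject.append("BE flag changed since registration")
    if (registered.sign_count or assertion.sign_count) and assertion.sign_count <= registered.sign_count:
        # Device-bound authenticators increment the counter; a regression suggests a cloned key.
        # Synced passkeys report 0 on both sides, so this check gives them no protection at all.
        reject.append("signature counter did not increase; credential may be cloned")
    if reject:
        return "reject", reject

    step_up: List[str] = []
    if assertion.backed_up and not registered.backed_up:
        step_up.append("credential was backed up after registration; it may now exist on other devices")
    if high_risk and assertion.backup_eligible:
        step_up.append("synced credential used for a high-risk action; cannot be bound to one device")
    if high_risk and not assertion.user_verified:
        step_up.append("user verification not performed")
    return ("step_up", step_up) if step_up else ("accept", [])


if __name__ == "__main__":
    rp = "bank.example"  # constructed relying party
    # A synced passkey looks identical from every device it has been synced to, including an attacker's.
    synced = parse_authenticator_data(make_authenticator_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0))
    print(assess_assertion(rp, synced, synced, high_risk=True))
    # A device-bound key (BE=0) whose counter went backwards is a clone signal.
    bound_reg = parse_authenticator_data(make_authenticator_data(rp, FLAG_UP | FLAG_UV, 5))
    bound_old = parse_authenticator_data(make_authenticator_data(rp, FLAG_UP | FLAG_UV, 4))
    print(assess_assertion(rp, bound_reg, bound_old, high_risk=False))
```

Note the limit this policy has against the exact attack described above: a passkey registered from a synced keychain already carries BE=1, BS=1 and a zero counter, and the copy that syncs to the attacker’s phone presents precisely the same flags. The flags let a relying party treat synced credentials as a class that warrants step-up, and catch a credential that became backed up after registration, but they cannot tell the victim’s device from the attacker’s; that is the gap device-level and telecom signals are meant to fill.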
How Prove Unified Authentication Can Help
At Prove, we believe authentication must validate device integrity, not just possession of a credential.
The Prove Unified Authentication solution introduces a dynamic layer that can detect potential syncing risk in passkey authentication. This helps businesses understand when risk is present and escalate to step-up authentication when appropriate.
The outcome here is enabling businesses to protect themselves and their customers from financial fraud.
Looking Ahead
The industry must treat device trust as the new perimeter. Passkeys are a step in the right direction, but without grounding them in verified device lineage and telecom integrity, we’re simply shifting the attack vector, not eliminating it.
For security professionals, we’re entering the next chapter in passwordless evolution: making passkeys fraud-resistant, not just passwordless.
