In a 28 August disclosure of research it presented at DEF CON 33, cyber-security startup SquareX said that passkeys, the FIDO-based password-free login system now enabled on an estimated 15 billion accounts, can be hijacked if a user's browser is running a malicious extension. According to the researchers, an extension with access to the page can intercept the WebAuthn registration flow and substitute a key pair the attacker controls, so that the site stores the attacker's public key. The attacker can then sign in to the newly registered account, or force users to re-enrol under the attacker's key, potentially exposing banking, e-commerce and enterprise SaaS platforms.

The disclosure drew immediate push-back from other security specialists. Ars Technica's Dan Goodin called the work "specious", arguing that no authentication scheme can hold up once the endpoint itself is compromised, and that a malicious extension running inside the user's browser lies outside the threat model FIDO set out to address. Independent experts said the presentation read more as a marketing pitch for the company's browser-security tools than as evidence of a flaw in the passkey standard.

The exchange highlights a growing debate as companies accelerate the switch from passwords to passkeys. Passkeys remove the two failure modes passwords are known for, credential phishing and the theft of password databases, because the key pair is bound to the site's origin and the server holds only a public key. Critics note, however, that the browser remains a single point of failure: a malicious extension or injected script controls the very API the web page calls. Organisations adopting passkeys are being urged to harden browser environments and vet add-ons as part of their authentication strategy.
New research claiming passkeys can be stolen is pure nonsense https://t.co/Mt7F7g696R
Game over for Dropbox Passwords. Starting today, the app and its extension go read-only ahead of a complete shutdown planned for 28 October. Users have two months to export their credentials to ... https://t.co/LVut9FvieB
Breaking the Passkey Promise: SquareX Discloses Major Passkey Vulnerability at DEF CON 33: https://t.co/RZUeXkJ9af by The Security Ledger with Paul F. Roberts #infosec #cybersecurity #technology #news