Google: Passkey Architecture In Google Authenticator Poses New Cyberattack Threats

Google Authenticator’s Passkey Sync Introduces New Cloud-Based Attack Surfaces

Security researchers have identified potential vulnerabilities in Google Authenticator’s passwordless authentication system, which combines hardware security with cloud-based key management. The hybrid model, designed for seamless cross-device synchronization, introduces previously unexplored attack vectors that could allow threat actors to bypass authentication.

Google’s passkey ecosystem relies on an undocumented cloud component hosted at enclave.ua5v.com, which handles cryptographic operations and syncs passkeys across macOS, Windows, Linux, and ChromeOS devices. During initial setup, Chrome initiates a background onboarding process, registering keys with the cloud authenticator and generating a Security Domain Secret (SDS), a master key encrypting all synced passkeys, and a recovery PIN.

Once a device joins the security domain, passkey creation involves encrypted exchanges via WebSockets and the Noise Protocol framework. The cloud authenticator decrypts the SDS, generates a new passkey, encrypts it, and sends it back to the device, where it is uploaded to Chrome Sync for distribution across trusted devices.

While this design enhances usability, Palo Alto Networks researchers warn that it also creates risks. If attackers compromise communication channels or exploit cloud-based weaknesses, they could impersonate synced devices, perform valid passkey authentications, and gain unauthorized access to accounts. The findings highlight the need for security teams to monitor cloud identity infrastructure for anomalous patterns and misconfigurations.

Source: https://cyberpress.org/google-authenticator-passkey-vulnerability/

Google cybersecurity rating report: https://www.rankiteo.com/company/google

"id": "GOO1774441831",
"linkid": "google",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Google Authenticator '
                                              'passkey synchronization',
                        'industry': 'Information Technology',
                        'location': 'Global',
                        'name': 'Google',
                        'size': 'Large Enterprise',
                        'type': 'Technology Company'}],
 'attack_vector': 'Cloud-based key management, WebSockets, Noise Protocol '
                  'framework',
 'data_breach': {'data_encryption': 'Yes (passkeys and SDS are encrypted)',
                 'sensitivity_of_data': 'High (authentication credentials)',
                 'type_of_data_compromised': 'Passkeys, Security Domain Secret '
                                             '(SDS), recovery PIN'},
 'description': 'Security researchers have identified potential '
                'vulnerabilities in Google Authenticator’s passwordless '
                'authentication system, which combines hardware security with '
                'cloud-based key management. The hybrid model introduces '
                'previously unexplored attack vectors that could allow threat '
                'actors to bypass authentication. The cloud component handles '
                'cryptographic operations and syncs passkeys across devices, '
                'but weaknesses in communication channels or cloud '
                'infrastructure could enable attackers to impersonate synced '
                'devices and gain unauthorized access.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'authentication bypass risks',
            'identity_theft_risk': 'High (if passkeys are compromised)',
            'operational_impact': 'Potential unauthorized access to accounts '
                                  'using passkeys',
            'systems_affected': 'Google Authenticator passkey synchronization '
                                'across macOS, Windows, Linux, and ChromeOS '
                                'devices'},
 'lessons_learned': 'Cloud-based passkey synchronization introduces new attack '
                    'surfaces that require enhanced monitoring and security '
                    'measures.',
 'post_incident_analysis': {'root_causes': 'Undocumented cloud component '
                                           '(enclave.ua5v.com) handling '
                                           'cryptographic operations and '
                                           'passkey synchronization introduces '
                                           'potential vulnerabilities in '
                                           'communication channels and cloud '
                                           'infrastructure.'},
 'recommendations': 'Security teams should monitor cloud identity '
                    'infrastructure for anomalous patterns and '
                    'misconfigurations. Users should ensure secure '
                    'communication channels and consider additional '
                    'authentication layers.',
 'references': [{'source': 'Palo Alto Networks Research'}],
 'response': {'enhanced_monitoring': 'Security teams advised to monitor cloud '
                                     'identity infrastructure for anomalous '
                                     'patterns and misconfigurations'},
 'title': 'Google Authenticator’s Passkey Sync Introduces New Cloud-Based '
          'Attack Surfaces',
 'type': 'Vulnerability Disclosure',
 'vulnerability_exploited': 'Potential compromise of communication channels or '
                            'cloud-based weaknesses in passkey synchronization'}