TLDR
Even if you take nothing else away from this piece, if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys.

Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure.
Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong



Source: TheHackerNews
Source Link: https://thehackernews.com/2025/10/how-attackers-bypass-synced-passkeys.html