The Login That Bypasses Your Passkeys: How Device-Code Phishing Went From Spy Tool to Off-the-Shelf Kit
Andrew Mason
June 15, 2026
Summary
Exploring device-code phishing as a growing threat bypassing MFA and passkeys, impacting identity surfaces.


Introduction

Threats evolve continuously, and device-code phishing is a case in point: a technique that began as an espionage tool is now packaged as an off-the-shelf kit available to any attacker with malicious intent. It takes over accounts quietly, sidestepping the security measures organisations traditionally rely on.

The Mechanics of Device-Code Phishing

Device-code phishing abuses a legitimate OAuth flow (device authorisation) to bypass MFA entirely. The attacker starts the flow, sends the resulting user code to the victim, and tricks the victim into entering it on the provider's genuine verification page; once the victim approves, the attacker's client receives the access and refresh tokens. The credentials were never weak, which is why this is a gap in token-level visibility, not credential hygiene.
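As an added illustration of what token-level visibility can look like (example code written for this page, not DarkInvader's tooling), the following Python flags device-code grants in a constructed sign-in log; the log format, field names and sample values are assumptions, not any vendor's schema:

```python
import json
from collections import defaultdict

# Constructed sample of identity-provider sign-in events (JSON lines). Field
# names and values are assumptions made for this example, not a vendor schema.
SAMPLE_LOG = """\
{"ts":"2026-06-01T08:55:02Z","user":"alice@example.com","protocol":"oauth2","ip":"198.51.100.10","mfa":true,"refresh_token":false}
{"ts":"2026-06-01T09:01:40Z","user":"alice@example.com","protocol":"deviceCode","ip":"203.0.113.7","mfa":true,"refresh_token":true}
{"ts":"2026-06-01T09:10:15Z","user":"bob@example.com","protocol":"deviceCode","ip":"198.51.100.22","mfa":true,"refresh_token":true}
{"ts":"2026-06-01T09:12:00Z","user":"bob@example.com","protocol":"deviceCode","ip":"198.51.100.22","mfa":true,"refresh_token":false}
{"ts":"2026-06-01T09:20:05Z","user":"carol@example.com","protocol":"oauth2","ip":"192.0.2.5","mfa":true,"refresh_token":false}
{"ts":"2026-06-01T09:21:30Z","user":"carol@example.com","protocol":"deviceCode","ip":"192.0.2.5","mfa":true,"refresh_token":true}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(events):
    """Flag device-code grants whose source IP has no interactive-sign-in baseline.

    The check ignores the MFA field on purpose: in a device-code phish the
    victim really does pass MFA, so a rule keyed on credential hygiene sees
    nothing. The signal is the grant type plus an unfamiliar source.
    """
    baseline = defaultdict(set)
    for e in events:  # IPs seen on ordinary (non-device-code) sign-ins per user
        if e["protocol"] != "deviceCode":
            baseline[e["user"]].add(e["ip"])
    alerts = []
    for e in events:
        if e["protocol"] != "deviceCode" or e["ip"] in baseline[e["user"]]:
            continue
        alerts.append({
            "user": e["user"], "ts": e["ts"], "ip": e["ip"],
            # A refresh token means the grant outlives the session: treat as high.
            "severity": "high" if e.get("refresh_token") else "medium",
            "reason": "device-code grant from IP with no interactive sign-in history",
        })
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(parse_events(SAMPLE_LOG)):
        print(a)
```

Carol's device-code grant from an IP she already uses interactively is not flagged, while Alice's and Bob's are, even though every record shows MFA satisfied.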


The Evolution from Espionage to Mass Market

Initially crafted for espionage, device-code phishing has spread into the cybercriminal marketplace. Kits now ship with user-friendly interfaces, putting the technique within reach of far less skilled attackers.


The Impact on Passkey Authentication Systems

Passkeys are designed to be phishing-resistant, yet device-code phishing still defeats the protection they are meant to provide: the victim authenticates genuinely, passkey included, and then authorises a session the attacker controls. Its rise exposes a weakness in how device authentication is approved and monitored, and underlines the need for robust detection mechanisms.


An Analysis of Vulnerabilities

  1. Human Factor: Users often approve phishing requests, mistaking them for legitimate ones.
  2. System Weaknesses: Lack of robust detection to differentiate legitimate from malicious device authentications.
  3. Lack of Awareness: Many users remain unaware of device-code phishing techniques.

Mitigation and Future Strategies

Despite the sophisticated nature of device-code phishing, being vigilant and informed can mitigate risks.

Strengthening Defence Protocols

  • Enhanced MFA: Implement multi-layered authentication.
  • Behavioural Analytics: Utilise analytics to detect anomalies.
  • Regular Training: Continuous user education on phishing strategies.


Leveraging Advanced Monitoring Tools

Solutions like EASM provide advanced monitoring to pre-empt potential threats.

Conclusion

As device-code phishing transitions from espionage tools to common kits, it epitomises the dynamic nature of cyber threats. Organisations must continuously assess and reinforce their security measures to adapt to this evolving landscape.

FAQs

What is device-code phishing?

Device-code phishing exploits device authorisation flows, tricking victims into approving fraudulent device authentication requests and thereby handing account access to the attacker.

How does device-code phishing bypass traditional security measures?

It targets the human element and weaknesses in device authentication flows, deceiving users into approving device-code requests they believe are their own.

How can individuals protect themselves from device-code phishing?

Be cautious of unsolicited authentication requests, and never enter a device code you did not generate yourself. Use enhanced MFA, stay aware of phishing strategies, and employ behavioural analytics.

What role can EASM play in combating device-code phishing?

EASM offers tools for monitoring and mitigating threats, identifying potential weaknesses, and proactively addressing them.

With strong token/session monitoring practices, you can ensure your organisation is resilient against these evolving threats.

Andrew Mason

Andrew is an entrepreneur and technology leader with a strong track record of building, scaling, and exiting high-growth technology businesses. He is the founder of several award-winning companies including RandomStorm, Data Protection People, RapidSpike, Pentest People, and DarkInvader, each operating at the forefront of cybersecurity, risk management, and digital resilience. Across these ventures, Andrew has consistently focused on creating commercially successful businesses grounded in deep technical capability and clear market need.
