WebAuthn API hijacking + passkey downgrade

TL;DR: Browser-extension or XSS hijack of navigator.credentials.* plus UA-spoofed AiTM forces a passkey login to fall back to OTP/SMS.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

https://labs.sqrx.com/passkeys-pwned-turning-webauth-against-itself-0dbddb7ade1a