
Pentesting Passkeys (WHY2025)
Chaos Computer Club - recent events feed · Matthijs Melissen
August 10, 2025 · 34m 21s
Audio is streamed directly from the publisher (cdn.media.ccc.de) as published in their RSS feed.
Show Notes
Passkeys are a new way to log in without passwords. They solve a lot of the traditional security risks associated with passwords. But passkeys are only secure if implemented well. When implemented incorrectly, they lead to new attack vectors that hackers can exploit.
In this talk, we will first study the protocol behind passkeys, called WebAuthn. We will then look at some common implementation mistakes and how we can exploit them. Next, we will present a methodology for carrying out pentests on WebAuthn implementations, and finally we will discuss some vulnerabilities that we detected (and disclosed!) in various web applications.
This talk is based on joint research with Peizhou Chen (University of Twente).
Licensed to the public under https://creativecommons.org/licenses/by/4.0/
about this event: https://program.why2025.org/why2025/talk/WD99DB/
Topics
65, 2025, why2025, Hacking, Brachium, why2025-eng, Day 4