Passkeys are a new way to log in without passwords. They remove many of the traditional risks associated with passwords, such as reuse, phishing and database leaks. But passkeys are only as secure as their implementation: when the relying party skips or mis-implements a verification step, new attack vectors appear that attackers can exploit.
In this talk, we will first study the protocol behind passkeys, WebAuthn. We will then look at some common implementation mistakes and how they can be exploited. Next, we will present a methodology for pentesting WebAuthn implementations, and finally, we discuss some vulnerabilities that we detected (and disclosed!) in various web applications.
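As an added example (not code from the talk or its authors), the following is a minimal WebAuthn relying-party verifier for the authentication ceremony, driven through one valid login and the assertions a verifier must reject: a replayed or stale challenge, a wrong origin, a wrong rpId, a missing user-presence flag, a cloned credential whose signature counter did not advance, and a tampered signature. The relying party (`RP_ID`, `ORIGIN`), the `FakeAuthenticator` that forges those assertions, the simplified registration step and the result labels are all assumptions made for this example; the checks themselves follow the verification steps of the WebAuthn specification. P-256 ECDSA is implemented in pure Python so the file runs offline, which is for illustration only; a real relying party uses a vetted library.

```python
import base64, copy, hashlib, json, secrets

# P-256 / secp256r1 domain parameters (FIPS 186-4); pure-Python affine arithmetic keeps this offline
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; acceptable for a demo verifier)."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, msg):
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1          # fresh random nonce; nonce reuse leaks d
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s: return r, s

def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

RP_ID, ORIGIN, UP = "example.com", "https://example.com", 0x01   # assumed RP; UP = user-present flag bit

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class FakeAuthenticator:
    """Constructed stand-in for a passkey that can also produce the malformed assertions a pentester sends."""
    def __init__(self):
        self.d = secrets.randbelow(N - 1) + 1
        self.pub, self.counter = ec_mul(self.d, G), 0
    def get_assertion(self, challenge, origin=ORIGIN, rp_id=RP_ID, flags=UP):
        self.counter += 1
        cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + self.counter.to_bytes(4, "big")
        # WebAuthn signs authenticatorData || SHA-256(clientDataJSON)
        return {"clientDataJSON": cdj, "authenticatorData": auth_data,
                "signature": ecdsa_sign(self.d, auth_data + hashlib.sha256(cdj).digest())}

class RelyingParty:
    def __init__(self): self.creds, self.pending = {}, {}
    def register(self, user, pub): self.creds[user] = {"pub": pub, "counter": 0}   # registration simplified
    def begin_login(self, user):
        self.pending[user] = secrets.token_bytes(32)   # random, per-ceremony challenge
        return self.pending[user]
    def finish_login(self, user, a):
        expected = self.pending.pop(user, None)        # single use: a replayed assertion finds nothing
        if expected is None: return "no pending challenge"
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get": return "wrong ceremony type"
        if cd.get("challenge") != b64url(expected): return "challenge mismatch"
        if cd.get("origin") != ORIGIN: return "origin mismatch"     # phishing resistance lives here
        ad = a["authenticatorData"]
        if ad[:32] != hashlib.sha256(RP_ID.encode()).digest(): return "rpIdHash mismatch"
        if not ad[32] & UP: return "user presence flag not set"
        cred = self.creds[user]
        if not ecdsa_verify(cred["pub"], ad + hashlib.sha256(a["clientDataJSON"]).digest(), a["signature"]):
            return "bad signature"
        counter = int.from_bytes(ad[33:37], "big")
        if counter and counter <= cred["counter"]: return "counter did not increase"   # cloned-key signal
        cred["counter"] = counter
        return "ok"

def run_scenarios():
    """One valid login followed by the cases a verifier that skips a check would wrongly accept."""
    rp, auth, out = RelyingParty(), FakeAuthenticator(), {}
    rp.register("alice", auth.pub)
    good = auth.get_assertion(rp.begin_login("alice"))
    out["valid"] = rp.finish_login("alice", good)
    out["replay"] = rp.finish_login("alice", good)
    rp.begin_login("alice"); out["stale challenge"] = rp.finish_login("alice", good)
    out["phishing origin"] = rp.finish_login("alice", auth.get_assertion(rp.begin_login("alice"), origin="https://evil.example"))
    out["wrong rpId"] = rp.finish_login("alice", auth.get_assertion(rp.begin_login("alice"), rp_id="evil.example"))
    out["no user presence"] = rp.finish_login("alice", auth.get_assertion(rp.begin_login("alice"), flags=0))
    clone = copy.copy(auth)                              # attacker copied the private key and counter
    out["genuine after clone"] = rp.finish_login("alice", auth.get_assertion(rp.begin_login("alice")))
    out["clone"] = rp.finish_login("alice", clone.get_assertion(rp.begin_login("alice")))
    bad = auth.get_assertion(rp.begin_login("alice")); bad["signature"] = (bad["signature"][0], 1)
    out["tampered signature"] = rp.finish_login("alice", bad)
    return out

if __name__ == "__main__":
    for case, result in run_scenarios().items(): print(f"{case:22} -> {result}")
```

Each branch in `finish_login` corresponds to a check that, when absent, turns into a testable finding: drop the challenge comparison and any captured assertion replays; drop the origin comparison and a phishing page on another origin can relay a live assertion; drop the rpIdHash comparison and a credential registered for a different rpId is accepted; ignore the counter and a cloned key is indistinguishable from the original. A pentest methodology for WebAuthn amounts to sending each of these assertions against the target and observing which one it accepts.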
This talk is based on joint research with Peizhou Chen (University of Twente).
Licensed to the public under https://creativecommons.org/licenses/by/4.0/
about this event: https://program.why2025.org/why2025/talk/WD99DB/