Breaking WebAuthn, FIDO2, and Forging Passkeys
10 months ago
- #Authentication
- #WebAuthn
- #Security
- Passkeys are replacing passwords, offering phishing-resistant authentication via FIDO2 credentials stored on devices.
- Passkeys introduce a complex attack surface spanning the CTAP2 protocol, CBOR blobs, and the WebAuthn API.
- A proof-of-concept demonstrates forging passkey signatures to automate logins without hardware security keys.
- The project involves sniffing CTAP2 traffic, decoding CBOR/COSE fields, and re-implementing CTAP2 in Rust.
- Chrome's DevTools Protocol can be exploited to create virtual authenticators, bypassing hardware requirements.
- Real-world tests show varying levels of security on major sites like Google, Microsoft, and GitHub.
- Mitigations include enforcing sign-counters, stricter CDP permissions, and relying-party-side checks.
- The research highlights the need for stronger security policies around WebAuthn and passkey implementations.
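The mitigation bullet above names sign-counter enforcement and relying-party-side checks. The block below is an added example of what those checks look like on the server, not code from the research project or from any WebAuthn library: it parses the fixed 37-byte header of `authenticatorData` (rpIdHash, flags, big-endian signature counter), binds the assertion to the expected RP ID, checks the UP/UV flags, and applies the signature-counter rule from the WebAuthn assertion-verification procedure, under which a counter that fails to advance is treated as a sign that a second copy of the credential (or a replay) is in use. The in-memory `store`, the credential IDs, the RP IDs, and the counter values are constructed for the demo; the cryptographic signature check over `authData || SHA-256(clientDataJSON)` is assumed to have already passed.

```python
import hashlib
import struct
from dataclasses import dataclass

# Fixed header of WebAuthn authenticatorData:
#   rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian) || ...
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


@dataclass
class ParsedAuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(auth_data: bytes) -> ParsedAuthData:
    """Extract the three fixed fields from authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return ParsedAuthData(auth_data[:32], auth_data[32], sign_count)


def evaluate_counter(stored: int, received: int) -> str:
    """Signature-counter step of WebAuthn assertion verification.
    'ok'              counter moved forward: accept and store the new value
    'no-counter'      both zero: the authenticator does not implement counters
    'clone-suspected' counter stalled or went backwards: a second copy of the
                      private key, or a replayed assertion, may be in use"""
    if stored == 0 and received == 0:
        return "no-counter"
    if received > stored:
        return "ok"
    return "clone-suspected"


def verify_assertion(store: dict, cred_id: str, rp_id: str, auth_data: bytes,
                     require_uv: bool = False, reject_no_counter: bool = False) -> str:
    """Relying-party checks on one assertion (signature assumed already verified).
    Returns 'accepted' or a rejection reason; the stored counter is updated only
    on acceptance, and a stalled counter is recorded on the credential."""
    cred = store[cred_id]
    parsed = parse_auth_data(auth_data)
    if parsed.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "rejected: rpIdHash mismatch"
    if not parsed.flags & FLAG_UP:
        return "rejected: user presence not asserted"
    if require_uv and not parsed.flags & FLAG_UV:
        return "rejected: user verification required"
    verdict = evaluate_counter(cred["sign_count"], parsed.sign_count)
    if verdict == "clone-suspected":
        cred["clone_warning"] = True
        return "rejected: signature counter did not increase"
    if verdict == "no-counter" and reject_no_counter:
        return "rejected: authenticator reports no signature counter"
    cred["sign_count"] = parsed.sign_count
    return "accepted"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input: the fixed header an authenticator would emit."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def demo():
    """Constructed scenario: credential 'cred-A' registered with stored counter 5."""
    store = {"cred-A": {"sign_count": 5}}
    results = []
    # Genuine authenticator: counter advances 5 -> 6.
    results.append(verify_assertion(store, "cred-A", "example.com",
                                    make_auth_data("example.com", FLAG_UP | FLAG_UV, 6)))
    # Same counter value presented again: a copy of the key or a replay.
    results.append(verify_assertion(store, "cred-A", "example.com",
                                    make_auth_data("example.com", FLAG_UP | FLAG_UV, 6)))
    # Assertion produced for a different RP ID.
    results.append(verify_assertion(store, "cred-A", "example.com",
                                    make_auth_data("other.example", FLAG_UP, 7)))
    # Credential whose authenticator never implements a counter, under a strict policy.
    store["cred-B"] = {"sign_count": 0}
    results.append(verify_assertion(store, "cred-B", "example.com",
                                    make_auth_data("example.com", FLAG_UP, 0),
                                    reject_no_counter=True))
    return results, store
```

Whether to reject the `no-counter` case is a policy decision: many platform passkeys legitimately report a counter of zero, so a strict `reject_no_counter=True` trades compatibility for the clone-detection signal, and a relying party that accepts such credentials should at least log that the signal is unavailable for them.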