Forging Passkeys: Exploring the FIDO2 / WebAuthn Attack Surface
Fri Jun 20 2025, authored by vmfunc

Introduction

Passwords are dying—slowly, awkwardly, and not without a fight. Large parts of the internet are already nudging users toward "passkeys", the marketing-friendly name for FIDO2 credentials that live on your phone, security key, or TPM. In theory passkeys solve phishing and credential-stuffing in one swoop. In practice... they might introduce a shiny new attack surface:

- A complex binary protocol (CTAP2) speaking over USB-HID, NFC and BLE.
- JSON-ish CBOR blobs ("COSE" objects) glued together with bespoke signature schemes.
- A browser API (WebAuthn) juggling credential IDs, transports, resident keys, UV / UP semantics and platform quirks.

Plenty of room for mistakes! Or for carefully crafted tooling that bends the spec in useful ways :3

Today, we will:

- Tear apart a commercial hardware key and a "platform" authenticator to see what actually gets signed.
- Build a software authenticator that impersonates a FIDO2 device over USB-HID. No kernel drivers, only usermode code.
- Forge and replay passkey signatures to automate headless logins on sites that "require" WebAuthn.
- Explore the security boundaries. What stops us from cloning credentials? How do Apple & Google lock down key material? Where do browser mitigations kick in?

By the end we'll have a working PoC: a cross-platform command-line tool that registers a fake passkey and logs you in without touching a real security key, and a clear understanding of which scenarios make this an interesting threat model! Sound fun? Let's plug in a key and start sniffing packets.

Quick-Start Overview

Below is the 30-second tour of the entire project. Treat it as a table of contents you can mentally pin while reading the deep-dives that follow.

- Sniff raw CTAP2 traffic with Wireshark and a tiny Python filter.
- Decode every CBOR/COSE field and locally verify Yubico's packed attestation.
- Re-implement the CTAP2 state-machine in pure Rust and...
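The authenticatorData blob is what the authenticator actually signs and what a relying party has to check field by field (rpIdHash, the UP/UV flags, the signature counter, and, on registration, the attested credential's COSE key). The parser below is an added example, not code from this post or its tooling; it carries its own minimal CBOR decoder and runs on a constructed sample rather than a capture from a real key.

```python
import hashlib

# authenticatorData flag bits (WebAuthn spec, section 6.1)
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80

def _cbor(buf, pos=0):
    """Minimal CBOR decoder: ints, negative ints, byte strings and maps (enough for a COSE_Key)."""
    major, arg = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if arg >= 24:  # 24 -> 1-byte argument, 25 -> 2-byte argument; longer forms unsupported here
        width = {24: 1, 25: 2}[arg]
        arg, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            k, pos = _cbor(buf, pos)
            out[k], pos = _cbor(buf, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_auth_data(auth_data: bytes, rp_id: str) -> dict:
    """Split authenticatorData into the fields covered by the signature and sanity-check them."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    result = {
        "rp_id_matches": auth_data[:32] == hashlib.sha256(rp_id.encode()).digest(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }
    if flags & FLAG_AT:  # attestedCredentialData: aaguid(16) | credIdLen(2) | credId | COSE_Key
        cred_len = int.from_bytes(auth_data[53:55], "big")
        cose_key, _ = _cbor(auth_data, 55 + cred_len)
        result.update(aaguid=auth_data[37:53].hex(), credential_id=auth_data[55:55 + cred_len].hex(),
                      key_type=cose_key.get(1), alg=cose_key.get(3))
    return result

# Constructed sample (not a real capture): RP "example.com", UP|UV|AT set, counter 7,
# all-zero AAGUID, 4-byte credential ID, ES256 EC2 COSE key with dummy x/y coordinates.
SAMPLE_COSE_KEY = (bytes([0xA5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20]) + b"\x11" * 32
                   + bytes([0x22, 0x58, 0x20]) + b"\x22" * 32)
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
                    + (7).to_bytes(4, "big") + b"\x00" * 16 + (4).to_bytes(2, "big")
                    + b"\xde\xad\xbe\xef" + SAMPLE_COSE_KEY)
```

A relying party that skips the rpIdHash comparison or ignores a non-increasing sign_count is exactly where a replayed or cloned credential goes unnoticed.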