Breaking WebAuthn, FIDO2, and Forging Passkeys


Passwords are dying and passkeys are taking over. In this post we tear apart WebAuthn and build our own software FIDO2 authenticator from scratch.

By the end we'll have a working PoC: a cross-platform command-line tool that registers a fake passkey and logs you in without touching a real security key, plus a clear understanding of which scenarios make this an interesting threat model. The moment you expose the Chrome DevTools Protocol (CDP) over a WebSocket you can script that stack: invent authenticators out of thin air, pre-seed them with arbitrary PKCS#8 keys and, crucially, flip every UX safeguard Chrome normally hides behind.

Results per relying party:

Site                                   | Registration | Authentication | Observation
---------------------------------------|--------------|----------------|------------
Google (accounts.google.com)           | Pass         | Fail           | Registration succeeds (Google happily parses the fake attestation) but the subsequent assertion is rejected: they compare our UP/UV/sign-count triplet against server-stored expectations and detect that sign-count never increments.
Microsoft (login.microsoftonline.com)  | Fail         | n/a            | The RP enforces requireResidentKey=false and refuses our rk=true flag.
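The Google row above is the detection a relying party can reproduce for itself: after registration, store the user-presence/user-verification flags and the signature counter, and on every assertion parse the authenticatorData and refuse a counter that does not move. The following is an added example written for this post and is not code from the article or from any RP; the names `parse_authenticator_data`, `StoredCredential`, `check_assertion` and `make_auth_data`, the rpId `example.com` and the counter values are all constructed for illustration. It implements the signature-counter rule from WebAuthn section 7.2 (a counter that is non-zero on either side must strictly increase) alongside the rpIdHash and UP/UV checks, so the forged-authenticator case from the table (counter stuck at the same value) and the counterless synced-passkey case (both sides zero) are both handled.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

# authenticatorData flag bits (WebAuthn, authenticator data layout)
FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified
FLAG_AT = 0x40   # attested credential data follows (registration only)
FLAG_ED = 0x80   # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


@dataclass
class StoredCredential:
    """What the RP keeps per credential after registration (constructed for this example)."""
    rp_id: str
    sign_count: int           # last counter value the server accepted
    uv_at_registration: bool  # UV flag observed when the credential was created


def check_assertion(cred: StoredCredential, raw_auth_data: bytes, require_uv: bool) -> list[str]:
    """Return reasons to reject the assertion; an empty list means accept (and the stored counter is advanced)."""
    ad = parse_authenticator_data(raw_auth_data)
    problems: list[str] = []

    if ad.rp_id_hash != hashlib.sha256(cred.rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not ad.flags & FLAG_UP:
        problems.append("UP flag not set")
    if require_uv and not ad.flags & FLAG_UV:
        problems.append("UV required but not set")
    if cred.uv_at_registration and not ad.flags & FLAG_UV:
        problems.append("credential registered with UV but assertion lacks UV")

    # Signature counter rule (WebAuthn 7.2): once either side reports a non-zero
    # counter it must strictly increase. A stale or repeated value is the signal
    # Google keys on in the table above: a cloned key or a forged authenticator.
    if ad.sign_count != 0 or cred.sign_count != 0:
        if ad.sign_count <= cred.sign_count:
            problems.append(f"signCount {ad.sign_count} did not increase past stored {cred.sign_count}")
    # Both zero: the authenticator implements no counter (typical of synced
    # passkeys), so the counter gives no signal either way.

    if not problems:
        cred.sign_count = ad.sign_count
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix for testing (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> dict[str, list[str]]:
    """Walk a credential registered with counter 5 through a stuck, a fresh and a UV-less assertion."""
    cred = StoredCredential(rp_id="example.com", sign_count=5, uv_at_registration=True)
    return {
        "stuck_counter": check_assertion(cred, make_auth_data("example.com", FLAG_UP | FLAG_UV, 5), require_uv=True),
        "fresh_counter": check_assertion(cred, make_auth_data("example.com", FLAG_UP | FLAG_UV, 6), require_uv=True),
        "missing_uv": check_assertion(cred, make_auth_data("example.com", FLAG_UP, 7), require_uv=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "accept" if not result else result)
```

The stored counter is only advanced when every check passes, so a rejected assertion cannot be used to "catch up" a forged counter. Note that a counter reported as zero on both sides is accepted by the spec rule; an RP that wants to treat counterless credentials differently has to decide that at registration time, not here.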
