WHY2025

Pentesting Passkeys
2025-08-10, Brachium
Language: English

Passkeys are a new way to log in without passwords. They solve a lot of the traditional security risks associated with passwords. But passkeys are only secure if implemented well. When implemented incorrectly, they lead to new attack vectors that hackers can exploit.
In this talk, we will first study the protocol behind passkeys, called WebAuthn. We will then look at some common implementation mistakes and how they can be exploited. Next, we will present a methodology for pentesting WebAuthn implementations, and finally we will discuss some vulnerabilities that we detected (and disclosed!) in various web applications.

This talk is based on joint research with Peizhou Chen (University of Twente).

Matthijs Melissen has been working at Computest Security for 10 years: first as a Security Specialist and Ethical Hacker, later as the Technical Lead of the Pentesting team. Prior to his role at Computest Security, he worked as a PHP developer, as well as an academic researcher in IT security. He received a PhD from the University of Luxembourg based on his research in fair exchange protocols.