
Breaking WebAuthn, FIDO2, and Forging Passkeys


Forging Passkeys: Exploring the FIDO2 / WebAuthn Attack Surface

Fri Jun 20 2025 authored by vmfunc

Introduction

Passwords are dying—slowly, awkwardly, and not without a fight. Large parts of the internet are already nudging users toward "passkeys", the marketing-friendly name for FIDO2 credentials that live on your phone, security key, or TPM.

In theory passkeys solve phishing and credential-stuffing in one swoop. In practice... they might introduce a shiny new attack surface:

- A complex binary protocol (CTAP2) speaking over USB-HID, NFC and BLE.
- JSON-ish CBOR blobs ("COSE" objects) glued together with bespoke signature schemes.
- A browser API (WebAuthn) juggling credential IDs, transports, resident keys, UV / UP semantics and platform quirks.

Plenty of room for mistakes! Or for carefully crafted tooling that bends the spec in useful ways :3

Today, we will:

Tear apart a commercial hardware key and a "platform" authenticator to see what actually gets signed.
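As an added example (not code from the original article), this is the relying-party view of "what actually gets signed": it parses the fixed header of authenticatorData, checks the UP / UV flags and rpIdHash mentioned above, and assembles the exact byte string an assertion signature covers. It uses only the Python standard library; the RP ID, origin, challenge and counter values are constructed sample data.

```python
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present bit in the authenticatorData flags byte
FLAG_UV = 0x04  # user verified bit
def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte head of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(auth_data[32] & FLAG_UP),
        "user_verified": bool(auth_data[32] & FLAG_UV),
        "sign_count": sign_count,
    }

def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()

def check_assertion(auth_data, client_data_json, rp_id, origin, challenge,
                    require_uv, last_sign_count) -> list:
    """Relying-party checks that precede signature verification; returns failure reasons (empty == ok)."""
    a = parse_authenticator_data(auth_data)
    c = json.loads(client_data_json)
    problems = []
    if c.get("type") != "webauthn.get":
        problems.append("clientData.type is not webauthn.get")
    if c.get("challenge") != challenge:
        problems.append("challenge mismatch")
    if c.get("origin") != origin:
        problems.append("origin mismatch")
    if a["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match RP ID")
    if not a["user_present"]:
        problems.append("UP flag not set")
    if require_uv and not a["user_verified"]:
        problems.append("UV required but not set")
    # A counter of 0 means the authenticator does not implement one; otherwise it must increase.
    if a["sign_count"] != 0 and a["sign_count"] <= last_sign_count:
        problems.append("signCount did not increase (cloned authenticator?)")
    return problems

# Constructed sample assertion for RP "example.com": UP+UV set, counter 42.
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest()
                    + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 42))
SAMPLE_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": "dGVzdC1jaGFsbGVuZ2U",
                                 "origin": "https://example.com"}).encode()
```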
