Alex is the Technical Director at Kroll's Offensive Security - Cyber Risk group. After 7 years of hands-on penetration testing, Alex is responsible for research and development of tools, techniques, skills and methodologies for Kroll's team of pen testers.
You Won’t Own Passwords, and You’ll Like It
Passkeys are the future of authentication. Moving beyond passwords to Passkeys and WebAuthn provides a significant security upgrade for end users. But what are penetration testers who have relied on weak passwords to do? In this talk, I will explore the attack surface of Passkeys and identify the viable paths to help pentesters identify vulnerabilities and achieve account takeovers. A new Burp Suite plugin will also be dropped to automate the tricky parsing of Passkey objects and identify vulnerabilities in Passkey implementations.