Hackfest 2023 - Back to the Future

You Won’t Own Passwords, and You’ll Like It
2023-10-13, 11:00–11:50, Track #2

Passkeys are the future of authentication. Moving beyond passwords to Passkeys and WebAuthN provides a significant security upgrade for end users. But what are penetration testers that have relied on weak passwords to do? In this talk I will explore the attack surface of Passkeys and identify the viable paths to help pentesters identify vulnerabilities and achieve account takeovers. A new BurpSuite plugin will also be dropped to automate the tricky parsing of Passkey objects and identify vulnerabilities in Passkey implementations.

1) Intro: Why Passwords Suck

The motivation for this talk is to introduce passkeys to the audience and explore the available attack surface for a penetration tester.

A quick review of the reasons passwords are difficult for users to handle and manage securely. This argument will be supported by statistics about the number of breaches caused by compromised password credentials.

Passkeys are the future of passwordless authentication because they have been adopted by Google, Microsoft and Apple, and are built into all modern consumer platforms. Passkeys will address the major security concerns of passwords with the following properties:
- Asymmetric secret sharing for breach containment.
- Phishing resistance
- Simple user experience with biometrics user verification, cross device authentication flows and recoverability.

2) What are Passkeys

How passkeys build on the WebAuthN standard leveraging UAF. Definitions of the components, their dependencies and interactions:
- Universal Authentication Framework (UAF)
- Universal Second Factor (U2F)
- Web Authentication (WebAuthN)
- Client to Authenticator Protocol (CTAP/CTAP2)
- Passkeys
How Google, Apple and Microsoft implement passkey portability and recovery based on public security architecture documents.

3) Passkey’s Attack Surface

The passkey API implements two actions “Create” and “Authenticate”. I’ll review the fields in each of these API calls and discuss its role in the protocol and how a penetration tester may be able to attack it.

4) Penetration Testing Passkeys with BurpSuite Plugin

I have developed a new BurpSuite Plugin that identifies WebAuthN/Passkeys in web traffic and scans them for vulnerabilities.
I will discuss several of the vulnerabilities including:
- Weak public key algorithms
- Sufficient entropy and randomness for challenges
- Authentication weakness for public keys
- Weak account authentication enumeration
- Domain/Sub-domain scoping
After covering the attack surface for passkeys, I’ll look at the most viable attack paths for a penetration test to achieve account takeover.

Are you releasing a tool? – Yes