Passkeys Pwned: Turning WebAuthn Against Itself

Shourya Pratap Singh, Jonny Lin, Daniel Seetoh

DEF CON 33 · Day 2 · Main Stage

Passkeys are widely positioned as the successor to passwords — phishing-resistant, cryptographically bound to origins, and immune to replay attacks. Google, Apple, Microsoft, and major enterprise plat

AI review

SquareX maps the attack surface of passkeys at the browser mediation layer, demonstrating that WebAuthn's cryptographic guarantees dissolve when a malicious extension can override navigator.credentials API calls.
