Are passkeys as secure as you think? - Fabian Bader

Disobey 2026 · Main Stage

At a time when phishing and credential theft are widespread, passkeys have emerged as a promising, phishing-resistant alternative to traditional passwords. Fabian Bader's talk at Disobey, "Are passkeys as secure as you think?", examines the technology critically, looking past the marketing hype at its underlying security mechanisms, potential vulnerabilities, and real-world implications. Bader, a security consultant specializing in identity at Gluconia and a Microsoft MVP, provides a comprehensive overview of passkey types, the role of attestation, and a detailed threat model across the components of the passkey ecosystem.

AI review

Bader does the work most passkey talks skip entirely: he threat-models the full stack — protocol, browser, CTAP, storage, third-party provider — and backs it up with actual PoCs instead of hand-waving at 'potential risks.' The BLE AiTM demo and the Infineon side-channel reference are exactly the kind of 'yes, but here's where it actually breaks' content this space desperately needs to counterbalance the FIDO Alliance marketing machine.
