Tue, Apr 23, 2024

PasskeyScanner: A Kroll BurpSuite Extension for Passkeys

Download Kroll PasskeyScanner Extension

Despite being a globally accepted security measure, passwords have caused countless breaches and compromised systems over many years of not-so-secure authentication technology. They remain the dominant form of authentication because more secure options have not been accessible to all users. Passwords have become the security risk they are today because, as the security requirements placed on them have increased, their usability has decreased. Less technically capable users are the most exposed, because good password hygiene demands technical skill and sustained effort. Users are not to blame; this is a technology problem that can only be solved by technology. The evolution of password usage follows a repeating cycle that is failing both users and technology administrators.

While password practices have become more complex over time to defend against attackers, they demand too much of users and increase potential security risks.

Figure 1: The password usage failure cycle. Each turn of the cycle is a user challenge, followed by an attacker win, followed by a defender effort.

  • User challenge: Users have to remember passwords, so they choose something easy to remember, like their favorite sports team or the word “password.”
  • Attacker wins: Easy-to-remember passwords are also easy to guess via dictionary wordlists.
  • Defender effort: Password complexity becomes necessary, requiring systems to ensure that passwords contain special characters, numbers and sufficient length. Password rotation is introduced to reduce the longevity of compromised passwords.
  • User challenge: Complexity requirements make passwords even harder to remember, so users memorize a few strong passwords and reuse them.
  • Attacker wins: Reused passwords are common, and database leaks are also common due to weak passwords. Credential stuffing with lists of previously breached credentials is effective for attackers.
  • Defender effort: Passwords must be checked against breach lists. Rate limiting, account lockout and risk profiling must be implemented.
  • User challenge: Users must use password managers and ensure any reused passwords are updated.
  • Attacker wins: Phishing and social engineering become more popular with attackers since they continue to be effective.
  • Defender effort: Multi-factor authentication is implemented.

What Are Passkeys?

Passkeys use public key cryptography to authenticate users. The private key is generated and stored on the user’s phone or laptop and is never sent to the service; the service only ever holds the matching public key. Using the private key first requires verifying the user, typically with a biometric such as a fingerprint or face scan (or a device PIN). After verification, the device signs a challenge issued by the service, proving possession of the private key without revealing it.

Passkeys have a number of specific properties that are critical to achieving this standard of security:

  • They are built on established standards that have been scrutinized by security professionals and attackers alike, which gives a high degree of assurance in their design.
  • They have been adopted by the major platform vendors (Apple, Google and Microsoft), which provide backup and cross-device synchronization. If a user loses their device, they do not lose access to all their accounts. Adoption by these vendors also means that most modern consumer devices have access to Passkeys.
  • Because public key cryptography is used, a service holds only the user’s public key rather than a shared secret such as a password. If the service is breached, the attacker obtains public keys, which cannot be used to log in or replayed against another site.
  • Passkeys bind each credential to the domain (Relying Party ID) that issued it, and the browser refuses to use the credential on any other origin. A phishing site on a look-alike domain therefore cannot obtain a usable assertion, which makes Passkeys extremely resistant to phishing.
  • Users are presented with a simple dialog that lets them choose their account and then asks them for a (biometric) verification.

Figure 2: The Passkey dialog allows the user to choose an account and complete Face ID verification

Core Passkey Technology

Passkey technology has three facets that are related and are often confused with each other:

  • Web Authentication (WebAuthn) is the communication specification (or API) used to perform the authentication ceremony. It defines the messages passed between web servers (known as Relying Parties), web scripts running in the browser and the browser APIs those scripts call. The browser exposes two WebAuthn functions:
    • Authenticate (navigator.credentials.get()), used to authenticate the user with an existing Passkey.
    • Create Passkey (navigator.credentials.create()), used to register a new Passkey credential for a user.
  • FIDO2 is the full set of authentication technologies. It includes WebAuthn and continues deeper into the technology stack, covering how the browser or operating system selects and communicates with any available authenticators (the CTAP protocol, in the case of external security keys).
  • Passkeys are the implementation of FIDO2 by the major platform vendors, agreed upon by the FIDO Alliance. The agreement to implement FIDO2 on these platforms allows for strong cross-platform authentication, which is available (or will soon be available) to most users. Passkeys also include account-based recovery and credential syncing across devices, removing usability problems that limited earlier FIDO deployments.

In this article, “Passkeys” is used in preference to “FIDO2” wherever the terms are interchangeable, because adoption by the major vendors is key to Passkeys’ success and the term is more user-friendly.

Introducing Kroll PasskeyScanner

Passkeys have been adopted by the major platform vendors, incentivizing application developers to build Passkeys into their applications. Vendors such as Adobe, Amazon, Best Buy, GitHub, Google, PayPal, Shopify and TikTok have already deployed Passkey authentication.

Kroll’s Offensive Security team provides penetration testing and other offensive security assessments to clients globally. To ensure that we are equipped to properly assess Passkeys, we have developed proprietary methodology and tooling.

As part of this, we created a Burp Suite extension called PasskeyScanner that helps our security consultants evaluate implementations of Passkeys. The extension is freely available in the PortSwigger BApp Store, contributing some of our efforts to the community. We also presented a talk at a HackFest event where we released the extension and gave a more detailed overview of the Passkeys attack surface.
