Forging Passkeys: Exploiting the FIDO2/WebAuthn Attack Surface

2025-06-24

This article examines the security of FIDO2 passkeys from the attacker's side. The author reverse-engineered commercial hardware keys and platform authenticators and built a software-only authenticator that presents itself to the host as a FIDO2 device without any kernel driver, then used it to forge and replay passkey assertions for headless (unattended) logins. The write-up walks through each step: capturing real-world WebAuthn/CTAP traffic, decoding the USB HID handshake, inspecting the attestation data returned at registration, building a software CTAP2 engine, and driving Chrome's built-in virtual authenticator, which is exposed through the Chrome DevTools Protocol (CDP), to complete a login with no physical security key present. The article closes with mitigations: relying parties should enforce the authenticator signature counter, access to the virtual-authenticator feature over CDP should be restricted, and relying-party-side checks should be tightened so that a software impersonator is detected rather than accepted.
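The sign-counter mitigation the article proposes is a relying-party-side rule from the WebAuthn verification procedure: after registration the RP stores the authenticator's signCount, and on every assertion the new value must strictly exceed the stored one; a repeated or lower value is the signal for a replayed assertion or a cloned authenticator, and a counter that is always zero means the authenticator offers no clone detection at all. The following is an added example, not code from the article or its author: it parses the fixed prefix of authenticatorData (rpIdHash, flags, signCount) and applies that rule, with an optional strict policy that refuses counter-less authenticators. The relying-party ID `example.com`, the sample assertions and the `require_counter` policy flag are assumptions for the demo; signature verification over authenticatorData and the client data hash is treated as a separate step and is not shown.

```python
"""Relying-party-side checks on WebAuthn authenticatorData (added example).

Implements the signature-counter rule from the WebAuthn assertion
verification procedure plus the rpIdHash and user-present checks.
Signature verification is assumed to happen separately and is not shown.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified

# Constructed sample relying-party ID (assumption, not from the article).
RP_ID = "example.com"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def build_authenticator_data(rp_id_hash: bytes, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData blob for the constructed sample assertions."""
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(record: dict, auth_data: bytes, *, require_counter: bool = True,
                    require_uv: bool = False) -> tuple[bool, str]:
    """Apply the RP-side checks for one assertion against a stored credential record.

    record: the RP's stored credential record, at least {"sign_count": int}.
    Returns (accepted, reason). The stored counter is updated only on accept.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != RP_ID_HASH:
        return False, "rpIdHash does not match this relying party"
    if not parsed["flags"] & FLAG_UP:
        return False, "user-present flag not set"
    if require_uv and not parsed["flags"] & FLAG_UV:
        return False, "user verification required but UV flag not set"

    new, stored = parsed["sign_count"], record["sign_count"]
    if new != 0 or stored != 0:
        # Counter in use: it must strictly increase. A repeated or lower value
        # means a replayed assertion or a second copy of the private key.
        if new <= stored:
            return False, (f"signCount {new} did not exceed stored {stored}: "
                           "possible replay or cloned authenticator")
        record["sign_count"] = new
        return True, "accepted"

    # Both zero: the authenticator reports no counter, so clone detection is
    # impossible. The strict policy (an assumed RP choice) rejects such credentials.
    if require_counter:
        return False, "authenticator does not implement a signature counter"
    return True, "accepted without counter (clone detection unavailable)"


def demo() -> list[tuple[bool, str]]:
    """Run the constructed scenarios and return their outcomes in order."""
    record = {"sign_count": 4}
    fresh = build_authenticator_data(RP_ID_HASH, FLAG_UP | FLAG_UV, 5)
    wrong_rp = hashlib.sha256(b"evil.example").digest()
    return [
        check_assertion(record, fresh),                  # counter 4 -> 5: accept
        check_assertion(record, fresh),                  # same bytes replayed: reject
        check_assertion({"sign_count": 0},
                        build_authenticator_data(RP_ID_HASH, FLAG_UP, 0)),          # strict: reject
        check_assertion({"sign_count": 0},
                        build_authenticator_data(RP_ID_HASH, FLAG_UP, 0),
                        require_counter=False),                                     # lenient: accept
        check_assertion({"sign_count": 0},
                        build_authenticator_data(wrong_rp, FLAG_UP, 1)),            # wrong RP: reject
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

The second scenario is the replay the article describes: identical assertion bytes presented twice. With counter enforcement the RP rejects it purely on state it already holds, before any signature check. The strict `require_counter` policy is the trade-off an RP has to decide on, since some legitimate platform authenticators report a constant zero counter.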