HiPass: Hijacking CTAP in Passkey Authentication
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/11005460/ |
| Summary: | Passkeys are designed to enhance the security and convenience of authentication by leveraging Fast Identity Online (FIDO) and Web Authentication (WebAuthn) protocols and utilizing credential information stored on user devices to securely complete the authentication process. This study explores the potential for Man-in-the-Middle (MitM) attacks during the Passkey authentication process using the Client-to-Authenticator Protocol (CTAP). We applied existing MitM attack techniques to the Passkey authentication process and analyzed the outcomes. Through this analysis, we developed a scenario in which an attacker can use the victim’s Passkey to log into the attacker’s PC and explained why such an attack is feasible. Our implementation successfully hijacked the victim’s session during the CTAP process by connecting the victim’s authenticator to the attacker’s PC via Bluetooth, thereby gaining access to the victim’s account. By demonstrating the feasibility of this attack, our study highlights the need for more robust security measures in future implementations of FIDO and WebAuthn, which constitute the foundational technologies of Passkeys. |
| ISSN: | 2169-3536 |