Passkeys Pwned - Turning WebAuthn Against Itself

DEFCONConference via YouTube

Overview

Explore critical security vulnerabilities in passkey authentication systems through this DEF CON 33 conference talk that exposes how attackers can exploit WebAuthn API calls to compromise what many consider the future of secure authentication. Learn how security researchers demonstrate the ability to proxy WebAuthn API calls to forge both passkey registration and authentication responses, using browser extensions as attack vectors while highlighting broader implications for any website susceptible to client-side script injection vulnerabilities like XSS or misconfigured widgets.

Discover the underlying theoretical framework behind these attacks, examine actual exploit code, and witness live demonstrations showing successful compromises of sites that rely on passkeys without proper attestation or metadata verification, a widespread implementation pattern among major vendors. Gain insights into the security gaps that exist in current passkey implementations from Apple, Google, Microsoft and other major technology companies, understanding why these authentication methods, despite their promise to replace traditional passwords, may not be as resilient as initially believed.

Understand the critical importance of proper attestation enforcement and metadata checks in WebAuthn implementations, and see firsthand the attack methodologies that reveal the hidden vulnerabilities in passkey authentication flows that most security professionals and developers never encounter in normal operations.

Syllabus

DEF CON 33 - Passkeys Pwned: Turning WebAuthn Against Itself - S Pratap Singh, J Lin, D Seetoh

Taught by

DEFCONConference
