USENIX Security 2026

The State of Passkeys: Studying the Adoption and Security of Passkeys on the Web

Louis Jannett, Andreas Mayer, Maximilian Westers, Vladislav Mladenov, Christian Mainka, Jörg Schwenk

Abstract

Passkeys provide a secure and phishing-resistant authentication method based on FIDO2 and WebAuthn. They have recently gained popularity, with an increasing number of websites adopting them. Nevertheless, a comprehensive security analysis that evaluates such websites at scale has not been fully addressed. We present PASSKEYS-RADAR, a continuously updated dataset that tracks the deployment of passkeys on the Internet since 2021. To build this dataset, we aggregated diverse sources, including community directories, Tranco 1M, CrUX 18M, and historic Internet archive data. We analyzed the collected data of 872 passkey-enabled websites and shed light on how passkeys are implemented and managed. We identify major differences in how websites allow users to add or delete passkeys and find that websites request authenticators to use deprecated cryptographic algorithms. To perform a comprehensive security evaluation of passkey-enabled websites, we developed PASSKEYS-ATTACKER. The tool allows for precise manipulation of WebAuthn messages at every step of the protocol and integrates 15 attack types, of which 10 were not covered in previous work. Among them, 2 attack types have critical CVSS scores. We discovered them on 18 out of 103 evaluated websites. These attacks take over user accounts, delete their passkeys, or lock them out of their accounts. Nearly half of the tested sites (53) were vulnerable to at least one attack with a high CVSS score, exposing users to threats such as phishing and session fixation.

[Figure: WebAuthn passkey registration flow between User, Relying Party, Client, and Authenticator. The relying party answers "Register passkey" with creationOptions (rp id, rp name, user id, user name, challenge); the client calls the WebAuthn API with these options; the authenticator is asked for an attestation over hash(clientData), rp id & name, and user id & name.]
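The registration flow in the figure ends with the relying party verifying what the client and authenticator return; the checks that make the ceremony phishing- and session-fixation-resistant are that the challenge is the one bound to the current session, that the origin reported by the browser is the relying party's own, and that rpIdHash matches the RP ID. As an added illustration, not code from the paper or from PASSKEYS-ATTACKER, the following Python performs those relying-party checks on a constructed registration response; RP_ID, EXPECTED_ORIGIN and the sample challenge are assumed values, and parsing of the attested credential data and attestation statement is omitted.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party configuration for this example (constructed, not from the paper).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
# Challenge the relying party generated and stored in the session before the WebAuthn API call.
SESSION_CHALLENGE = b"constructed-random-challenge-32b"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_registration(client_data_json: bytes, auth_data: bytes, session_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON and authenticatorData of a registration response."""
    try:
        c = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if c.get("type") != "webauthn.create":
        return False, "wrong ceremony type"
    # The challenge must be the one bound to this session; a stale or externally chosen one is rejected.
    if not hmac.compare_digest(b64url_decode(c.get("challenge", "")), session_challenge):
        return False, "challenge mismatch"
    # The origin is filled in by the browser, not the page; this is the phishing-resistance check.
    if c.get("origin") != EXPECTED_ORIGIN:
        return False, f"unexpected origin {c.get('origin')!r}"
    if len(auth_data) < 37:  # rpIdHash (32) + flags (1) + signCount (4)
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match our RP ID"
    if not flags & 0x01:  # UP: user presence
        return False, "user presence flag not set"
    return True, "ok"


def make_sample(challenge: bytes, origin: str, rp_id: str) -> tuple[bytes, bytes]:
    """Build a constructed registration response: clientDataJSON plus minimal authenticatorData."""
    client_data = json.dumps({"type": "webauthn.create", "challenge": b64url(challenge), "origin": origin}).encode()
    flags = 0x01 | 0x04  # UP and UV set
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
    return client_data, auth_data
```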