Authentication is crucial to IT security, and passwords - despite their well-known weaknesses - are still the predominant method. Large online services such as Google, Apple, and Microsoft are pushing password-less authentication based on FIDO2. A recent extension of FIDO2 is the so-called passkey, which allows credentials to be synchronized between different devices. This improves usability and is one reason why more and more services support password-less authentication [1]. However, it also introduces new attack possibilities. This thesis shall therefore analyze the security of passkeys. Exemplary research tasks are:
- Analysis and comparison of different synchronization mechanisms on different platforms, e.g., Google, Apple, Bulwark [2]
- Discover potential social engineering attack vectors
- Develop an improved synchronization mechanism focusing on user interaction
[1] https://passkeys.directory/
[2] https://bulwark.id/