PasskeyScanner: A Kroll BurpSuite Extension for Passkeys

What Are Passkeys?

Passkeys use public key cryptography to authenticate users. This allows the secret key to be stored on a user’s mobile or laptop device without being exposed to another party. Access to the secret key involves verifying a user, typically by a biometric, such as fingerprint or faceprint. After verification, the device uses a cryptographic protocol to authenticate the user.

Passkeys have a number of specific properties that are critical to achieving this standard of security:

• They are built on established standards scrutinized by security professionals and attackers, providing full security assurance.
• They have been adopted by the major platform vendors (Apple, Google and Microsoft), which provide backup and cross-device synchronization. If a user loses their device, they don’t lose access to all their accounts. Adoption by these vendors also means that most modern consumer devices will have access to Passkeys.
• The use of public key cryptography means that services hold a user’s public key rather than a shared secret, such as a password. If a service is breached, the user is not at risk of having their credentials stolen and leaked.
• Passkeys bind public keys to website domains, so only the site that issued the credential can use it to authenticate. This makes Passkeys extremely resistant to phishing.
• Users are presented with a simple dialog that enables them to choose their account and then asks them for a (biometric) verification.

Figure 2: The Passkey dialog allows the user to choose an account and complete Face ID verification

Core Passkey Technology

Passkey technology has three facets that are all related and are often confused with each other:

• Web Authentication (WebAuthN) is the communication specification (or API) used to perform the authentication ceremony. It defines the messages passed between web servers (also known as Relaying Parties), web scripts running in the browser and calls to the browser APIs. The browser APIs expose two functions that are WebAuthN:
  • Authenticate (navigator.credentials.get()) — used to authenticate the user.
  • Create Passkey (navigator.credentials.create()) — used to create a new Passkey credential for a user.
• FIDO2 is the full set of authentication technologies. It includes WebAuthN and continues deeper into the technology stack to include how the browser or operating system selects and communicates with any available authenticators
• Passkeys are the implementation of FIDO2 by the major platform vendors, agreed upon by the FIDO alliance. The agreement to implement FIDO2 on these platforms allows for strong cross-platform authentication, which is available (or will soon be available) for most users. Passkeys also includes account-based recovery and credential syncing across devices, eliminating significant usability challenges that limited prior technologies.

“Passkeys” is preferred over “FIDO2” when the terms can be interchanged because the adoption by the major vendors is a key to Passkey’s success, and the term is more user-friendly.

Introducing Kroll PasskeyScanner

Passkeys have been adopted by the major platform vendors, incentivizing application developers to build Passkeys into their applications. Vendors such as Adobe, Amazon, Best Buy, GitHub, Google, PayPal, Shopify and TikTok have already deployed Passkey authentication.

Kroll’s Offensive Security team provides penetration testing and other offensive security assessments to clients globally. To ensure that we are equipped to properly assess Passkeys, we have developed proprietary methodology and tooling.

As part of this, we created a BurpSuite extension called PasskeyScanner that helps our security consultants evaluate implementations of Passkeys. This plugin is freely available in the Portswigger Bapp Store to contribute some of our efforts to the community. We also presented a talk at a HackFest event where we released this plugin and gave a more detailed overview of the Passkeys attack surface.