Friday June 26, 2026 11:30am - 12:15pm CEST
WebAuthn was supposed to replace passwords on the web: uniform, secure, manageable authentication for everyone! One of its unique selling points was supposed to be the impossibility of phishing attacks. When Passkeys were introduced, some of WebAuthn's security principles were watered down in order to achieve some usability improvements and thus reach more widespread adoption.

This presentation discusses the security of Passkeys against phishing attacks. It explains the possibilities for an attacker to gain access to accounts secured with Passkeys using spear phishing, and what conditions must be met for this to happen. It also practically demonstrates such an attack and discusses countermeasures.

Participants will learn which WebAuthn security principles still apply to Passkeys and which do not. They will learn why Passkeys are no longer completely phishing-proof and how they can evaluate this consideration for their own use of Passkeys.
Speakers
Michael Kuckuk

Fullstack Developer, inovex

As a fullstack software developer, Michael's main expertise lies in simple software development. But since he is well aware that the happy path is the easy part, he's always had an interest in security and he's always been very security- and privacy-aware in his work. He enjoys developing...
Hall D (Level -2)
