A Framework for Abusability Analysis: The Case of Passkeys in Interpersonal Threat Models

Authors:

Alaa Daffalla and Arkaprabha Bhattacharya, Cornell University; Jacob Wilder, Independent Researcher; Rahul Chatterjee, University of Wisconsin—Madison; Nicola Dell, Cornell Tech; Rosanna Bellini, New York University; Thomas Ristenpart, Cornell Tech

This paper is currently under embargo, but the paper abstract is available now. The final paper PDF will be available on the first day of the conference.

Abstract:

The recent rollout of passkeys by hundreds of web services online is the largest attempt yet to achieve the goal of passwordless authentication. However, new authentication mechanisms can often overlook the unique threats faced by at-risk users, such as survivors of intimate partner violence, human trafficking, and elder abuse. Such users face interpersonal threats: adversaries who routinely have physical access to devices and either know or can compel disclosure of passwords or PINs. The extent to which passkeys enable or mitigate such interpersonal threats has not yet been explored. We perform the first analysis of passkeys in interpersonal threat models. To do so, we introduce an abusability analysis framework to help practitioners and researchers identify ways in which new features can be exploited in interpersonal threat models. We then apply our framework to the setting of passkeys, ultimately investigating 19 passkey-supporting services. We identify a variety of abuse vectors that allow adversaries to use passkeys to cause harm in interpersonal settings. In the most egregious cases, flawed implementations of major passkey-supporting services allow ongoing illicit adversarial access with no way for a victim to restore security of their account. We also discover abuse vectors that prevent users from accessing their accounts or that help attackers emotionally manipulate (gaslight) users.