BSides London 2025

Dave C - NCSC UK

Dave C is the Tech Director for Platforms Research at the UK National Cyber Security Centre. Dave started his career in cyber security consulting, working over the years in pentesting, research, forensics, blueteam, and finally strategy. Feeling the call of public service, Dave joined NCSC where he leads the teams researching commodity tech, and is overall lead for NCSC's work accelerating the UK adoption of passkeys.
Session

12-13
10:00
45min
A technical evaluation of real-world passkey security: why they’re the best chance we have
Dave C - NCSC UK

Passkeys are increasingly offered as a means of user authentication by companies and government services. Because they are the exciting new thing, there are occasional reports of passkey compromises, the majority of which are downgrade attacks rather than attacks on passkey authentication itself.

This talk discusses what passkeys do and do not intend to protect against, and then presents a threat model for passkeys and where implementers can get it wrong (and have), thereby undermining the security goals of passkeys. It will also present attacks that are currently theoretical but may be seen in the future as attackers' current techniques stop working.

So, after mapping the attacks and mitigations, what does ‘doing it right’ actually look like? In the closing section, I’ll cover the UK National Cyber Security Centre’s programme to drive secure passkey roll-out at pace across government and industry—and how the community can feed in.

Main talk track
Clappy Monkey Track