2025-12-13 – Clappy Monkey Track
Passkeys are increasingly offered as a means of user authentication by companies and government services. Because they are the exciting new thing, reports of passkey compromises appear occasionally; the majority of these are downgrade attacks (pushing the user or the service back onto a weaker authentication method) rather than attacks on passkey authentication itself.
This talk discusses what passkeys do and do not intend to protect against, and then presents a threat model for passkeys, showing where implementers can get it wrong (and have) and thereby undermine the security goals of passkeys. It will also present attacks that are currently theoretical but may be seen in the future as attackers' current techniques stop working.
So, after mapping the attacks and mitigations, what does ‘doing it right’ actually look like? In the closing section, I’ll cover the UK National Cyber Security Centre’s programme to drive secure passkey roll-out at pace across government and industry—and how the community can feed in.
This will be a reasonably technical talk that starts by setting up the need for a move away from passwords, using data from NCSC and others (hopefully including a release of new stats). A large portion of the talk will go through the threat model for passkeys, mapping existing attacks to it and hypothesising and demonstrating attacks that have not yet been seen in the wild, but could be as passkeys become more popular and start frustrating existing attacker tradecraft.
I will then spend the last part of the talk describing the work NCSC is doing on passkeys to accelerate their adoption, and how people can get involved.
Dave C is the Tech Director for Platforms Research at the UK National Cyber Security Centre. Dave started his career in cyber security consulting, working over the years in pentesting, research, forensics, blue team, and finally strategy. Feeling the call of public service, Dave joined NCSC, where he leads the teams researching commodity tech and is overall lead for NCSC's work accelerating the UK adoption of passkeys.
