Detecting Compromise of Passkey Storage on the Cloud
- Mazharul Islam, University of Wisconsin—Madison
FIDO synced passkeys address account recovery challenges by enabling users to back up their FIDO2 private signing keys to the cloud storage of passkey management services (PMS). However, this introduces a serious security risk: attackers can steal users’ passkeys by breaching a PMS’s cloud storage. Unfortunately, existing defenses cannot eliminate this risk without reintroducing account recovery challenges or disrupting users’ daily account login routines. In this paper, we present CASPER, the first passkey breach detection framework that enables web service providers to detect the abuse of passkeys leaked from a PMS in unauthorized login attempts. Our analysis shows that CASPER provides compelling detection effectiveness, even against knowledgeable attackers who strategically optimize their attacks to evade CASPER’s detection. We also show how CASPER can be seamlessly integrated into the existing passkey backup, synchronization, and authentication processes, with only minimal impact on user experience, negligible performance overhead, and minimal deployment and storage complexity for the participating parties.
Speaker bio
Mazharul Islam is a security software engineer at Uber, working on the authentication and authorization platform. He recently earned his PhD from the University of Wisconsin–Madison under the supervision of Prof. Rahul Chatterjee, and holds a bachelor’s degree from BUET. His PhD thesis focused on safeguarding online authentication systems—such as passwords and passkeys—from various attacks. His work combines techniques from applied machine learning and cryptography to address pressing security and privacy challenges that users face today. During his PhD, Mazharul published four papers at USENIX Security, as well as papers at IEEE EuroS&P and IEEE SecDev. He was also the recipient of the Computer, Data & Information Sciences (CDIS) Wang Fellowship at UW-Madison.