Breaking WebAuthn, FIDO2, and Forging Passkeys
Fri Jun 20 2025, authored by vmfunc

Introduction
Passwords are dying—slowly, awkwardly, and not without a fight. Large parts of the internet are already nudging users toward "passkeys", the marketing-friendly name for FIDO2 credentials that live on your phone, security key, or TPM.
In theory passkeys solve phishing and credential-stuffing in one swoop. In practice... they might introduce a shiny new attack surface:
A complex binary protocol (CTAP2) sp...
Read more at nullpt.rs