Session Abstract: Passkeys are promoted as the password killer that will reduce phishing, password reuse, and user frustration with passwords. While passkeys are a significant usability and security improvement over passwords, we are still early in the passkey journey. In this talk, we'll explore how passkeys require both users and services to think differently about managing credentials, and the new risks that come with them, so that attendees can threat model their own passkey deployment scenarios.
Specific issues we’ll cover include:
• Breaking out of the one-credential-per-relying-party (RP) paradigm of credential management, for both users and RPs
• Modeling the impact of passkeys on account recovery
• Shared passwords vs. shared passkeys
• Differences in security controls among passkey providers, including authentication, account recovery, passkey generation, synchronization, and storage at rest