A Framework for Abusability Analysis: The Case of Passkeys in Interpersonal Threat Models

Channel:
Microsoft Research
Subscribers:
351,000
Published on ● Video Link: https://www.youtube.com/watch?v=TjB-KD62WXc


Duration: 0:00
113 views
5

The recent rollout of passkeys by hundreds of web services online is the largest attempt yet to achieve the goal of passwordless authentication. However, new authentication mechanisms can often overlook the unique threats faced by at-risk users, such as survivors of intimate partner violence, human trafficking, and elder abuse. Such users face interpersonal threats: adversaries who routinely have physical access to devices and either know or can compel disclosure of passwords or PINs. The extent to which passkeys enable or mitigate such interpersonal threats has not yet been explored. We perform the first analysis of passkeys in interpersonal threat models. To do so, we introduce an abusability analysis framework to help practitioners and researchers identify ways in which new features can be exploited in interpersonal threat models. We then apply our framework to the setting of passkeys, ultimately investigating 19 passkey-supporting services. We identify a variety of abuse vectors that allow adversaries to use passkeys to cause harm in interpersonal settings. In the most egregious cases, flawed implementations of major passkey-supporting services allow ongoing illicit adversarial access with no way for a victim to restore security of their account. We also discover abuse vectors that prevent users from accessing their accounts or that help attackers emotionally manipulate (gaslight) users.

Speaker: Alaa Daffalla (Cornell University)



Other Videos By Microsoft Research


2025-09-24Understanding How Users Prepare for and React to Smartphone Theft
2025-09-24When LLMs Go Online: The Emerging Threat of Web-Enabled LLMs
2025-09-24A Formal Analysis of Apple’s iMessage PQ3 Protocol
2025-09-24Email Spoofing with SMTP Smuggling: How the Shared Email Infrastructures Magnify this Vulnerability
2025-09-24A Framework for Abusability Analysis: The Case of Passkeys in Interpersonal Threat Models
2025-09-24‘Hey mum, I dropped my phone down the toilet’: Investigating Hi Mum and Dad SMS Scams in the UK
2025-09-24Dehumanizing machines: Making sense of AI systems that seem human
2025-09-24Scalable emulation of protein equilibrium ensembles with BioEmu
2025-09-24Disrupting the AI infrastructure with MicroLEDs
2025-09-24Dion: The distributed orthonormal update revolution is here
2025-09-24Pushing boundaries of complex reasoning in small language models
2025-09-22zk-promises: Anonymous Moderation, Reputation, & Blocking from Anonymous Credentials with Callbacks
2025-09-22More is Less: Extra Features in Contactless Payments Break Security
2025-09-18Sub-Population Identification of Multi-morbidity in Sub-Saharan African Populations
2025-09-03Echoes in GenAI generations
2025-08-27Six Years of Rowhammer: Breakthroughs and Future Directions
2025-08-25Sub-Population Identification of Multi-morbidity in Sub-Saharan African Populations
2025-08-19MindJourney: Test-Time Scaling with World Models for Spatial Reasoning
2025-08-11Medical Bayesian Kiosk (2010)
2025-08-07Reimagining healthcare delivery and public health with AI
2025-08-05VeriTrail: Detect hallucination and trace provenance in AI workflows