Detecting Compromise of Passkey Storage on the Cloud

Channel:
Microsoft Research
Subscribers:
351,000
Published on ● Video Link: https://www.youtube.com/watch?v=8NLhFDvde78


Duration: 0:00
252 views
11

FIDO synced passkeys address account recovery challenges by enabling users to back up their FIDO2 private signing keys to the cloud storage of passkey management services (PMS). However, it introduces a serious security risk — attackers can steal users' passkeys through breaches of PMS's cloud storage. Unfortunately, existing defenses cannot eliminate this risk without reintroducing account recovery challenges or disrupting users' daily account login routines. In this paper, we present CASPER, the first passkey breach detection framework that enables web service providers to detect the abuse of passkeys leaked from PMS for unauthorized login attempts. Our analysis shows that CASPER provides compelling detection effectiveness, even against knowledgeable attackers who strategically optimize their attacks to evade CASPER's detection. We also show how CASPER can be seamlessly integrated into the existing passkey backup, synchronization, and authentication processes, with only minimal impact on user experience, negligible performance overhead, and minimum deployment and storage complexity for the participating parties.

Speaker: Mazharul Islam (University of Wisconsin—Madison)



Other Videos By Microsoft Research


3 days agoDetecting Compromise of Passkey Storage on the Cloud
4 days agoEncrypted Access Logging for Online Accounts: Device Attributions without Device Tracking
5 days agoMicrosoft Research India - The evolution
5 days agoMicrosoft Research India - The lab culture
2025-09-24Understanding How Users Prepare for and React to Smartphone Theft
2025-09-24When LLMs Go Online: The Emerging Threat of Web-Enabled LLMs
2025-09-24A Formal Analysis of Apple’s iMessage PQ3 Protocol
2025-09-24Email Spoofing with SMTP Smuggling: How the Shared Email Infrastructures Magnify this Vulnerability
2025-09-24A Framework for Abusability Analysis: The Case of Passkeys in Interpersonal Threat Models
2025-09-24‘Hey mum, I dropped my phone down the toilet’: Investigating Hi Mum and Dad SMS Scams in the UK
2025-09-24Dehumanizing machines: Making sense of AI systems that seem human
2025-09-24Scalable emulation of protein equilibrium ensembles with BioEmu
2025-09-24Disrupting the AI infrastructure with MicroLEDs
2025-09-24Dion: The distributed orthonormal update revolution is here
2025-09-24Pushing boundaries of complex reasoning in small language models
2025-09-22zk-promises: Anonymous Moderation, Reputation, & Blocking from Anonymous Credentials with Callbacks
2025-09-22More is Less: Extra Features in Contactless Payments Break Security
2025-09-18Sub-Population Identification of Multi-morbidity in Sub-Saharan African Populations
2025-09-03Echoes in GenAI generations
2025-08-27Six Years of Rowhammer: Breakthroughs and Future Directions
2025-08-25Sub-Population Identification of Multi-morbidity in Sub-Saharan African Populations