Black Hat USA 26

I will be presenting my latest research Pass-the-Passkey Family of Attacks at Black Hat USA 26 in Las Vegas, August 1–6, 2026.

Passkeys are slowly but steadily becoming the norm – and our novel research has shown that several real-world implementations are vulnerable to attacks fundamentally similar to Pass-the-Hash and NTLM Relay. We call this category Pass-the-Passkey.

In the session I will demonstrate:

  • A Passkey implementation in a major cloud service that is vulnerable to the very attacks it was designed to prevent.
  • Past YubiKey signatures stored in cleartext and readable by authenticated unprivileged users – even remote ones.
  • Impersonation of privileged identities while bypassing phishing-resistant MFA enforcement and staying invisible to popular XDR solutions.
  • Passkey phishing, tampering, spoofing, fuzzing, and prompt-flooding techniques – some executable from compromised terminal hosts or VMs, demonstrated against a popular C2 framework.

The WebAuthn specification mandates a 22-step Passkey validation process involving non-trivial cryptography and transactional processing, so making a mistake while implementing the spec is easy – even for companies that co-authored the standard. By open-sourcing our tooling, we aim to help other penetration testers discover many more vulnerabilities stemming from non-compliant Passkey verification.

Also check out the Black Hat Briefings talks and Arsenal presentations of my colleagues from SpecterOps.

See you in Las Vegas!