
Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11

Domingues, P.; Frade, M. F.; Negrão, M.

Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11, Proc. International Conference on Availability, Reliability and Security (ARES), SBA Research, Vienna, Austria, July 2024.

Digital Object Identifier: 10.1145/3664476.3664496


Abstract
FIDO2 passkeys aim to provide passwordless authentication. They rely on two protocols, WebAuthn (between the website or application and the browser or client) and CTAP2 (between the client and the authenticator), relieving users of the burden of using and managing passwords. A passkey is an asymmetric key pair that is unique to the website for which it was created: the public key is kept by the website or application, while the private key is generated and stored on the device acting as the authenticator. The authenticator can be the computer itself (same-device signing) or another device (cross-device signing), such as an Android smartphone that connects to the computer over a short-range channel (NFC, Bluetooth). To authenticate, the user unlocks the authenticator, which then signs the website's challenge with the private key. In this paper, we report on the digital forensic artifacts left on Windows 11 systems by registering and using passkeys to authenticate on websites. We show that artifacts are created in the Windows Registry and the Windows Event Log. These artifacts allow the date and time of passkey registration and use to be established precisely, and they identify the websites on which passkeys were registered and used. We also identify the artifacts created when Android smartphones are registered and used as authenticators on a Windows system; these can help detect the existence of smartphones linked to a given individual.