
Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11


Abstract(s)

FIDO2’s passkey aims to provide a passwordless authentication solution. It relies on two main protocols, WebAuthn and CTAP2, for authentication in computer systems, relieving users from the burden of using and managing passwords. FIDO2’s passkey leverages asymmetric cryptography to create a unique public/private key pair for website authentication. While the public key is kept at the website/application, the private key is created and stored on the authentication device designated as the authenticator. The authenticator can be the computer itself (same-device signing) or another device (cross-device signing), such as an Android smartphone that connects to the computer through a short-range communication method (NFC, Bluetooth). Authentication is performed by the user unlocking the authenticator device. In this paper, we report on the digital forensic artifacts left on Windows 11 systems by registering and using passkeys to authenticate on websites. We show that digital artifacts are created in the Windows Registry and the Windows Event Log. These artifacts enable the precise dating and timing of passkey registration, as well as the usage and identification of the websites on which they have been activated and utilized. We also identify digital artifacts created when Android smartphones are registered and used as authenticators in a Windows system. This can prove useful in detecting the existence of smartphones linked to a given individual.

Description

CCS CONCEPTS: Security and privacy → Systems security; Applied computing → Evidence collection, storage and analysis.
This research was partially supported under the UIDB 04524/2020 project by FCT/MCTES and EU funds under the UIDB/EEA 50008/2020 project and the LA/P/0109/2020 project. The authors thank the anonymous reviewers for their insightful comments and suggestions.

Keywords

Digital Forensics; Passkeys; FIDO2; Windows 11; Windows Registry; Windows Event Log

Citation

Domingues, P., Frade, M., & Negrão, M. (2024). Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. In Availability, Reliability and Security (ARES 2024): The 19th International Conference on Availability, Reliability and Security, 30 July 2024 - 2 August 2024 (Issue 34). Association for Computing Machinery (ACM). https://doi.org/10.1145/3664476.3664496
