Publication
Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11
| dc.contributor.author | Domingues, Patricio | |
| dc.contributor.author | Frade, Miguel | |
| dc.contributor.author | Negrão, Miguel | |
| dc.date.accessioned | 2024-08-01T11:19:44Z | |
| dc.date.available | 2024-08-01T11:19:44Z | |
| dc.date.issued | 2024-07-30 | |
| dc.date.updated | 2024-07-26T10:27:01Z | |
| dc.description | CCS CONCEPTS: Security and privacy → Systems security; Applied computing → Evidence collection, storage and analysis. | pt_PT |
| dc.description | This research was partially supported under the UIDB 04524/2020 project by FCT/MCTES and EU funds under the UIDB/EEA 50008/2020 project and the LA/P/0109/2020 project. The authors thank the anonymous reviewers for their insightful comments and suggestions. | pt_PT |
| dc.description.abstract | FIDO2’s passkey aims to provide a passwordless authentication solution. It relies on two main protocols – WebAuthn and CTAP2 – for authentication in computer systems, relieving users from the burden of using and managing passwords. FIDO2’s passkey leverages asymmetric cryptography to create a unique public/private key pair for website authentication. While the public key is kept at the website/application, the private key is created and stored on the authentication device designated as the authenticator. The authenticator can be the computer itself – same-device signing –, or another device – cross-device signing –, such as an Android smartphone that connects to the computer through a short-range communication method (NFC, Bluetooth). Authentication is performed by the user unlocking the authenticator device. In this paper, we report on the digital forensic artifacts left on Windows 11 systems by registering and using passkeys to authenticate on websites. We show that digital artifacts are created in Windows Registry and Windows Event Log. These artifacts enable the precise dating and timing of passkey registration, as well as the usage and identification of the websites on which they have been activated and utilized. We also identify digital artifacts created when Android smartphones are registered and used as authenticators in a Windows system. This can prove useful in detecting the existence of smartphones linked to a given individual. | pt_PT |
| dc.description.version | info:eu-repo/semantics/acceptedVersion | pt_PT |
| dc.identifier.citation | Domingues, P., Frade, M., & Negrão, M. (2024). Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. In Availability, Reliability and Security (ARES 2024): The 19th International Conference on Availability, Reliability and Security, 30 July 2024 - 2 August 2024 (Issue 34). Association for Computing Machinery (ACM). https://doi.org/10.1145/3664476.3664496 | pt_PT |
| dc.identifier.doi | https://doi.org/10.1145/3664476.3664496 | pt_PT |
| dc.identifier.isbn | 979-8-4007-1718-5 | |
| dc.identifier.slug | cv-prod-4120421 | |
| dc.identifier.uri | http://hdl.handle.net/10400.8/9877 | |
| dc.language.iso | eng | pt_PT |
| dc.peerreviewed | yes | pt_PT |
| dc.publisher | Association for Computing Machinery (ACM) | pt_PT |
| dc.relation | Research Center in Informatics and Communications | |
| dc.relation | Instituto de Telecomunicações | |
| dc.relation | Institute of Telecommunications | |
| dc.relation.publisherversion | https://dl.acm.org/doi/10.1145/3664476.3664496 | pt_PT |
| dc.rights.uri | http://creativecommons.org/licenses/by/4.0/ | pt_PT |
| dc.subject | Digital Forensics | pt_PT |
| dc.subject | Passkeys | pt_PT |
| dc.subject | FIDO2 | pt_PT |
| dc.subject | Windows 11 | pt_PT |
| dc.subject | Windows Registry | pt_PT |
| dc.subject | Windows Event Log | pt_PT |
| dc.title | Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11 | pt_PT |
| dc.type | conference object | |
| dspace.entity.type | Publication | |
| oaire.awardTitle | Research Center in Informatics and Communications | |
| oaire.awardTitle | Instituto de Telecomunicações | |
| oaire.awardTitle | Institute of Telecommunications | |
| oaire.awardURI | info:eu-repo/grantAgreement/FCT/6817 - DCRRNI ID/UIDB%2F04524%2F2020/PT | |
| oaire.awardURI | info:eu-repo/grantAgreement/FCT/6817 - DCRRNI ID/UIDB%2F50008%2F2020/PT | |
| oaire.awardURI | info:eu-repo/grantAgreement/FCT/6817 - DCRRNI ID/LA%2FP%2F0109%2F2020/PT | |
| oaire.citation.conferencePlace | ACM, New York, NY, USA | pt_PT |
| oaire.citation.endPage | 10 | pt_PT |
| oaire.citation.issue | 34 | pt_PT |
| oaire.citation.startPage | 1 | pt_PT |
| oaire.citation.title | Availability, Reliability and Security (ARES 2024): The 19th International Conference on Availability, Reliability and Security, July 30 - August 2, 2024, Vienna, Austria. | pt_PT |
| oaire.fundingStream | 6817 - DCRRNI ID | |
| oaire.fundingStream | 6817 - DCRRNI ID | |
| oaire.fundingStream | 6817 - DCRRNI ID | |
| person.familyName | Domingues | |
| person.familyName | Frade | |
| person.familyName | Cerdeira Negrão | |
| person.givenName | Patrício | |
| person.givenName | Miguel | |
| person.givenName | Miguel | |
| person.identifier | 1234758 | |
| person.identifier.ciencia-id | AA15-6185-C477 | |
| person.identifier.ciencia-id | A512-9B28-1CEC | |
| person.identifier.ciencia-id | 3B1A-36E2-B96B | |
| person.identifier.orcid | 0000-0002-6207-6292 | |
| person.identifier.orcid | 0000-0002-4405-7696 | |
| person.identifier.orcid | 0000-0002-6540-3164 | |
| person.identifier.rid | ABH-7711-2020 | |
| person.identifier.scopus-author-id | 13411315400 | |
| person.identifier.scopus-author-id | 24468034000 | |
| project.funder.identifier | http://doi.org/10.13039/501100001871 | |
| project.funder.identifier | http://doi.org/10.13039/501100001871 | |
| project.funder.identifier | http://doi.org/10.13039/501100001871 | |
| project.funder.name | Fundação para a Ciência e a Tecnologia | |
| project.funder.name | Fundação para a Ciência e a Tecnologia | |
| project.funder.name | Fundação para a Ciência e a Tecnologia | |
| rcaap.cv.cienciaid | A512-9B28-1CEC | Miguel Monteiro de Sousa Frade | |
| rcaap.rights | openAccess | pt_PT |
| rcaap.type | conferenceObject | pt_PT |
| relation.isAuthorOfPublication | b88ada5f-0d8b-4e55-ab0a-62aa82ea1388 | |
| relation.isAuthorOfPublication | 95a3fa7a-d37e-45e9-9acb-44c083582fea | |
| relation.isAuthorOfPublication | 27585414-d859-4dc0-9cac-72e03a4407a5 | |
| relation.isAuthorOfPublication.latestForDiscovery | 27585414-d859-4dc0-9cac-72e03a4407a5 | |
| relation.isProjectOfPublication | 67435020-fe0d-4b46-be85-59ee3c6138c7 | |
| relation.isProjectOfPublication | 0836c6a6-afd0-499e-8a16-612dd27ec1dc | |
| relation.isProjectOfPublication | 43215f6c-bfb6-4829-8e75-6096384ce6db | |
| relation.isProjectOfPublication.latestForDiscovery | 43215f6c-bfb6-4829-8e75-6096384ce6db |