How to Use This Platform

Learn how to navigate the passkey learning platform and solve challenges.

Overview

This platform allows you to analyze different passkey registration and authentication flows. The website provides a community platform for sharing, discussing, and rating various national flags. Your goal is to understand how (secure) passkeys are integrated into the registration and login processes.

Instances

The website uses isolated instances to ensure your work doesn't interfere with others:

  • By default, you are assigned to a new instance with its own isolated database and user accounts.
  • Resetting your instance:
    • Navigate to Instance Reset in the navigation bar.
    • This restores the instance to its initial default state.
  • When using multiple browser profiles:
    • Use the same instance ID across all profiles.
    • Switch to your instance ID after opening a new browser profile.

Verifiers

Verifiers control how the passkey registration and authentication flows behave:

  • Overview: All verifiers are available at /verifiers.
  • Targets: There are separate verifiers for registration and authentication flows.
  • Types: Each flow has two types of verifiers:
    • Demo verifiers: Secure implementations that demonstrate specific features or behaviors of passkeys.
    • Security verifiers: Intentionally vulnerable implementations that miss certain security checks or validations.
  • Switching verifiers: You can switch between verifiers in two ways:
    • Select from the dropdown menu on the registration or authentication pages.
    • Navigate directly via /verifiers.

Solving Security Verifiers

  • Exploit the missing security checks or validations.
  • Successful exploitation displays confetti and a special national flag.
  • Unless stated otherwise, submit the following as your solution:
    • The country of the displayed flag, e.g., "Papua New Guinea".
    • A short explanation of how you exploited the vulnerability (steps to reproduce).

Help: Each verifier includes a description of its purpose and hints for solving security challenges.

Tooling

Passkeys use custom CBOR structures and binary data formats that require specialized tools:

  • Available tools: Access our passkey analysis tools at https://passkeys.tools. You may use other tools as well, but all tasks can be solved using only passkeys.tools.
  • Setup:
    • Read the information and instructions on the website carefully.
    • Follow the "Cross-Browser Mode Setup" in the "Getting Started" section to use the tool across different browser profiles.
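
The binary layout mentioned above, as an added example (not code from this platform or from passkeys.tools): a minimal JavaScript parser for the WebAuthn authenticator data structure, showing the fixed header and where the CBOR-encoded part begins. The sample bytes are constructed placeholders, and rejecting trailing bytes when neither the AT nor the ED flag is set is a strictness choice of this example.

```javascript
// Added example: parse WebAuthn authenticator data (binary header plus CBOR tail).
// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
const FLAG_BITS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = {};
  for (const [name, bit] of Object.entries(FLAG_BITS)) {
    flags[name] = (bytes[32] & bit) !== 0;
  }
  const rest = bytes.subarray(37);
  const result = { rpIdHash: toHex(bytes.subarray(0, 32)), flags, signCount: view.getUint32(33, false) };
  // Strictness chosen for this example: bytes after the header need AT or ED set.
  if (!flags.AT && !flags.ED && rest.length !== 0) {
    throw new RangeError("trailing bytes but neither AT nor ED flag is set");
  }
  if (flags.AT) {
    // Attested credential data: aaguid (16) | credentialIdLength (2, big-endian) | credentialId | COSE key (CBOR)
    if (rest.length < 18) throw new RangeError("truncated attested credential data");
    const idLen = view.getUint16(37 + 16, false);
    if (rest.length < 18 + idLen) throw new RangeError("truncated credential ID");
    result.aaguid = toHex(rest.subarray(0, 16));
    result.credentialId = toHex(rest.subarray(18, 18 + idLen));
    result.cborTail = rest.subarray(18 + idLen); // COSE public key (+ extensions), not decoded here
  }
  return result;
}

// Constructed sample (not a real credential): registration-style authenticator data.
const constructedSample = new Uint8Array(37 + 16 + 2 + 4 + 3);
constructedSample.fill(0x11, 0, 32); // placeholder rpIdHash
constructedSample[32] = 0x45; // UP | UV | AT
constructedSample.set([0, 0, 0, 7], 33); // signCount = 7
constructedSample.fill(0xaa, 37, 53); // placeholder AAGUID
constructedSample.set([0x00, 0x04], 53); // credentialIdLength = 4
constructedSample.set([0xde, 0xad, 0xbe, 0xef], 55); // credential ID
constructedSample.set([0xa1, 0x01, 0x02], 59); // placeholder CBOR map standing in for the COSE key

console.log(parseAuthenticatorData(constructedSample));
```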

Security Best Practices

  • Only use the tools for this exercise or other development/testing purposes.
  • DO NOT store your real production passkeys in these tools.
  • Use a separate testing-only browser that is not used for any other purposes.
    • Example: Install and use a separate nightly build of Google Chrome Canary.