Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11
Main author: | Domingues, Patricio |
---|---|
Publication date: | 2024 |
Other authors: | Frade, Miguel; Negrão, Miguel |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Full text: | http://hdl.handle.net/10400.8/9877 |
Abstract: | CCS CONCEPTS: Security and privacy → Systems security; Applied computing → Evidence collection, storage and analysis. |
id |
RCAP_d6bcc72dacc596908443607bc8b8d543 |
---|---|
oai_identifier_str |
oai:iconline.ipleiria.pt:10400.8/9877 |
network_acronym_str |
RCAP |
network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str |
7160 |
spelling |
Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11
Digital Forensics; Passkeys; FIDO2; Windows 11; Windows Registry; Windows Event Log
CCS CONCEPTS: Security and privacy → Systems security; Applied computing → Evidence collection, storage and analysis.
This research was partially supported under the UIDB 04524/2020 project by FCT/MCTES and EU funds under the UIDB/EEA 50008/2020 project and the LA/P/0109/2020 project. The authors thank the anonymous reviewers for their insightful comments and suggestions.
FIDO2’s passkey aims to provide a passwordless authentication solution. It relies on two main protocols – WebAuthn and CTAP2 – for authentication in computer systems, relieving users from the burden of using and managing passwords. FIDO2’s passkey leverages asymmetric cryptography to create a unique public/private key pair for website authentication. While the public key is kept at the website/application, the private key is created and stored on the authentication device designated as the authenticator. The authenticator can be the computer itself – same-device signing –, or another device – cross-device signing –, such as an Android smartphone that connects to the computer through a short-range communication method (NFC, Bluetooth). Authentication is performed by the user unlocking the authenticator device. In this paper, we report on the digital forensic artifacts left on Windows 11 systems by registering and using passkeys to authenticate on websites. We show that digital artifacts are created in Windows Registry and Windows Event Log. These artifacts enable the precise dating and timing of passkey registration, as well as the usage and identification of the websites on which they have been activated and utilized. We also identify digital artifacts created when Android smartphones are registered and used as authenticators in a Windows system. This can prove useful in detecting the existence of smartphones linked to a given individual.
Association for Computing Machinery (ACM); IC-Online; Domingues, Patricio; Frade, Miguel; Negrão, Miguel
2024-08-01T11:19:44Z; 2024-07-30; 2024-07-26T10:27:01Z; 2024-07-30T00:00:00Z; conference object; info:eu-repo/semantics/publishedVersion; application/pdf; http://hdl.handle.net/10400.8/9877; eng
Domingues, P., Frade, M., & Negrão, M. (2024). Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. In Availability, Reliability and Security (ARES 2024): The 19th International Conference on Availability, Reliability and Security, 30 July 2024 - 2 August 2024 (Issue 34). Association for Computing Machinery (ACM). https://doi.org/10.1145/3664476.3664496
979-8-4007-1718-5; cv-prod-4120421; https://doi.org/10.1145/3664476.3664496; info:eu-repo/semantics/openAccess
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos); instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; instacron:RCAAP
2024-09-26T18:29:20Z; oai:iconline.ipleiria.pt:10400.8/9877; Portal Agregador; ONG; https://www.rcaap.pt/oai/openaire; mluisa.alvim@gmail.com; opendoar:7160; 2024-09-26T18:29:20
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; false |
dc.title.none.fl_str_mv |
Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11 |
author |
Domingues, Patricio |
author_facet |
Domingues, Patricio Frade, Miguel Negrão, Miguel |
author_role |
author |
author2 |
Frade, Miguel Negrão, Miguel |
author2_role |
author author |
dc.contributor.none.fl_str_mv |
IC-Online |
dc.contributor.author.fl_str_mv |
Domingues, Patricio Frade, Miguel Negrão, Miguel |
dc.subject.por.fl_str_mv |
Digital Forensics Passkeys FIDO2 Windows 11 Windows Registry Windows Event Log |
description |
CCS CONCEPTS: Security and privacy → Systems security; Applied computing → Evidence collection, storage and analysis. |
publishDate |
2024 |
dc.date.none.fl_str_mv |
2024-08-01T11:19:44Z 2024-07-30 2024-07-26T10:27:01Z 2024-07-30T00:00:00Z |
dc.type.driver.fl_str_mv |
conference object |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
status_str |
publishedVersion |
dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/10400.8/9877 |
dc.language.iso.fl_str_mv |
eng |
dc.relation.none.fl_str_mv |
Domingues, P., Frade, M., & Negrão, M. (2024). Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. In Availability, Reliability and Security (ARES 2024): The 19th International Conference on Availability, Reliability and Security, 30 July 2024 - 2 August 2024 (Issue 34). Association for Computing Machinery (ACM). https://doi.org/10.1145/3664476.3664496 979-8-4007-1718-5 cv-prod-4120421 https://doi.org/10.1145/3664476.3664496 |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.publisher.none.fl_str_mv |
Association for Computing Machinery (ACM) |
dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
instacron_str |
RCAAP |
institution |
RCAAP |
reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
repository.mail.fl_str_mv |
mluisa.alvim@gmail.com |
_version_ |
1817547305994158080 |