There is a newer version of the record available.

Published January 30, 2025 | Version v1
Conference proceeding Open

Passkeys in Interpersonal Threat Models: Abusability Analysis of Early Deployments

Contributors

  • 1. Cornell Tech

Description

These are the UI stepthrough protocols accompanying our paper: "Passkeys in Interpersonal Threat Models: Abusability Analysis of Early Deployments". 

We compile all stepthroughs in multiple Excel sheets corresponding to the "abuse vectors" mentioned in our paper. Each Excel sheet contains a Readme file clarifying the client-side configurations and giving a high-level description of the tasks assigned to the analyst in order to realize an abuse vector and carry out an attack. For the gaslighting abuse vector, please refer to our paper, where we include a summary of all account security interfaces (ASIs) across all the services studied and their spoofability (Figure 4). Each row in the sheet corresponds to a service, and all interfaces shown are those of the service. We only include services to which an abuse vector applies. For example, the adversarial passkeys abuse vector requires that a service support multiple passkeys per user account, so we exclude all services that support only a single passkey per account.

Files

Files (170.1 MB)
