- From: Aniket via GitHub <noreply@w3.org>
- Date: Sun, 15 Mar 2026 06:27:48 +0000
- To: public-webauthn@w3.org
aniketd1 has just created a new issue for https://github.com/w3c/webauthn:

== Exploring human-verification layers for endpoint-compromise scenarios in passkey deployments ==

Passkeys provide phishing-resistant authentication and significantly improve security compared to traditional password-based systems.

I have been exploring threat scenarios where the endpoint device itself may be compromised (for example RAT malware, remote session abuse, or malware suppressing notifications). In such situations the attacker may not attempt to break authentication itself but instead attempt to abuse an already authenticated session or attempt device enrollment through recovery mechanisms. In addition, attackers often combine techniques such as phishing or credential stuffing to obtain access to related accounts (for example email accounts) that may be involved in account recovery or device enrollment flows.

To address such scenarios, I am exploring the introduction of a human-verification layer during high-risk actions (for example a visual password challenge) that could help mitigate automated abuse when endpoint compromise is suspected. The intention is not to replace passkeys or existing authenticators, but to explore complementary protections for situations where the device environment cannot be fully trusted.

I am sharing this concept with the WebAuthn community as a potential complementary mechanism for discussion in endpoint-compromise scenarios.

For additional context, please see the published paper:

Deshpande, A. (2026). Neutralizing RAT-Assisted Passkey Hijacking via the Visual Password System (VPS). Indian Journal of Computer Science and Technology (INDJCST). https://doi.org/10.59256/indjcst.20260501025

For context, I have attached a simplified diagram illustrating the scenario.

[Diagram Of Visual password in the Loop.pdf](https://github.com/user-attachments/files/26002047/Diagram.Of.Visual.password.in.the.Loop.pdf)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2396 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 15 March 2026 06:27:50 UTC
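The issue above proposes gating high-risk actions (device enrollment, recovery flows) behind a fresh human-verification step even when the session is already passkey-authenticated. The following is an added illustration of that server-side gating pattern; it is not code from the issue author, the linked paper, or the WebAuthn project. The action names, the endpoint-risk signal names, the 120-second challenge lifetime and the demo verifier are all assumptions made for the example; the issue's "visual password challenge" is represented only as an abstract `verifier` callback, since the issue does not specify how it works.

```python
"""Step-up verification gate for high-risk actions on a possibly compromised endpoint.

Added example (not from the WebAuthn issue or any W3C specification). An
already-authenticated session is not trusted by itself for high-risk actions:
the server issues a challenge bound to the requested action, valid only for a
short window and only once, and runs the action only after the challenge is
answered. A session that carries endpoint-risk signals is challenged even for
ordinary actions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Assumed action names mirroring the issue's examples of enrollment and recovery.
HIGH_RISK_ACTIONS = {"enroll_device", "reset_recovery_method", "change_recovery_email"}
# Assumed names for signals a server might collect about the endpoint.
SUSPICIOUS_SIGNALS = {"remote_control_tool_detected", "notifications_suppressed"}
STEP_UP_TTL_SECONDS = 120  # assumed: a challenge must be answered within this window

Verifier = Callable[[str, Optional[str]], bool]  # (user_id, answer) -> accepted?


@dataclass
class Session:
    session_id: str
    user_id: str
    signals: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # nonce -> (action, issued_at)


def requires_step_up(session: Session, action: str) -> bool:
    """High-risk actions always need step-up; any suspicious signal extends it to all actions."""
    return action in HIGH_RISK_ACTIONS or bool(session.signals & SUSPICIOUS_SIGNALS)


def issue_challenge(session: Session, action: str, now=time.time) -> str:
    """Create a single-use challenge nonce bound to one action and a timestamp."""
    nonce = secrets.token_urlsafe(16)
    session.pending[nonce] = (action, now())
    return nonce


def verify_challenge(session: Session, nonce: str, action: str,
                     answer: Optional[str], verifier: Verifier, now=time.time) -> bool:
    """Consume the nonce and accept only if action, freshness and the human answer all check out."""
    record = session.pending.pop(nonce, None)  # single use: removed whether it passes or not
    if record is None:
        return False
    bound_action, issued_at = record
    if bound_action != action:  # a challenge answered for one action cannot unlock another
        return False
    if now() - issued_at > STEP_UP_TTL_SECONDS:  # stale challenges are rejected
        return False
    return verifier(session.user_id, answer)


def authorize(session: Session, action: str, verifier: Verifier,
              nonce: Optional[str] = None, answer: Optional[str] = None,
              now=time.time) -> Tuple[str, Optional[str]]:
    """Return ("ok", None), ("challenge", nonce) or ("denied", None)."""
    if not requires_step_up(session, action):
        return ("ok", None)
    if nonce is None:
        return ("challenge", issue_challenge(session, action, now))
    if verify_challenge(session, nonce, action, answer, verifier, now):
        return ("ok", None)
    return ("denied", None)


# Constructed demo verifier: a per-user secret stands in for whatever
# human-verification factor is deployed; compared in constant time.
_DEMO_SECRETS = {"alice": "tulip-harbor-7"}


def demo_verifier(user_id: str, answer: Optional[str]) -> bool:
    expected = _DEMO_SECRETS.get(user_id)
    return expected is not None and hmac.compare_digest(expected, answer or "")


if __name__ == "__main__":
    s = Session("sess-1", "alice")
    print(authorize(s, "view_profile", demo_verifier))          # ordinary action: ok
    status, n = authorize(s, "enroll_device", demo_verifier)    # high-risk: challenge
    print(status, authorize(s, "enroll_device", demo_verifier, nonce=n, answer="tulip-harbor-7"))
```

The three checks in `verify_challenge` are what give the step-up its value against session abuse: the nonce is consumed on first use, it only unlocks the action it was issued for, and it expires quickly, so a captured nonce cannot be reused later or redirected to a different high-risk action. A production deployment would also rate-limit failed answers and log every denied step-up as an endpoint-compromise indicator.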