This repository contains the artifacts for the paper "The State of Passkeys: Studying the Adoption and Security of Passkeys on the Web", accepted at the 35th USENIX Security Symposium 2026.
Our artifacts are organized into six main components:
| Directory | Description |
|---|---|
📡 ./radar |
Source code of the PASSKEYS-RADAR |
🔍 ./detector |
Source code for scanning well-known files |
🛠️ ./tools |
Source code of the PASSKEYS-ATTACKER |
🎓 ./learning |
Intentionally vulnerable learning platform |
💾 ./data |
Data artifacts including community directories and lists |
📊 ./notebooks |
Jupyter notebooks for analysis and figure generation |
Location: ./radar
A comprehensive tool for aggregating and analyzing passkey adoption across multiple directories and websites. The radar continuously monitors 12 different passkey directories to track adoption trends.
📖 See ./radar/README.md for setup and usage instructions.
Location: ./detector
Scans 18M CrUX domains to detect passkey-related well-known files (/.well-known/passkey_endpoints and /.well-known/webauthn).
- 📁
./detector/taskly— Parallel-execution framework with Docker orchestration (not part of our contribution) - 📁
./detector/tasks— Scanning task definitions (our contribution)
📖 See ./detector/README.md for setup instructions.
Location: ./tools
A comprehensive security testing toolkit for WebAuthn (passkey) implementations. This tool provides full emulation of both the client (browser) and authenticator layers, enabling security analysis of relying party implementations.
- 📁
./tools/frontend— Vite-based web application - 📁
./tools/backend— Express.js API server - 📁
./tools/extension— Chrome extension for WebAuthn interception
📖 See ./tools/README.md for setup and usage instructions.
Location: ./learning
An intentionally vulnerable learning platform for artifact evaluation. Covers all vulnerabilities from Table 2 in the paper and enables safe, controlled experimentation with PASSKEYS-ATTACKER.
📖 See ./learning/README.md for setup and usage instructions.
Location: ./data
Contains all generated data since 2021, including aggregated passkey directories and well-known scan results.
Location: ./notebooks
Jupyter notebooks for analyzing evaluation data and generating paper figures.
| Notebook | Description |
|---|---|
📓 sheet.ipynb |
Main analysis notebook for evaluation data (sheet.csv) |
📓 radar.ipynb |
PASSKEYS-RADAR data analysis and statistics |
📓 tranco.ipynb |
Tranco list analysis and ranking statistics |
📓 wellknown_*.ipynb |
Well-known file detection analysis |
| File | Description |
|---|---|
📄 sheet.csv |
Main evaluation dataset |
📄 sheet.xlsx |
Evaluation data in Excel format |
📄 *-combined.json |
Aggregated websites from all sources |
📄 *-merged.json |
Deduplicated list of passkey-enabled sites |
📄 *-sites.txt |
List of analyzed websites |
The ./notebooks/charts/ directory contains all generated figures used in the paper.