

submitted by
Style Pass
2024-05-11 06:00:14

This tool was released as part of my BSides Cymru 2024 talk, Okta Terrify: Persistence in a Passwordless World. The presentation deck and demonstration video have been included with this repository.

Okta Terrify is a tool to demonstrate how passwordless solutions such as Okta Verify's FastPass or other FIDO2/WebAuthn-type solutions can be abused once an authenticator endpoint has been compromised. Whilst Okta Terrify demonstrates Okta-specific attacks, the same methodology would typically apply to other passwordless solutions, as generally they all leverage asymmetric cryptography.

Passwordless authentication works via public/private key pairs. Typically, there are two types of keys generated during authenticator enrollment, Proof Of Possession and User Verification. Combined, both keys satisfy the multifactor element of authentication that organisations strive for as part of ongoing efforts to protect their users.

The proof of possession key is designed to do just that: prove the presence of a specific authenticator and/or user during authentication. In Okta's case, the proof of possession key is used to determine the presence of both the authenticator and the user, since in multiuser scenarios unique proof of possession keys are generated per user. The proof of possession key is typically a silent key, which does not require any form of biometric data to unlock its usage beyond that of the operating system itself, such as an authenticated Windows user session. When available, this key will be backed by a TPM and is therefore not possible to export from the device. When a TPM is not available, this key is generated as a software-only key.
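The enrollment and challenge-response flow described above, as an added example that is not part of Okta Terrify or the original post: a Go model of a silent proof-of-possession key on the endpoint and the identity provider that verifies it, with single-use challenges so a captured response cannot be replayed. Ed25519 is used for brevity (real authenticators commonly use ECDSA P-256), and the Authenticator and Verifier types are my own construction, not Okta's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the enrolled endpoint; this software-only private key lives in process memory.
type Authenticator struct{ key ed25519.PrivateKey }

// Verifier models the identity provider: enrolled public key plus issued challenges.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[string]bool // challenges issued but not yet answered
}

// Enroll creates the per-user proof-of-possession pair; only the public half leaves the device.
func Enroll() (*Authenticator, *Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{key: priv}, &Verifier{pub: pub, pending: map[string]bool{}}, nil
}

// Sign answers a challenge with the silent key: no biometric or PIN prompt, only the OS session guards it.
func (a *Authenticator) Sign(challenge []byte) []byte {
	return ed25519.Sign(a.key, challenge)
}

// Challenge issues a fresh 32-byte nonce and remembers it until it is consumed.
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read never returns an error in current Go releases
	v.pending[string(c)] = true
	return c
}

// Authenticate accepts a signature only over a challenge it issued and not yet consumed, so a captured response cannot be replayed.
func (v *Verifier) Authenticate(challenge, sig []byte) error {
	if !v.pending[string(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(v.pending, string(challenge))
	if !ed25519.Verify(v.pub, challenge, sig) {
		return errors.New("signature does not match the enrolled key")
	}
	return nil
}
```

Because the private key here is ordinary process memory, anything able to read it can answer challenges from anywhere; a TPM-backed key gives the verifier no such exposure, which is why the software-only fallback matters.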
