WiCyS 2025 Workshop - Phishing Resistance of Passkeys
Intro
This year at WiCyS 2025, held in Dallas, Texas, Nat and I had the pleasure of running a workshop on the last day of the conference. Even though it was the final session, the room was packed, the energy was high, and the engagement was fantastic. We’re publishing this article as a follow-up to the session—both to answer some of the recurring questions and to share the insights with those who couldn’t make it.
Our objective was twofold:
- Show, not tell, why some Multi-Factor Authentication (MFA) methods fail against phishing attacks.
- Introduce passkeys and give participants a first-hand experience of how they address those very issues.
Workshop Walkthrough
We had a full two hours together, and we made the most of it.
We began by discussing the well-known flaws of passwords and gradually moved on to the out-of-band MFA methods: SMS-based one-time passwords (OTPs), email OTPs, and push notifications.
Then came Lab 1: the phishing simulation.
We invited participants to take the place of a victim in a controlled, hands-on phishing exercise. Using a real-time demo with Evilginx, everyone witnessed how attackers can intercept credentials and session tokens - enough to impersonate users even when MFA is enabled.
The participants could:
- Receive a simulated phishing email
- Log in “as normal”
- Watch how their credentials and session cookies were captured
- See how the attacker could immediately reuse the session without knowing the password or OTP
It was a little unsettling - but that was the point.
Lab 2: Fighting back with passkeys.
In the second half, we introduced passkeys. We covered their:
- Design principles
- Usability improvements
- Most importantly, their phishing resistance
Everyone had a chance to register a passkey and then test whether our earlier phishing technique would still work.
Participants left the room with a deeper understanding of what phishing-resistant authentication looks like—and why it’s the future.
Setup
The tech stack for the workshop was intentionally simple to help others replicate or explore it themselves:
AitM backend: Evilginx running on a virtual machine
Phishing lure email: A mock single-page email client, built to deliver a convincing fake GitHub email
Session viewer: Our custom-built web viewer for Evilginx session data
Phishing domain: github.cybersoup.org
Target platform: Actual GitHub accounts (github.com)
The Evilginx tutorial is available here.
The workshop presentation is here.
Final Words
The WiCyS conference continues to be an amazing event — where students, researchers, career changers, and cybersecurity oddballs like us come together to share and grow.
We’re proud allies and thrilled to have been a part of this year’s edition.
There’s something uniquely Texan about line dancing to country music and watching longhorns roam the Fort Worth Stockyards — an unexpected but memorable part of the WiCyS experience.
Thanks to everyone who joined us. Until next time!