Passkey Security CTF Challenge for TISC
October 25, 2025
Back in June 2025, I submitted a security Capture-The-Flag (CTF) challenge for the annual The InfoSecurity Challenge (TISC) 2025, organized by Centre for Strategic Infocomm Technologies (CSIT), an agency in the Ministry of Defense of Singapore, and it revolves around Passkey.
I was lucky to have my challenge selected for TISC. TISC 2025 consists of 12 CTF challenges. My Passkey CTF challenge is 1 of the 3 community challenges that were accepted — with the remaining either developed internally by CSIT or developed/commissioned by CSIT-related entities. This nets me a cool $1000! :)
TISC 2025 was held for a period of 16 days, from September 12, 2025 to September 28, 2025. I also took part in it myself. Being a challenge creator, I am disqualified from winning any prizes. That did not matter anyway because I was stuck at level 4 and could not proceed further — it was sequential and you have to solve one level at a time and cannot skip levels. I must say the quality of TISC 2025 is really good with rather high difficulties compared to other CTFs out there that I have tried. It was really fun as I enjoyed puzzle solving. My kids were wondering why I was staring at a 3D model for 2 days (level 3).
Despite the challenge, there is one participant who managed to solve it all. Congratulations Gerrard (spoiler warning: skip level 6 writeup if you want to attempt my passkey CTF challenge). Not only did Gerrard solve it all, he did it back to back, capturing the first place at TISC 2024 as well!
Summary and report of the event is available at the TISC 2025 event page.
I must say that the entire event is really well run, from the initial call for challenge, theming, running of the contest, managing issues and queries during the contest, to the final prize-giving ceremony. Amazing work from the folks at CSIT!
Passkey CTF
The CTF itself resolves around Passkey, or rather misconfiguration of Passkey. Despite the increasing popularity of Passkey, I do not think there are any Passkey CTFs yet. That leads me to create one. I believe my challenge is probably one of the first Passkey CTFs out there in the world.
If you would like to give it a try, you can set up an instance of the CTF server and give it a try. The server can be set up by checking out the code at my GitHub repository: https://github.com/uzyn/passkey-ctf. It's built in Zig, but everything is Dockerized, so all you have to do is simply docker-compose up.
This is my first CTF challenge design and submission and certainly will not be my last.