Neutralizing RAT-Assisted Passkey Hijacking via the Visual Password System (VPS)
Published Online: January-April 2026
Pages: 180-182
https://www.doi.org/10.59256/indjcst.20260501025
Abstract
As the cyber security industry transitions to Passkeys (FIDO2/WebAuthn), a critical vulnerability has emerged in cloud-synced recovery flows. Current implementations rely on a static Device PIN for synchronization. Our research identifies the "Sync-Infiltrator" exploit, where an attacker uses a Remote Access Trojan (RAT) to capture this PIN, allowing them to bypass hardware binding and clone a victim's identity onto an attacker-controlled device. The proposed Visual Password System (VPS) is a dynamic authentication protocol that shifts the "Root of Trust" to the user’s cognitive space. By utilizing a high-entropy pool of, say, 54 unique graphical assets, a private mental margin, and hidden "Locker Key" positions, the user ensures that no reusable data is ever typed or displayed. The system effectively neutralizes Phishing and RATs through Proactive Credential Rotation and Visual Masking. This paper introduces the Visual Password System (VPS), a cognitive authentication protocol designed to eliminate reusable secrets and resist RAT-based credential harvesting.