Things I learnt about passkeys when building passkeybot
4 months ago
- #security
- #authentication
- #passkeys
- Secure Enclave Processors (SEP) in Apple devices create and store secrets securely, requiring biometric/passcode for verification.
- User Presence (UP) vs User Verification (UV): UP requires a button tap, UV requires biometric/passcode re-auth.
- An authenticator is hardware/software that holds key pairs and signs challenges, with browsers normalizing different authenticator APIs.
- Attestation proves the hardware used for passkey creation but can enable fingerprinting; Apple disables it by default.
- Passkeys are for authentication only, not general signing, with challenges needing 16+ bytes of randomness.
- Compromised JS can trick users into signing fake challenges, as authenticators don't show what's being signed.
- Immediate mediation in Chrome allows quick sign-in for users with passkeys, with different responses based on key count.
- Related Origin Requests (RORs) let domains define others that can create passkeys, but they don't work over HTTP or on iOS 18/Firefox.
- Passkeys can be stored on nearby devices and used via Bluetooth for signing without transferring keys.
- The Signal API hints at passkey deletion without confirmation to avoid data leaks.
- user.id and userHandle map multiple passkeys to one account, important for browser UI grouping.
- crypto.subtle.generateKey creates non-extractable keys, preventing private key extraction but allowing signing.
- PKCE (Proof Key for Code Exchange) uses dynamic secrets to protect tokens, retrofitted into OAuth for security.
- Digital Credentials API accesses OS wallet items like IDs, enabling proofs without sharing actual credentials.