Things I learnt about passkeys when building passkeybot
I recently released passkeybot.com, a hosted sign-in page that lets you add passkey auth to your site with just a few server-side HTTP handlers. Here are the things I learnt in the process.

What Secure Enclave Processors (SEP) are

Apple devices have a Secure Enclave, which is like a separate tiny computer living inside the main CPU with its own isolated, encrypted memory and its own OS. It can create secrets that never leave the enclave. The main OS cannot read such a secret; it can only prove possession of it by asking the SEP to sign some data and receiving the signature back, and that request/response protocol is the only way it can talk to the SEP at all. When the user signs in with their passkey with User Verification required, the SEP demands a biometric or passcode check before it signs the challenge with the private key.

Other devices have something similar to the SEP, branded under different names. Phone SIM cards are also a form of secure element: a SIM is a small CPU running a stripped-down Java runtime (Java Card), and it relies on the same two principles, "secrets never leave the SIM" and "prove possession by signing a message".

User Presence (UP) vs User Verification (UV)

Presence means "a user was there and tapped a button"; verification means "the user entered their biometric or passcode". You say which one you require through the JS passkey (WebAuthn) API. The difference is that presence can be satisfied by anyone holding the unlocked device and pressing a button, whereas verification always forces the user to re-authenticate with biometrics or a passcode.

What an authenticator is

An authenticator is the hardware and software that holds the private/public key pair and signs the passkey challenge to prove it has the private key. On Apple devices that is the SEP. The browser asks the user which authenticator they want to use, then uses OS-level APIs to talk to the chosen authenticator. For example:

User chooses the on-device Apple SEP → site calls the JS API → browser calls Apple's native passkey API (the AuthenticationServices framework, used from Swift or Objective-C) for the passkey operations.
User chooses a YubiKey → site calls the JS API → browser talks to the YubiKey over USB using FIDO's CTAP protocol for the passkey operations.

The interesting thing here is that the JS API normalises all of these different authenticator APIs: under the hood, the browser implements every protocol for every kind of authenticator it supports. Chrome DevTools also has a virtual authenticator (in its WebAuthn panel) that avoids repetitive OS password prompts while testing.

What attestation is

Signing proves possession: being able to sign with the private key proves you hold it.

Attestation proves which hardware was used: attestation proves what hardware and software combination created the key pair. It lets you enforce policies about which authenticators are trusted and which are blocked. The catch is that attestation data also enables fingerprinting, because it reveals exactly what hardware the user has. For that reason the browser only forwards an attestation statement when the site explicitly asks for one through the attestation option of the JS API, and some platform authenticators return no attestation at all, so a policy that depends on it must be prepared for "none".

Hardware attestation only occurs for the creation of...