Google's passkey system does not work like a conventional hardware authenticator that is bound to a single device. Before a passkey can be used, the architecture requires a device onboarding process that runs in the background.
On every login, Chrome has to send the wrapped SDS back to the cloud, where it is decrypted and used to sign the authentication response on the device's behalf. This places a great deal of trust in the cloud component and raises the question of what happens if that cloud-side logic becomes a target: it may open attack paths that have never been discussed publicly, and it raises questions about the guarantees of the FIDO protocol itself, which is meant to protect users from password-based attacks.
This research aims to shed light on the security concerns associated with passkeys and, going forward, other key-based authentication systems. It was published in the open-source journal Security Engineering. When you log in with a passkey, Chrome sends the passkeys/assert command along with the device ID and the wrapped SDS.
The cloud authenticator unwraps the SDS, decrypts the passkey private key, builds the authentication response, signs it, and returns it to Chrome. The browser then forwards this response to the relying party, which verifies the signature and completes the login.
This design keeps the sensitive key material off the device and places cryptographic authority in a remote cloud enclave. If that enclave is compromised or impersonated, an attacker could produce valid authentication responses for any enrolled user. Individuals and organizations that use GPM to sync passkeys should monitor their Google accounts for unexpected device enrollments, review authentication logs regularly for unusual access patterns, and consider FIDO2-compliant hardware security keys for privileged or sensitive accounts.
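The following is an added toy model of the assertion flow described above (Chrome sends passkeys/assert with the device ID and wrapped SDS; the cloud unwraps the SDS, decrypts the passkey private key, signs; the relying party verifies), written to make the trust boundary concrete. It is example code, not Google's, Chrome's or the paper's implementation. All of it is assumed: the class and method names, the layout of the enclave's storage (encrypted private key indexed by device ID), the use of textbook RSA over two fixed Mersenne primes as a stand-in for ES256, an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in for AES-GCM key wrapping, and a sign counter of 0 for synced passkeys. The relying party side shows the checks a server can actually perform, and the enclave keeps an enrollment log of the kind the recommendations above ask defenders to review.

```python
"""Toy model of a cloud-assisted passkey assertion. Added example, not vendor code.
The crypto primitives below are deliberately simple stand-ins and are NOT for production."""
import base64, hashlib, hmac, json, os, struct

# --- toy signature scheme (stand-in for ES256): fixed Mersenne primes, trivially factorable
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
KEY_BYTES = (N.bit_length() + 7) // 8

def sha256(b): return hashlib.sha256(b).digest()
def toy_sign(priv_d, msg): return pow(int.from_bytes(sha256(msg), "big"), priv_d, N)
def toy_verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(sha256(msg), "big")

# --- toy authenticated encryption (stand-in for AES-GCM wrapping): HMAC keystream + HMAC tag
def _subkey(key, label): return hmac.new(key, label, hashlib.sha256).digest()
def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]
def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class CloudAuthenticator:
    """Cloud-side signer. Holds the key-wrapping key; the device only ever holds the wrapped SDS."""
    def __init__(self):
        self.kwk = os.urandom(32)
        self.enc_priv = {}   # device_id -> passkey private key encrypted under that device's SDS (assumed)
        self.audit = []      # enrollment/assertion events a defender would review

    def enroll(self, device_id, priv_d):
        sds = os.urandom(32)
        self.enc_priv[device_id] = seal(sds, priv_d.to_bytes(KEY_BYTES, "big"))
        self.audit.append(("enroll", device_id))
        return seal(self.kwk, sds)                       # wrapped SDS handed to the device

    def passkeys_assert(self, device_id, wrapped_sds, rp_id, client_data_hash):
        sds = unseal(self.kwk, wrapped_sds)
        priv_d = int.from_bytes(unseal(sds, self.enc_priv[device_id]), "big")
        # authenticatorData = rpIdHash || flags (UP set) || signCount (0 assumed for synced passkeys)
        auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", 0)
        self.audit.append(("assert", device_id, rp_id))
        return auth_data, toy_sign(priv_d, auth_data + client_data_hash)

class RelyingParty:
    """Server side: stores public keys at registration and verifies assertions."""
    def __init__(self, rp_id):
        self.rp_id, self.pubkeys, self.challenges = rp_id, {}, set()
    def register(self, user, pub): self.pubkeys[user] = pub
    def challenge(self):
        c = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
        self.challenges.add(c)
        return c
    def verify(self, user, client_data_json, auth_data, sig):
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != "https://" + self.rp_id:
            return False
        if cd.get("challenge") not in self.challenges:   # unknown or already-consumed challenge
            return False
        self.challenges.discard(cd["challenge"])
        if auth_data[:32] != sha256(self.rp_id.encode()) or not auth_data[32] & 0x01:
            return False                                  # wrong RP or user-presence flag missing
        return toy_verify(self.pubkeys[user], auth_data + sha256(client_data_json.encode()), sig)

class ChromeDevice:
    """The browser: holds only a device ID and the wrapped SDS, never the private key."""
    def __init__(self, device_id, wrapped_sds):
        self.device_id, self.wrapped_sds = device_id, wrapped_sds
    def build_assertion(self, cloud, rp):
        client_data = json.dumps({"type": "webauthn.get", "challenge": rp.challenge(),
                                  "origin": "https://" + rp.rp_id})
        auth_data, sig = cloud.passkeys_assert(self.device_id, self.wrapped_sds, rp.rp_id,
                                               sha256(client_data.encode()))
        return client_data, auth_data, sig
    def login(self, cloud, rp, user):
        return rp.verify(user, *self.build_assertion(cloud, rp))

def run_demo():
    cloud, rp = CloudAuthenticator(), RelyingParty("example.com")
    rp.register("alice", (N, E))                                   # public key from registration
    laptop = ChromeDevice("laptop-1", cloud.enroll("laptop-1", D))
    honest = laptop.login(cloud, rp, "alice")
    # A second enrollment produces assertions the RP cannot distinguish from the first device's;
    # only the enclave's enrollment log reveals it.
    phone = ChromeDevice("phone-7", cloud.enroll("phone-7", D))
    second_device = phone.login(cloud, rp, "alice")
    client_data, auth_data, sig = laptop.build_assertion(cloud, rp)
    tampered = rp.verify("alice", client_data, auth_data[:32] + b"\x00" + auth_data[33:], sig)
    return {"honest": honest, "second_device": second_device, "tampered": tampered,
            "enrollments": [ev[1] for ev in cloud.audit if ev[0] == "enroll"]}

if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is that every check the relying party can run (origin, challenge freshness, rpIdHash, user-presence flag, signature) passes for any device the enclave has enrolled, because the signature is produced by the same cloud-held key regardless of which device asked; the RP has no view of the device set. That is why the recommendations above centre on the account holder reviewing enrollments and authentication logs, and on hardware keys for the accounts that matter most. Note that the sign counter is fixed at 0 here (an assumption for synced passkeys), so the counter-regression check an RP would apply to a single-device authenticator gives no signal in this model.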