Table of Contents
Fetching ...

Verifiable Passkey: The Decentralized Authentication Standard

Aditya Mitra, Sibi Chakkaravarthy Sethuraman

TL;DR

The paper tackles the privacy and scalability limitations of traditional FIDO2 passkeys, which require per-service credentials and can lead to centralized tracking when using federated SSO. It proposes Verifiable Passkeys, a decentralized authentication standard that leverages Verifiable Credentials to share passkey-based proofs across platforms without centralized storage or tracking. The authors detail an end-to-end architecture (issuer, PageX, verifiers) and provide a practical implementation with open-source components, demonstrating enrollment and authentication workflows across platform and roaming authenticators. They present a comprehensive threat model that emphasizes phishing resistance, zero-trust validation, and privacy preservation, arguing that this approach reduces centralized risk while maintaining strong security guarantees. The work points toward broader adoption and standardization, with potential applications in digital identity and age verification, where privacy and verifiability are paramount.

Abstract

Passwordless authentication has revolutionized the way we authenticate across various websites and services. FIDO2 Passkeys, is one of the most-widely adopted standards of passwordless authentication that promises phishing-resistance. However, like any other authentication system, passkeys require the user details to be saved on a centralized server, also known as Relying Party (RP) Server. This has led users to create a new passkey for every new online account. While this just works for a limited number of online accounts, the limited storage space of secure storage modules like TPM or a physical security key limits the number of passkeys a user can have. For example, Yubico Yubikey 5 (firmware 5.0 - 5.6) offers to store only 25 passkeys, while firmware 5.7+ allows to store upto 100 [1]. To overcome this problem, one of the widely adopted approaches is to use Federated Authentication with Single Sign On (SSO). This allows the user to create a passkey for the Identity Provider (IdP) and use the IdP to authenticate to all service providers. This proves to be a significant privacy risk since the IdP can potentially track users across different services. To overcome these limitations, this paper introduces a novel standard 'Verifiable Passkey' that allows the user to use Passkeys created for a Verifiable Credential issuer across any platform without risking privacy or user tracking.

Verifiable Passkey: The Decentralized Authentication Standard

TL;DR

The paper tackles the privacy and scalability limitations of traditional FIDO2 passkeys, which require per-service credentials and can lead to centralized tracking when using federated SSO. It proposes Verifiable Passkeys, a decentralized authentication standard that leverages Verifiable Credentials to share passkey-based proofs across platforms without centralized storage or tracking. The authors detail an end-to-end architecture (issuer, PageX, verifiers) and provide a practical implementation with open-source components, demonstrating enrollment and authentication workflows across platform and roaming authenticators. They present a comprehensive threat model that emphasizes phishing resistance, zero-trust validation, and privacy preservation, arguing that this approach reduces centralized risk while maintaining strong security guarantees. The work points toward broader adoption and standardization, with potential applications in digital identity and age verification, where privacy and verifiability are paramount.

Abstract

Passwordless authentication has revolutionized the way we authenticate across various websites and services. FIDO2 Passkeys, is one of the most-widely adopted standards of passwordless authentication that promises phishing-resistance. However, like any other authentication system, passkeys require the user details to be saved on a centralized server, also known as Relying Party (RP) Server. This has led users to create a new passkey for every new online account. While this just works for a limited number of online accounts, the limited storage space of secure storage modules like TPM or a physical security key limits the number of passkeys a user can have. For example, Yubico Yubikey 5 (firmware 5.0 - 5.6) offers to store only 25 passkeys, while firmware 5.7+ allows to store upto 100 [1]. To overcome this problem, one of the widely adopted approaches is to use Federated Authentication with Single Sign On (SSO). This allows the user to create a passkey for the Identity Provider (IdP) and use the IdP to authenticate to all service providers. This proves to be a significant privacy risk since the IdP can potentially track users across different services. To overcome these limitations, this paper introduces a novel standard 'Verifiable Passkey' that allows the user to use Passkeys created for a Verifiable Credential issuer across any platform without risking privacy or user tracking.
Paper Structure (9 sections, 9 figures, 1 table)

This paper contains 9 sections, 9 figures, 1 table.

Figures (9)

  • Figure 1: Enrollment workflow
  • Figure 2: Authentication Workflow
  • Figure 3: Verifiable Passkey Issuer screen
  • Figure 4: PageX for creating Verifiable Passkey
  • Figure 5: System prompt for secure storage usage
  • ...and 4 more figures