Verifiable Passkey: The Decentralized Authentication Standard
Aditya Mitra, Sibi Chakkaravarthy Sethuraman
TL;DR
The paper tackles the privacy and scalability limitations of traditional FIDO2 passkeys, which require per-service credentials and can lead to centralized tracking when using federated SSO. It proposes Verifiable Passkeys, a decentralized authentication standard that leverages Verifiable Credentials to share passkey-based proofs across platforms without centralized storage or tracking. The authors detail an end-to-end architecture (issuer, PageX, verifiers) and provide a practical implementation with open-source components, demonstrating enrollment and authentication workflows across platform and roaming authenticators. They present a comprehensive threat model that emphasizes phishing resistance, zero-trust validation, and privacy preservation, arguing that this approach reduces centralized risk while maintaining strong security guarantees. The work points toward broader adoption and standardization, with potential applications in digital identity and age verification, where privacy and verifiability are paramount.
Abstract
Passwordless authentication has revolutionized the way we authenticate across various websites and services. FIDO2 Passkeys, is one of the most-widely adopted standards of passwordless authentication that promises phishing-resistance. However, like any other authentication system, passkeys require the user details to be saved on a centralized server, also known as Relying Party (RP) Server. This has led users to create a new passkey for every new online account. While this just works for a limited number of online accounts, the limited storage space of secure storage modules like TPM or a physical security key limits the number of passkeys a user can have. For example, Yubico Yubikey 5 (firmware 5.0 - 5.6) offers to store only 25 passkeys, while firmware 5.7+ allows to store upto 100 [1]. To overcome this problem, one of the widely adopted approaches is to use Federated Authentication with Single Sign On (SSO). This allows the user to create a passkey for the Identity Provider (IdP) and use the IdP to authenticate to all service providers. This proves to be a significant privacy risk since the IdP can potentially track users across different services. To overcome these limitations, this paper introduces a novel standard 'Verifiable Passkey' that allows the user to use Passkeys created for a Verifiable Credential issuer across any platform without risking privacy or user tracking.
