YouTube

Research Brief

6.5/8
●●●●●●○○ Credibility Score
mixed
📝 What They Said

Passkey authentication can be demystified by examining the actual data exchange between browser and server during creation and login, revealing that while cryptographically complex, the process follows an intuitive client-server flow using standard web APIs.

  1. 1 Passkey creation begins client-side when a user requests to create a passkey, triggering the browser to fetch creation arguments from the server (what verification level is needed, what passkey types are allowed)
  2. 2 The browser calls navigator.credentials.create() with these server arguments, which interfaces with the OS/TPM/password manager to generate a public-private key pair
  3. 3 The generated key data (embedded in JSON) is sent back to the server for validation and storage in the database, completing the passkey creation flow
  4. 4 The presenter has built a demo website with visible data flows showing all six steps of the process (normally hidden from users) to illustrate what happens under the hood
  5. 5 The implementation uses PHP backend and JavaScript frontend, with the goal of making the cryptographic complexity more accessible by visualizing the actual data exchanges
🔬 What We Found

The video demonstrates a working implementation of WebAuthn passkey authentication using a custom PHP/JavaScript demo. The presenter built this to visualize the complete data flow during passkey creation and authentication—data that's normally hidden from users. WebAuthn is the W3C specification (officially recognized in 2018) that enables passwordless authentication using public-key cryptography. Passkeys are FIDO credentials that implement this standard, allowing users to authenticate with biometrics, PINs, or device unlock mechanisms instead of passwords.

The technical flow works as follows: During registration, the client fetches creation arguments from the server (including a random challenge, relying party ID, and user information). The browser calls navigator.credentials.create() which triggers the OS/TPM/password manager to generate a public-private key pair. The private key never leaves the device; the public key, credential ID, and signed challenge are sent to the server for storage. During authentication, the server sends a new challenge. The client calls navigator.credentials.get(), the authenticator signs the challenge with the private key, and the server verifies the signature using the stored public key.

Key implementation libraries include SimpleWebAuthn (TypeScript, available at https://github.com/MasterKale/SimpleWebAuthn) for Node/Deno environments, and lbuchs/WebAuthn (PHP, available at https://github.com/lbuchs/WebAuthn) which the presenter likely used. The Trusted Platform Module (TPM) is a hardware security chip that stores cryptographic keys in tamper-resistant storage—it's built into most PCs manufactured after 2010 and is required for Windows 11. The attestation data mentioned in the video contains certificate chains proving the authenticator's authenticity, though most servers ignore this for consumer applications. The sign count field detects cloned authenticators by incrementing after each use. The challenge token (typically 32 random bytes) prevents replay attacks by ensuring each authentication is unique and time-bound.

✓ Verified Claims
navigator.credentials.create() is the JavaScript function that creates a passkey
Source
The challenge token prevents replay attacks
Source
TPM (Trusted Platform Module) is a security chip that can store passkey private keys
Source
Attestation data is often ignored by servers
Source
The sign count is used to detect cloned passkeys
Source
The presenter used PHP for the backend implementation
Source
⚠️
TPM signed the attestation with SHA1 and RSA which is deprecated
Source
WebAuthn was officially recognized as a W3C Recommendation in 2018
Source
→ Suggested Actions
💡 Go Deeper
Cross-platform passkey synchronization mechanisms: How passkeys sync across devices via iCloud Keychain, Google Password Manager, and third-party password managers, including the security implications of cloud-synced credentials
Attestation and credential verification: Deep dive into attestation statements, authenticator metadata, and how servers can verify the authenticity and security characteristics of the authenticator device used to create a passkey
Fallback strategies and progressive enhancement: Implementing graceful degradation for browsers without WebAuthn support, handling users without biometric capabilities, and designing hybrid authentication systems that support both passkeys and traditional methods
Enterprise passkey deployment challenges: Addressing organizational concerns around account recovery, credential management at scale, compliance requirements (SOC2, HIPAA), and integration with existing identity providers and SSO systems
Resident keys vs server-side keys: Technical comparison of discoverable credentials (resident keys) stored on the authenticator versus non-discoverable credentials, including storage limitations, user experience implications, and security trade-offs
Key Takeaway

WebAuthn passkey authentication, while cryptographically sophisticated, follows a straightforward client-server exchange using standard browser APIs that replace passwords with public-key cryptography.

Open Original Try Free