> Note that there’s no secure way to do asymmetric encryption: we could use the PRF extension to encrypt a private key, but then an attacker that observes that private key once can decrypt anything encrypted to its public key in the future, without needing access to the credential.

IMHO, it would move the world of privacy forward significantly if someone took up championing a web API that securely pipes the output of WebAuthn's PRF into the input seed of a WebCrypto ML-KEM/X25519 implementation.

Sure, we'll still have the (unenviable) job of securing the client side JS environment, but it would make it feasible to have E2EE in the browser with passkey managed private keys exposed only up to the point of the browser/OS.

I follow Filippo for years and he's doing amazing job for crypto and golang communities. Excited to see your bikes adventures too. If it wasn't for you who knows, maybe golang wasn't that popular in the fields where cryptography matters.

keep up, Filippo!

Say you wanted to share sign in details with someone and the only way to sign in to a website or service was a magic email link (tied to an IP address) or a passkey (tied to the physical user).

How do you do it without the service implementing guest sign in as a feature? I’m asking as someone who has implemented auth.

Very cool! Clever use of WebAuthn’s PRF to reuse synced passkeys for file encryption without the hassle of managing private keys directly. The catch is credential revocation: leaked passkeys mean full rotation and bulk re-encryption of files. That works fine for casual backups, but production usage will need tooling to handle automated rotation cleanly.

I was waiting for the prf to be implemented since a long time exactly for this type of applications (e2e encryption), but , as usual, Safari doesn't support it

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...

For a simple web app that encrypts files with passkeys, check out https://filekey.app

This enables a few cool use cases, like uploading sensitive, client-side encrypted documents, and storing them on behalf of the user—without even being able to peek inside—all with the convenience of passkeys!

I wonder if this can replace the PGP backend from "pass": https://www.passwordstore.org/

I don't really want to replace it. It works fine. But the toolchain for other platforms is becoming difficult to manage. I use pass with PGP Yubikeys as backing for each encrypted password. But the developer of the Android version has stopped supporting it and the person who took it over has removed yubikey support because he doesn't use it himself and doesn't care about it.

Of course I need to access my passwords on Linux, Windows, Mac, Android. Only iOS is not possible because Apple doesn't allow raw APDU access to NFC tags so you can't do OpenPGP functions.

I also don't want to use a password manager with a single master password like bitwarden. I want each password to be encrypted individually with the public key from a number of hardware tags (multiple, that's also a hard requirement). This way not my whole password database is instantly leaked when my master password gets compromised. Even when my endpoint gets completely compromised, the only passwords they will have are the ones I decrypted on it since it was compromised. Yubikeys require a physical touch for every decryption so you also can't 'milk' them for credentials when they're inserted and unlocked. Also, any password manager I use must be self-hosted, I hate and don't trust the big tech companies.

I wonder if this could be a new backend. And have support on all platforms (though iOS I don't care about personally, but it would be a nice to have).

Now do one for signing Linux packages with <insert anything else but GnuPG>...

What devices support the prf extension? Been waiting for it to get support for years

What good timing. I am gearing up for a 1.0 release of a tool I wrote that stores secrets on disk (sort of like a local hashicorp vault/aws secrets manager) that uses age internally.

https://git.eeqj.de/sneak/secret

It has a tiered architecture where several different types of “unlockers” can access the main vault key. I haven’t added passkey support yet but it does do gpg and macOS keychain, and secure enclave support is planned (but delayed due to the fact that you cannot use the secure enclave even on a local device you own without a paid/doxxed Apple Developer Program membership for the correct entitlements).

Can someone sum up the difference between "passkeys" and "SRP, PAKE (like OPAQUE), and ZKPs"?

Besides being related to the web (only?), it seems.

I recently started to plan for off-site, cloud-based storage and I have pretty much decided that I will be using Age to encrypt my backup files. It basically does everything I need.

My appreciation to the creator.

On this topic — how to harden security of the keychain db on the Mac? One is — keep the Mac password long and difficult to crack. What else? Is there any other way to make it harder? Like is there a way to ensure that those db files can’t be accessed even with the mac password on any other hardware?

Also — on a mac why are these files not saved in a location that requires elevated access?

Because that file has everything — password, wifi keys, passkeys; and it is not very practical to have 8-10 word long passphrases for your daily computer.

Basically — I am thinking about the scenario when the data of passwords/keychain db might be compromised but not the Mac password itself.

WebAuthn may be one of the most important security technology of the decade. It's a revolution in key management, which may be the hardest part of applied cryptography.

Passkeys enable phishing-resistant and 1-click authentication.

The PRF extension discussed here enables end-to-end encryption of data (with envelope encryption). Think about secure chat backups, double factor disk encryption (password + security key) and much more.

Soon we will be able to sign apps bundle (APKs, IPAs) with hardware security keys.

Great times are ahead for those who care about securing their users' data.

This is a pretty cool idea. Using passkeys to encrypt files means you don’t have to remember passwords but still keep things secure. What I really like is that each file gets its own key, so even if one gets exposed, the others stay safe. If this kind of setup gets integrated into tools we use every day, like photo apps or cloud storage, it could be really useful.

In my last job, we used a key that was stored on a user machine to sign documents... always wondered if something like PassKeys could replicate that... given documents could potentially need to be signed by multiple users on behalf of an entity, having the cert on a user's drive seemed like a security issue... It was password protected, but still.... Replacing that with PassKeys, and having that stored on a phone or even in something like 1Password would potentially solve some of those issues...Does anyone know if that is possible?