Verifiable Passkey: The Decentralized Authentication Standard
Aditya Mitra, Sibi Chakkaravarthy Sethuraman

TL;DR
This paper introduces Verifiable Passkey, a new decentralized authentication standard that enables users to reuse passkeys across platforms without privacy risks or user tracking, addressing storage and privacy limitations of existing passwordless systems.
Contribution
The paper proposes a novel Verifiable Passkey standard that enhances privacy and reusability of passkeys across platforms, overcoming storage and tracking issues of current passwordless authentication methods.
Findings
Verifiable Passkey allows cross-platform reuse of passkeys.
It enhances user privacy by preventing tracking across services.
The standard addresses storage limitations of secure modules.
Abstract
Passwordless authentication has revolutionized the way we authenticate across various websites and services. FIDO2 Passkeys is one of the most widely adopted standards of passwordless authentication that promises phishing resistance. However, like any other authentication system, passkeys require the user details to be saved on a centralized server, also known as the Relying Party (RP) server. This has led users to create a new passkey for every new online account. While this works for a limited number of online accounts, the limited storage space of secure storage modules like a TPM or a physical security key limits the number of passkeys a user can have. For example, the Yubico YubiKey 5 (firmware 5.0 - 5.6) can store only 25 passkeys, while firmware 5.7+ can store up to 100 [1]. To overcome this problem, one of the widely adopted approaches is to use Federated Authentication…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Authentication Protocols Security · Spam and Phishing Detection
