Improve guidance for passkey implementations in Authentication Cheat … #2052

Open

YK-03 wants to merge 4 commits into OWASP:master from YK-03:improve-passkey-guidance

Conversation

YK-03 commented Mar 5, 2026

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

Description

This PR improves the guidance in the FIDO2 / Passkeys section of the Authentication Cheat Sheet by recommending the use of well-maintained WebAuthn libraries or platform APIs instead of implementing authentication logic manually.

A reference link to the Web Authentication API (WebAuthn) documentation was also added to provide developers with an authoritative resource for implementing passkey-based authentication securely.

AI Tool Usage Disclosure (required for all PRs)

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to assist with drafting and formatting this contribution. The contents were reviewed and validated before submission.

Thank you again for your contribution 😃

jmanico (Member) commented Mar 6, 2026

minor lint errors: cheatsheets/Authentication_Cheat_Sheet.md:350 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]

mackowski (Collaborator) previously approved these changes Mar 15, 2026

@jmanico please review this one too ;-)

jmanico (Member) left a comment

This is missing that the core control for passkeys is the client's underlying default key manager, like a TPM for Windows or the iOS Secure Enclave. I think this is an important missing factor.

YK-03 (Author) commented Mar 16, 2026

The role of the client’s underlying key manager (e.g., TPM on Windows or Secure Enclave on Apple devices) is indeed an important part of the passkey security model. I’ll update the guidance to explicitly mention these hardware-backed key stores so the explanation is clearer and more complete.

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the Authentication Cheat Sheet’s passkey/FIDO2 guidance and cleans up a Markdown table, aiming to improve clarity around automated attack types and passkey key storage properties.

Changes:

  • Reformats the “Protect Against Automated Attacks” table to standard Markdown table syntax.
  • Expands the FIDO2/Passkeys subsection with a new “Hardware-backed Key Storage” subsection and revised FIDO2 wording.


Comment on lines +344 to +346
**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs), often with credential synchronization across devices.

#### Hardware-backed Key Storage
Copilot AI Mar 26, 2026

The PR description mentions adding a reference link to the Web Authentication API docs and recommending using well-maintained WebAuthn libraries/platform APIs, but this change only adds a new subsection and contains no such link or guidance. Either update this section to include the described recommendations/link, or adjust the PR description to match the actual changes.

Comment on lines +344 to +350
**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs), often with credential synchronization across devices.

#### Hardware-backed Key Storage

For platform passkeys, the private key is generated and stored by the operating system's secure key manager. Modern platforms typically provide hardware-backed protection for these keys, such as the Trusted Platform Module (TPM) on Windows, Secure Enclave on Apple devices, or the Android Keystore/StrongBox on Android.

The private key is non-exportable and remains on the user’s device. During authentication, the platform security module signs a server challenge using this key. This hardware-backed protection of private keys is a core security property of passkeys and WebAuthn.
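Review bot: The last paragraph of this hunk ("The private key is non-exportable and remains on the user’s device") states hardware backing and non-exportability as a property of passkeys in general, while the sentence just before it says platforms only "typically" provide it, and nothing in the hunk tells a relying party how to distinguish the two cases. Suggest adding that a relying party can only establish hardware backing or non-exportability by requesting and verifying attestation at registration and should otherwise treat these as unverified platform properties; the later commit message on this PR ("relying parties should not assume non-exportability without attestation verification") makes the same point and the section should carry it. Minor: the hunk mixes the curly apostrophe in "user’s" with the straight one in "operating system's".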
Copilot AI Mar 26, 2026

Line 344 states passkeys often have credential synchronization across devices, but line 350 then states the private key "remains on the user’s device". These statements conflict for synced passkeys; please reword to distinguish device-bound vs synced passkeys (and avoid implying the private key never leaves a device in all cases).

Suggested change
**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs), often with credential synchronization across devices.
#### Hardware-backed Key Storage
For platform passkeys, the private key is generated and stored by the operating system's secure key manager. Modern platforms typically provide hardware-backed protection for these keys, such as the Trusted Platform Module (TPM) on Windows, Secure Enclave on Apple devices, or the Android Keystore/StrongBox on Android.
The private key is non-exportable and remains on the user’s device. During authentication, the platform security module signs a server challenge using this key. This hardware-backed protection of private keys is a core security property of passkeys and WebAuthn.
**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs). Depending on the platform and configuration, passkeys may be device-bound (stored on a single authenticator) or multi-device/synced (securely synchronized between a user's devices).
#### Hardware-backed Key Storage
For platform passkeys, the private key is generated and stored by the operating system's secure key manager. Modern platforms typically provide hardware-backed protection for these keys, such as the Trusted Platform Module (TPM) on Windows, Secure Enclave on Apple devices, or the Android Keystore/StrongBox on Android.
For device-bound passkeys, the private key is marked as non-exportable and is designed not to leave the authenticator on which it was created. For synced passkeys, copies of the private key (or equivalent secret) may be synchronized between a user's devices using platform-specific, typically end-to-end encrypted mechanisms, but are not exposed to relying parties or application code. During authentication, the platform security module signs a server challenge using this key material. This hardware-backed or otherwise strongly isolated protection of private keys is a core security property of passkeys and WebAuthn.

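The quoted section says the platform security module "signs a server challenge using this key"; the relying-party side of that ceremony, with the checks WebAuthn section 7.2 requires before the signature is trusted, is shown below as an added example (not code from the cheat sheet, the OWASP project, or this PR). It assumes an ES256 (P-256) credential and uses a hypothetical `simulateAuthenticator` stand-in for the platform key manager with constructed rpID, origin and challenge values; it verifies an assertion only, so it cannot establish hardware backing or non-exportability, which needs attestation verification at registration as the commit message above notes.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)
// clientData holds the CollectedClientData fields a relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedHash is what an ES256 authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedHash(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}
// simulateAuthenticator is a hypothetical stand-in for the platform key manager: the private key is created and kept inside; only the public key, authenticatorData, clientDataJSON and a signature come out.
func simulateAuthenticator(rpID, origin, challenge string, count uint32) (pub *ecdsa.PublicKey, authData, cdJSON, sig []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair made at registration, never exported
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x05, byte(count>>24), byte(count>>16), byte(count>>8), byte(count)) // rpIdHash || flags UP|UV || big-endian counter
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cdJSON))
	return &priv.PublicKey, authData, cdJSON, sig
}
// verifyAssertion runs the relying-party checks of WebAuthn section 7.2; pub is the credential public key saved at registration, storedCount the last counter seen, and the new counter to persist is returned.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte, storedCount uint32) (uint32, error) {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return 0, errors.New("clientData invalid or does not match this ceremony (type, challenge, origin)")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x05 != 0x05 {
		return 0, errors.New("authenticatorData malformed, rpIdHash mismatch, or UP/UV flags not set")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= storedCount {
		return 0, errors.New("signature counter did not increase: possible cloned credential")
	}
	if !ecdsa.VerifyASN1(pub, signedHash(authData, cdJSON), sig) {
		return 0, errors.New("assertion signature invalid")
	}
	return count, nil
}
```

A replayed assertion, a wrong origin or challenge, a cleared UV flag, or a different credential key all fail here; only the signature counter check needs server-side state beyond the stored public key.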
mackowski (Collaborator) commented

@YK-03 can you respond to copilot review/suggestions?

Avoid overgeneralizing hardware-backed guarantees. Clarify that 
not all implementations are hardware-backed and relying parties 
should not assume non-exportability without attestation verification.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>