Tools

Complete Guide to Passseeds – Hijacking Passkeys To Unlock New Cryptographic Use Cases

2026-01-07 0 views admin
Complete Guide to Passseeds – Hijacking Passkeys To Unlock New Cryptographic Use Cases

In my time at Microsoft, I worked on the team responsible for the development and standardization of Passkeys. Passkeys have made standard, secure, cryptographic authentication accessible to all users, but the model is tightly restricted to website/app login.

Even with a deep, code-level understanding of passkeys and WebAuthn, it wasn’t until now, six years later, that I realized a set of properties and behaviors present within Passkeys could be hijacked to make this post possible. This ‘feature’ was sitting right there and feels so obvious in retrospect. It just goes to show if you remain curious and turn over every rock, you can bend technology to do new and interesting things.

PassSeeds is a hack that explores this question: can we hijack the capabilities and UX of passkeys for use cases that stretch beyond their rigid login model and limited key-type support? The status quo of many Web-based use cases involving long-held cryptographic keys is often users pasting key material into sites/apps or buying special hardware devices that are difficult for less technical folks to use.

To understand PassSeeds, it helps to have some awareness of the underlying Passkey technology they are based on.

Passkeys are asymmetric key pairs formatted as WebAuthn credentials, typically used to replace passwords for website logins. A key pair is created on the user’s device for a website and stored in a secure hardware module. Access to and usage of these key pairs is scoped to the origin of the site they were created on (for example: example.com, other.example.com, test.com). Passkeys are replicated across a user’s devices by the platform (iCloud Keychain, Google Password Manager, Windows Hello, etc.) via an end-to-end encrypted sync process. Below is a basic overview of the two primary UX flows for generating a passkey and using one for login:

There are several attributes of Passkeys to keep in mind that are critical to the PassSeed mechanism detailed in this post:

Given these attributes of the Passkey model, even public keys in the system behave like a natively provisioned, hardware-secured, synced secret, even though cryptography does not require them to be secret. This is a rare and valuable set of properties many products, services, and protocols find highly desirable.

Passkeys provide biometrically gated use of cryptographic keys, but they were created specifically for authentication signing in centralized website login flows. Meanwhile, web apps that need cryp

Source: HackerNews

🏷️ Tags

app

More from Tools

Open Source Test Z Emoji I Url - Guide

Open Source Test Z Emoji I Url - Guide

2026-01-07 0
How To Build Connections For A/b Testing And Linear Regression: An... (2026)

How To Build Connections For A/b Testing And Linear Regression: An... (2026)

2026-01-07 0
Show Hn: I Visualized The Entire History Of Citi Bike In The Browser - Expert Insights

Show Hn: I Visualized The Entire History Of Citi Bike In The Browser - Expert Insights

2026-01-07 0
Latest Make Q1 Marketing Count: Focus, Execute, Deliver 2026 - Guide

Latest Make Q1 Marketing Count: Focus, Execute, Deliver 2026 - Guide

2026-01-07 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views