Passwordless authentication was supposed to mark the end of account takeovers. Designed to replace traditional passwords with cryptographic keys tied to physical devices, it promised a future where stolen credentials could no longer unlock user accounts.
But a close examination of how Google has actually built its passkey ecosystem reveals something far more complex than the clean, secure image that “passwordless” typically projects.
Beneath every passkey login powered by Google Password Manager, a hidden cloud component is silently performing sensitive cryptographic operations — and it may be creating new attack paths that have never been publicly discussed.
Google’s passkey system does not work like a conventional hardware authenticator locked to a single device.
Every time a Chrome user logs into a service using a passkey backed by Google Password Manager (GPM), the browser quietly opens a connection to a remote service hosted at enclave.ua5v[.]com. This domain functions as a cloud-based authenticator responsible for generating passkey keys, handling authentication requests, and keeping credentials synchronized across all of a user’s enrolled devices.
Chrome generates two hardware-backed key pairs using the device’s Trusted Platform Module (TPM) — an identity key and a user verification key — then registers them with the cloud authenticator.
The cloud authenticator stores these public keys, assigns a device-specific wrapping key, and issues a member key pair to establish the device as a trusted participant in the user’s security domain.
The entire state resulting from this onboarding is saved locally in a file called passkey_enclave_state, stored within the Chrome profile directory.
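Because the enrollment state lives in a plain file inside the Chrome profile, a defender's first practical step is to know where those files are and to notice when they change (a re-enrollment, a new profile, or a file that disappears). The following script is an added example, not code from the article or from Google: it inventories every passkey_enclave_state file under a Chrome user-data root, records size, mtime and SHA-256, and diffs two inventories. The file name comes from the article; the default user-data paths, the JSON-style baseline structure and the sample data in demo() are assumptions constructed for illustration.

```python
"""Baseline and diff Chrome's passkey_enclave_state files (added example).

The file name passkey_enclave_state and its location inside a Chrome profile
directory come from the article. The user-data roots, the baseline format and
the sample data in demo() are assumptions made for this example.
"""
import hashlib
import tempfile
from pathlib import Path

STATE_FILE = "passkey_enclave_state"  # from the article


def default_profile_roots():
    """Usual Chrome user-data roots (assumption; adjust for your fleet)."""
    home = Path.home()
    return [
        home / "AppData" / "Local" / "Google" / "Chrome" / "User Data",  # Windows
        home / "Library" / "Application Support" / "Google" / "Chrome",  # macOS
        home / ".config" / "google-chrome",                              # Linux
    ]


def sha256_file(path: Path) -> str:
    """Stream the file so large state blobs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict:
    """Map each profile directory name to the metadata of its state file."""
    found = {}
    if not root.is_dir():
        return found
    for path in root.rglob(STATE_FILE):
        if path.is_file():
            st = path.stat()
            found[path.parent.name] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(path),
            }
    return found


def diff_inventory(old: dict, new: dict) -> dict:
    """Report profiles whose state file appeared, vanished or changed content."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new)
                     if old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed sample: a fake user-data root with two profiles, then changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for profile, content in (("Default", b"state-A"), ("Profile 1", b"state-B")):
            (root / profile).mkdir()
            (root / profile / STATE_FILE).write_bytes(content)
        baseline = inventory(root)
        # Simulate a re-enrollment in Default and a newly created profile.
        (root / "Default" / STATE_FILE).write_bytes(b"state-A-reenrolled")
        (root / "Profile 2").mkdir()
        (root / "Profile 2" / STATE_FILE).write_bytes(b"state-C")
        return diff_inventory(baseline, inventory(root))


if __name__ == "__main__":
    print("demo diff:", demo())
    for root in default_profile_roots():
        for profile, meta in inventory(root).items():
            print(f"{root / profile / STATE_FILE}: {meta}")
```

In practice you would persist the inventory from the first run as the baseline and schedule the diff; a "changed" entry on a host where no user re-enrolled a device is the signal worth investigating.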
Google passkeys use cloud processing via GPM, adding hidden complexity and potential new attack paths despite passwordless security.
cybersecuritynews.com