« All posts

Beyond login: encrypting data with passkeys and WebAuthn PRF

WebAuthn's PRF extension turns passkey login into an encryption key source; pknotes shows a master-password-free, end-to-end encrypted architecture.

A little-discussed WebAuthn extension called PRF lets an authenticator return a deterministic, credential-specific 32-byte value during a passkey login — output that never leaves the browser and can double as an encryption key. pknotes, an end-to-end encrypted notes app, uses this to eliminate master passwords entirely: the same login ceremony that proves identity also unlocks the user's data.

The architecture derives a key-encryption key (KEK) from the PRF output via HKDF, which unwraps a randomly generated AES-256 master key used to encrypt notes with AES-256-GCM. This hierarchy means adding a new device requires only a fresh wrap of the master key rather than re-encryption, recovery works via a one-time code that acts as an alternate wrapping factor, and revoking a device means rotating the master key and re-encrypting — not just deleting a database row. Binding each note's ID into AES-GCM's additional authenticated data also stops a malicious server from silently swapping ciphertexts between records.

For engineers, the practical catch is that PRF support depends on the credential provider, not the browser: iCloud Keychain, Google Password Manager, 1Password and Windows Hello support it, while extensions like Bitwarden can intercept the WebAuthn ceremony and block PRF even when a working platform passkey is available. The author frames this PRF-to-KEK pattern as broadly reusable wherever users currently manage seed phrases or master passwords, while candidly noting its limits: a compromised server can still serve malicious client code or observe metadata, and losing all passkeys and the recovery code means permanent data loss by design.