New ‘Verifiable Passkey’ Standard Addresses Storage Limits and Privacy Concerns
A recently posted arXiv paper introduces a novel “Verifiable Passkey” standard designed to let users employ passkeys issued by a verifiable credential authority across multiple platforms while mitigating storage constraints and privacy risks. The authors argue that the approach could reduce the need for separate passkeys per service and limit reliance on a single identity provider.
Background on Passkey Limitations
Passwordless authentication with FIDO2 passkeys is now widely deployed. A passkey, however, is bound to a single Relying Party (RP) ID: the private key never leaves the authenticator, and the RP stores only the matching public key, so a user needs a distinct passkey for every account. Each discoverable credential occupies a slot on the authenticator, and hardware security keys cap those slots: Yubico YubiKey 5 models running firmware 5.0 to 5.6 hold at most 25 passkeys, while firmware 5.7 and later raise the limit to 100.
Federated Authentication and Privacy Implications
Federated authentication with Single Sign-On (SSO) avoids per-service passkeys in a different way: the user registers one passkey with an Identity Provider (IdP), and the IdP then vouches for the user to each service provider. The trade-off is that every login now flows through the IdP, which can observe and correlate the user's activity across otherwise unrelated services, a point critics have repeatedly raised.
Proposed Verifiable Passkey Standard
The paper proposes a “Verifiable Passkey” built on verifiable credentials. The credential issuer (the role the IdP plays today) issues a credential to the user once; the user then presents it, together with a fresh proof of key possession, to any relying party, which checks the issuer's signature itself rather than calling back to the issuer. According to the authors, this preserves cryptographic proof that the passkey is legitimate while leaving the issuer unable to see where it is used.
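The two mechanisms this page contrasts, the per-RP scoping and slot cap described under “Background on Passkey Limitations” and the issuer-signed credential presented to any RP described here, as one added example. This is not code from the paper and not the paper's protocol; it is a stdlib-only Python model (Python 3.8+, for `pow(x, -1, p)`) of the general pattern. The P-256/ECDSA routines are a compact, non-constant-time teaching implementation standing in for WebAuthn's ES256; the signed payload is a simplification of `authenticatorData || SHA-256(clientDataJSON)`; the class names, the `subject|hex(pubkey)` credential format and the 25-slot default (taken from the YubiKey figure above) are assumptions made for the illustration.

```python
import hashlib
import secrets

# --- P-256 (secp256r1) arithmetic and ECDSA, the algorithm behind WebAuthn's ES256 ---
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add; not constant-time, teaching code only
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _h(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def sign(d, msg):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (_h(msg) + r * d) % N
        if r and s: return r, s

def verify(pub, msg, sig):
    r, s = sig
    if pub is None or (pub[1] ** 2 - pub[0] ** 3 - A * pub[0] - B) % P: return False
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    X = _add(_mul(_h(msg) * w % N, G), _mul(r * w % N, pub))
    return X is not None and X[0] % N == r

def _signed_payload(rp_id, challenge):  # simplified authenticatorData || SHA-256(clientData)
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(challenge).digest()

class Authenticator:
    """Discoverable-credential store with a slot cap (25 = YubiKey 5, firmware 5.0-5.6)."""
    def __init__(self, capacity=25): self.capacity, self.creds = capacity, {}
    def register(self, rp_id):
        if len(self.creds) >= self.capacity: raise RuntimeError("authenticator storage full")
        d, pub = keygen()
        cred_id = secrets.token_bytes(16)
        self.creds[cred_id] = (rp_id, d)  # private key stays here, bound to this RP ID
        return cred_id, pub
    def get_assertion(self, rp_id, cred_id, challenge):
        bound_rp, d = self.creds[cred_id]
        if bound_rp != rp_id:  # RP-ID scoping: never sign for another origin (phishing resistance)
            raise PermissionError(f"credential is bound to {bound_rp}, not {rp_id}")
        return sign(d, _signed_payload(rp_id, challenge))

class Issuer:
    """Verifiable-credential issuer (assumed format); `seen` records every event it can observe."""
    def __init__(self): self.d, self.pub = keygen(); self.seen = []
    def issue(self, subject, holder_pub):
        self.seen.append(("issue", subject))  # issuance is the only contact in the VC flow
        body = f"{subject}|{holder_pub[0]:064x}{holder_pub[1]:064x}".encode()
        return body, sign(self.d, body)  # credential = issuer-signed binding of subject to holder key

class RelyingParty:
    def __init__(self, rp_id): self.rp_id, self.pubkeys = rp_id, {}
    def verify_passkey(self, cred_id, challenge, sig):
        return verify(self.pubkeys[cred_id], _signed_payload(self.rp_id, challenge), sig)
    def verify_vc_presentation(self, issuer_pub, cred, challenge, sig):
        body, cred_sig = cred
        if not verify(issuer_pub, body, cred_sig): return False  # offline: no call to the issuer
        _, hexpub = body.decode().split("|")  # holder key is read from the signed body, never an unsigned field
        holder_pub = (int(hexpub[:64], 16), int(hexpub[64:], 16))
        return verify(holder_pub, _signed_payload(self.rp_id, challenge), sig)

def demo():
    authn, bank = Authenticator(capacity=25), RelyingParty("bank.example")
    cid, pub = authn.register(bank.rp_id)
    bank.pubkeys[cid] = pub
    for i in range(24): authn.register(f"site{i}.example")  # 24 more accounts fill the device
    try: authn.register("one-more.example"); full = False
    except RuntimeError: full = True
    chal = secrets.token_bytes(32)  # constructed challenge; a real RP issues one per ceremony
    passkey_ok = bank.verify_passkey(cid, chal, authn.get_assertion(bank.rp_id, cid, chal))
    try: authn.get_assertion("bank.example.evil", cid, chal); phish_blocked = False
    except PermissionError: phish_blocked = True
    issuer, (holder_d, holder_pub) = Issuer(), keygen()  # one holder key would occupy one slot
    cred = issuer.issue("alice", holder_pub)
    vc_ok = all(rp.verify_vc_presentation(issuer.pub, cred, chal,
                                          sign(holder_d, _signed_payload(rp.rp_id, chal)))
                for rp in (RelyingParty("shop.example"), RelyingParty("mail.example")))
    return {"full_at_25": full, "passkey_ok": passkey_ok, "phish_blocked": phish_blocked,
            "vc_ok": vc_ok, "issuer_saw_only_issuance": issuer.seen == [("issue", "alice")]}
```

Running `demo()` shows the three points in one pass: the 26th registration fails on a 25-slot device, the bank's credential refuses to sign for `bank.example.evil`, and a single issuer-signed credential satisfies two unrelated RPs while the issuer's log never records a login. Two design choices in the model matter for security: the RP takes the holder's public key out of the issuer-signed body rather than from a separate field, since an unsigned field would let anyone swap in their own key under a valid credential; and the holder still signs a per-RP, per-challenge payload, so the credential alone cannot be replayed. This minimal construction does not address linkability: two RPs that compare the holder public key can tell they saw the same user, and whether the paper's scheme prevents that is not something its abstract states.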
Potential Benefits and Use Cases
If adopted, the standard could reduce the number of passkeys a user must manage, easing the burden on hardware storage. It may also enable broader interoperability across devices and platforms, as the same verifiable credential could be used for authentication without centralizing user data.
Open Questions and Future Work
The authors acknowledge that further research is needed to evaluate the security guarantees of the verifiable passkey model, especially in adversarial settings. They also call for standardization bodies to assess compatibility with existing FIDO2 specifications.
Conclusion
Overall, the study presents a promising direction for addressing both storage limitations and privacy risks associated with current passwordless authentication ecosystems. Continued collaboration between researchers, industry groups, and standards organizations will be essential to bring the concept to practical deployment.
This report is based on the abstract of an open-access arXiv preprint; the full text is available via arXiv.