Version: Next

Passkey Support

SyVault fully supports passkeys (FIDO2/WebAuthn) in two ways: storing passkeys for third-party websites so they sync across your devices, and using passkeys as a passwordless login method for your SyVault account itself.

What Are Passkeys?

Passkeys are FIDO2/WebAuthn credentials that replace passwords with public-key cryptography. Instead of typing a password, you authenticate with a biometric (Face ID, fingerprint, Windows Hello) or a hardware security key. Passkeys are phishing-resistant by design -- the credential is cryptographically bound to the website's origin, so it cannot be used on a look-alike domain.

Storing Passkeys for Third-Party Sites

When a website offers passkey registration (e.g., Google, GitHub, Microsoft), SyVault can act as your passkey provider:

  1. Registration -- When a site prompts you to create a passkey, SyVault intercepts the WebAuthn create() call (via the browser extension or Credential Provider on mobile). SyVault generates an ECDSA P-256 key pair, returns the public key to the website, and encrypts the private key into a record in your vault.

  2. Authentication -- When a site prompts you to sign in with a passkey, SyVault identifies the matching credential by the relying party ID (rpId), decrypts the private key, signs the WebAuthn challenge, and returns the assertion to the website. You never type a password.

  3. Sync -- Because the passkey's private key is stored as an encrypted record in your SyVault vault, it syncs across all your devices automatically. Create a passkey on your laptop and use it on your phone minutes later.

How Passkeys Are Encrypted

Passkeys are stored as a specialized record type within your vault:

  • The private key is encrypted with a per-record DEK (AES-256-GCM).
  • The DEK is wrapped with the Vault Key.
  • The public key, rpId, user handle, and credential ID are stored as record metadata (also encrypted).
  • The passkey is indistinguishable from any other record in terms of encryption treatment.
tip

Storing passkeys in SyVault means they are not locked to a single device or platform (unlike iCloud Keychain passkeys or Google Password Manager passkeys). One vault, all devices.

Passwordless SyVault Login

You can also register a passkey for logging into SyVault itself, replacing or supplementing your master password:

Setup

  1. Go to Settings > Security > Passkeys.
  2. Click Register Passkey.
  3. Authenticate with your device's biometric or security key. SyVault registers a WebAuthn credential bound to the SyVault relying party.
  4. Give the passkey a name (e.g., "MacBook Touch ID", "YubiKey 5C").

How It Works

Passwordless login does not bypass the master password cryptographically. Instead:

  1. When you authenticate with your passkey, the server verifies the WebAuthn assertion and issues a session token.
  2. Your encrypted Account Key (wrapped by a key derived from the passkey ceremony via a PRF extension, or a server-escrowed key-encryption-key released upon passkey verification) is decrypted.
  3. The Account Key unlocks your vault as usual.

This means your vault's zero-knowledge encryption is preserved. The passkey replaces the master password as the authentication factor, but the key derivation still depends on cryptographic material that the server cannot access alone.

warning

If you lose all registered passkeys and your master password, you cannot access your vault. Always keep your master password (or recovery key) as a backup. Passkeys are a convenience layer, not a replacement for your master password backup.

Supported Authenticators

SyVault supports any FIDO2-compliant authenticator:

Type                      Examples
Platform authenticator    Touch ID (macOS), Face ID (iOS), Windows Hello, Android biometric
Roaming authenticator     YubiKey 5 series, Google Titan, SoloKeys, Feitian
Software authenticator    Browser-based virtual authenticators (for testing only)

You can register multiple passkeys for redundancy. If one is lost, you can still sign in with another (or fall back to your master password).

Managing Passkeys

Under Settings > Security > Passkeys, you can:

  • View all registered passkeys with their name, type, and last-used date.
  • Rename a passkey for easier identification.
  • Delete a passkey you no longer use or have lost.
  • Register additional passkeys for backup.