Passseeds – Hijacking Passkeys to Unlock New Cryptographic Use Cases

Posted3d agoActive2d ago

csuwldcat

50 points

32 comments

backalleycoder.comTech Discussionstory

informativeneutral

Debate

40/100

PasskeysCybersecurity

Key topics

Passkeys

Cybersecurity

The debate around "PassSeeds" centers on repurposing passkeys as cryptographic seed material, sparking a lively discussion about the terminology used to describe this concept. While the author, csuwldcat, admits to using the term "hijacking" to poke fun at the Passkeys team they worked with at Microsoft, others argue it's misleading and worrying, causing confusion among readers and even AI summarization tools. As commenters weigh in, some highlight existing use cases, like Peanut.me's non-custodial crypto wallets, while others question the advantages over traditional password management or YubiKey's features, prompting csuwldcat to clarify the benefits of automatic syncing across devices. The thread is relevant now as it challenges conventional thinking around passkeys and cryptographic key management.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

N/A

Peak period

0-1h

Avg / period

3.2

Comment distribution29 data points

Loading chart...

Based on 29 loaded comments

Key moments

01Story posted
Jan 6, 2026 at 7:50 PM EST
3d ago
Step 01
02First comment
Jan 6, 2026 at 7:50 PM EST
0s after posting
Step 02
03Peak activity
12 comments in 0-1h
Hottest window of the conversation
Step 03
04Latest activity
Jan 7, 2026 at 11:40 AM EST
2d ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (32 comments)

Showing 29 comments of 32

csuwldcatAuthor

3d ago

3 replies

Passkeys can be hijacked to serve as cryptographic seed material that is securely synced across all of a user’s devices, enabling the generation of a wide range of cryptographic keys. This allows Passkeys to power use cases far beyond what they have traditionally been constrained to. I’ve been calling this mechanism PassSeeds.

I’ll leave the details to the blog post, but here’s a short list of what PassSeeds enable:

- Need a user-custodied BLS12-381 key to engage in more advanced ZKP Verifiable Credential / proofing flows? Say less, you're covered.

- Want to create a petty cash Web wallet for Bitcoin transactions that relies on a secp256k1 key? Ask and ye shall receive.

- How about keys for decentralized social media identifiers and post signing that are of a type other than P-256? No problem, I got you!

phillipseamore

3d ago

3 replies

Why use the word "hijacked" and not repurposing, extending or adapting? I'd even prefer leveraging.

csuwldcatAuthor

3d ago

1 reply

Just sounded cooler , and I was on the team that worked on Passkeys at Microsoft, so I wanted to poke them a bit (in a friendly way).

gcr

3d ago

To me, “hijacking” a passkey sounds like credential disclosure, which is quite worrying for a core team member to talk about. I know what you mean, but it’s probably the wrong term to be using if we want to emphasize that passkeys cannot be stolen.

fladrif

3d ago

I completely agree, I spent half the post confused about what exploits they were taking advantage of, and why I _shouldn't_ use passkeys.

gurjeet

3d ago

+1. I bet it's because of this confusing verbiage, the AI also got the gist of the article wrong, and lead me to believe that this article shows "post-hoc exploit" , when in fact there's no mention of the word 'exploit' in the article. See the screenshot linked below [1].

On a tangent, in the process I learnt that Firefox (at least on desktop) now has an "AI preview" feature where if you long-press on a URL, it brings up the pop-up. The first time, it notifies that the "AI" processing is local-only to preserve privacy.

[1]: Screenshot 2026-01-06 at 6.33.27 PM.png https://drive.google.com/file/d/15z--Oimct30QLuxR03nxMz9H_3L...

MattPalmer1086

2d ago

1 reply

What stops anyone else doing the ECDSA public key recovery hack by signing two identical messages and getting the public key, i.e. the thing you are using as a cryptographic seed?

In general, using a key for a purpose it was not designed for gets you into trouble. Treating a public key as private key seed material is almost certainly going to be a problem. Systems are just not designed to keep public keys secret, even if webauth does.

csuwldcatAuthor

2d ago

1 reply

That would either mean you have arbitrary, malicious code executing in the bound origin (the origin was hacked and shipped malicious code), or you allowed random callers externally to take signatures out of the boundary - don't do either of these things, they are verboten. The whole point is that for the passkey you use as a PassSeed, you never do any signing other than locally for ECDSA recovery.

MattPalmer1086

2d ago

It seems malicious code on the phone can get the public key and thus derive the secret keys. This is weaker protection than PassKeys provide (would have to crack the hardware, not just software).

arjvik

3d ago

I don’t understand why you want to enforce only using the public key instead of private key - while I believe you that as of now browsers do not disclose the public key anywhere, I’d also suspect that this is far more likely to be violated and accidentally disclosed by a bug than the private key, which theoretically cannot ever leave the TPM.

Would KDF(deterministic_sign(“well-known message”)) not also provide valid entropy?

Is it just impossible to force a nonce for a deterministic signature?

josephcsible

3d ago

2 replies

How is this any better than just storing the value in a password manager, or in YubiKey's "Static Password" mode?

Also, the "ECDSA Public Key Recovery" picture makes me suspect this is AI slop.

csuwldcatAuthor

3d ago

1 reply

How it's better: automatically synced across all a user's devices, not subject to manual interactions with input fields (you can't programmatically request/regen passwords the same way you can with this).

I did use AI for the ECDSA public key recovery diagram, because I wasn't about to spend hours hand rolling that in Lunacy. It's correct in broad strokes, and anyone who wants to understand it more deeply can just look at the code, imo.

sandeepkd

3d ago

IMO automatic sync is a mess with the passkeys, it just muddies the whole guarantees around security based on possession, its not available unless you are signed in on the platform (eg. apple account) making the behavior inconsistent

sandeepkd

3d ago

I think if you are doing it in the browser then you bind the flow to the request origin making it phishing resistant compared to a static, origin agnostic storage

notorious_pgb

3d ago

1 reply

Interesting, but the PRF / LargeBlob extensions already enable just such functionality (and more) without relying on the secrecy of a public key.

Why not just use those?

Edit: that's what I get for not reading far enough -- the article addresses this, though I would quibble with the confident assertion that the extensions are not available in major browsers, given I worked for a startup literal years ago which built major functionality on top of these extensions, which were available in (at least) all relevant mobile browsers.

csuwldcatAuthor

3d ago

2 replies

I addressed this in the post - neither is available across all major browsers: https://backalleycoder.com/posts/passseeds-an-experiment-in-...

Ironically, you could make a pollyfill for the PRF functionality with this.

csuwldcatAuthor

3d ago

1 reply

Saw your post above - I didn't "assert falsehoods", both are missing major browser support:

https://caniuse.com/mdn-api_credentialscontainer_get_publick...

notorious_pgb

3d ago

You're right and I was misremembering (we had only developed against modern mobile browsers), though I am 100% certain we made use of these extensions on iOS Safari, so I honestly don't believe caniuse when they assert that it supports _neither_ extension. Per my recollection, iOS Safari supported the large blob extension quite early on.

Apologies for the brash statement earlier; that was wrong of me.

notorious_pgb

3d ago

Very fair (see my edit), though I would submit to you that this isn't a sufficient polyfill for PRF, since PRF allows for a _secondary secret_ alongside the public key, allowing the server to safely store the public key without storing the cryptographic seed material itself.

The inability to use a passkey for the purposes of both authentication and secret storage (at least, without building non-trivial additional cryptographic plumbing) seems to me a reason to just use and push for the continued adoption and acceleration of the purpose-built extensions, instead of reusing a _public_ key as private material.

blibble

3d ago

1 reply

it seems foolish to build a system that relies on the token to essentially be a secure way to store a public key

when the entire point of the token is to guard the private key, and make the public key accessible

csuwldcatAuthor

3d ago

The interesting thing about Passkeys is that they are only ever output in the client create() call, and the platform does not retain them for disclosure after that, so if you don't send them out of the origin boundary, they are treated like a virtually secret value by the platform. It's ironic, because the WebAuthn/Passkey authors (who I know some of) explicitly treat the public key as a sensitive value, and built system assumptions around that, which is what makes this possible. It's a rather gross hack, can't deny it that, but there are a group of use cases for which it is a better fit than any of the far more ugly flows many non-P-256 self-custodied key use cases are accomplished with today.

rsoury

2d ago

1 reply

If a compromised browser extension intercepts the public key, there's an attack vector.

csuwldcatAuthor

2d ago

Yes, this is true, however, that means an external actor is able to execute arbitrary code in your origin, so they could also trick the user into signing malicious payloads with even the native passkey itself. There's more downside to exfiltration here, but having arbitrary code from an external party executing in your page is a more general cause for concern you'd need to mitigate regardless.

coppsilgold

2d ago

1 reply

Ultimately what he is suggesting to do is to bind a string of entropy to a website through facilitation of the browser and a Passkey.

A cryptographic seed is one of the most sensitive things. And here you choose to expose it to a website. This is not something you do for authentication. The only reason to do this is to have javascript/wasm on a website perform sensitive cryptographic operations for you. You should not ever be doing this.

Applications such as a password manager can already integrate entropy from a passkey to secure their key-database using the Challenge-Response protocol: https://docs.yubico.com/yesdk/users-manual/application-otp/c...

csuwldcatAuthor

2d ago

You can run the PassSeed code/mechanism on your own domain or localhost to ensure it's not subject to malicious host exfiltratuon. I agree that one should only trust a foreign host with low-security uses under this scheme.

arianvanp

2d ago

1 reply

Fails with

Error: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-consideration....

On Android

csuwldcatAuthor

2d ago

Hmm, can you provide further details? I'm using it on Android in Chrome and Brave, and it works fine.

nixosbestos

3d ago

Peanut.me uses passkeys for non-custodial crypto wallets. Pretty slick! I'm not paid, but I do use it multiple times a day in kioscos and local cafés in (South American City).

a022311

2d ago

It's interesting to see another use case for passkeys. The demo doesn't work with Bitwarden though :(

3 more comments available on Hacker News

View full discussion on Hacker News

ID: 46521084Type: storyLast synced: 1/7/2026, 9:30:40 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN