Google Password Manager passkey syncing on desktop

Dear all,

Setting chrome://flags/#web-authentication-enclave-authenticator to
"Enabled with GPM PIN enabled" in Chrome Canary will now allow one to test
syncing of GPM passkeys on Windows and macOS.

The passkey secrets themselves aren't synced directly. Rather, a Google
production service is used as a key-wrapping service so that it's not
possible to directly exfiltrate passkey secrets from a desktop device.
Signing with a hardware-backed key on the client is required to access this
service and so Windows devices must have a TPM to use GPM passkeys.
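As an added illustration (not Chrome's or the GPM service's code), the Go sketch below models the arrangement described above: the passkey secret is wrapped under a key the service never hands out, and an unwrap is only granted to a request signed by the device key enrolled for that user, so a copied blob on its own is useless. The key types (P-256 ECDSA standing in for a TPM-resident key), the challenge binding and AES-GCM wrapping are assumptions of this model, not details taken from the announcement.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// WrapService models the enclave: a per-user wrapping key (only ever in memory) plus the enrolled device public key.
type WrapService struct{ wrapKey []byte; deviceKey *ecdsa.PublicKey }
// Enroll creates a device key (stand-in for a TPM key) and registers its public half.
func Enroll() (*ecdsa.PrivateKey, *WrapService) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	wrapKey := make([]byte, 32)
	rand.Read(wrapKey)
	return key, &WrapService{wrapKey, &key.PublicKey}
}
// request binds a fresh service challenge to the exact blob being unwrapped.
func request(challenge, wrapped []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), wrapped...))
	return h[:]
}
// Sign is the client side: authorise one unwrap of one blob with the device key.
func Sign(key *ecdsa.PrivateKey, challenge, wrapped []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, key, request(challenge, wrapped))
	return sig
}
// Wrap returns nonce||ciphertext: the blob may be synced, the wrapping key never is.
func (s *WrapService) Wrap(secret []byte) []byte {
	block, _ := aes.NewCipher(s.wrapKey)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, secret, nil)
}
// Unwrap refuses anything not signed by the enrolled device key: a copied blob alone is useless.
func (s *WrapService) Unwrap(wrapped, challenge, sig []byte) ([]byte, error) {
	block, _ := aes.NewCipher(s.wrapKey)
	g, _ := cipher.NewGCM(block)
	n := g.NonceSize()
	if len(wrapped) < n || !ecdsa.VerifyASN1(s.deviceKey, request(challenge, wrapped), sig) {
		return nil, errors.New("unwrap refused: malformed blob or bad device signature")
	}
	return g.Open(nil, wrapped[:n], wrapped[n:], nil)
}
```

In the real deployment the wrapping key and unwrapped secret exist only transiently inside the SEV-SNP enclave, which is what the later attestation check is meant to let Chrome confirm.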

The service only holds user secrets transiently in memory and runs under
SEV-SNP <https://www.amd.com/en/developer/sev.html> using Oak
<https://github.com/project-oak/oak/blob/main/README.md>. While not
available yet, the source and a reproducible build will be published.
Chrome will later gain the ability to check the attestation from AMD and
record the code hashes observed, which will match up with the reproducible
build.

There is not yet support for using GPM passkeys on iOS and so Chrome on
macOS will only default to creating credentials in GPM if there is evidence
that the user would be well served by this vs using iCloud Keychain. Such
evidence includes: having passkeys in GPM already, syncing to a non-Apple
device, or having denied Chrome iCloud Keychain permission in the past.

If reporting a bug, please include the contents of chrome://device-log.


Cheers

AGL

Received on Thursday, 11 July 2024 23:23:18 UTC