Google’s Cloud Passkey Architecture: Passwordless, But Not Attackless

Passwordless authentication was meant to end account takeovers. By replacing passwords with cryptographic keys tied to physical devices, it promised a future where stolen credentials couldn’t unlock accounts. But a deep dive into Google Authenticator’s passkey architecture reveals a hidden cloud component that may introduce new attack paths — ones not covered by FIDO or W3C documentation.

What’s Under the Hood

Google’s passkey system, powered by Google Password Manager (GPM), doesn’t behave like a traditional hardware authenticator. Instead, it relies on a cloud-based authenticator hosted at enclave.ua5v.com, which:

  • Generates passkey keys
  • Handles authentication requests
  • Syncs credentials across devices

Every login triggers a WebSocket connection to this domain, where sensitive cryptographic operations occur — silently and remotely.

Key Findings from Unit 42

Unit 42 researchers approached the architecture from an attacker’s perspective and uncovered:

  • Device onboarding: Chrome generates TPM-backed identity and verification keys, then registers them with the cloud.
  • Local state file: passkey_enclave_state stores encrypted onboarding data in the Chrome profile directory.
  • Hybrid key model: Private keys aren’t stored directly on the device. Instead, they’re encrypted with a Security Domain Secret (SDS) managed by the cloud.
  • Login flow: Chrome sends the wrapped SDS to the cloud, which decrypts it, signs the authentication response, and returns it to Chrome.

Why This Matters

This design concentrates cryptographic authority in a remote cloud enclave. If compromised or impersonated, it could allow attackers to:

  • Forge valid authentication responses
  • Hijack synced passkeys across devices
  • Bypass local device protections

The use of the Noise Protocol Framework and TPM-backed keys adds security, but the cloud’s central role introduces a single point of failure.

Recommendations

For organizations and individuals using synced passkeys via GPM:

  • Audit Google account activity: Look for unexpected device enrollments.
  • Review authentication logs: Watch for anomalies in login behavior.
  • Use hardware keys: Prefer FIDO2-compliant physical authenticators for sensitive accounts.
  • Monitor enclave domains: Flag traffic to enclave.ua5v.com for inspection.
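As an added example (not code from the original post or from Unit 42), here is a small detection routine for the last recommendation: it scans proxy log lines for connections to enclave.ua5v.com or any of its subdomains and reports which clients opened them and whether the request carried a WebSocket upgrade, as the page says logins do. The log format and the sample lines are constructed for illustration, not a real tool's output.

```python
import csv
import io
from collections import Counter

# Domain named on the page as the cloud enclave endpoint used by GPM passkeys.
ENCLAVE_DOMAIN = "enclave.ua5v.com"

# Constructed sample proxy log lines (hypothetical format, not a real tool's):
# timestamp,client_ip,method,dest_host,dest_port,upgrade_header
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,10.0.0.12,GET,www.example.com,443,
2024-05-01T09:00:05Z,10.0.0.12,GET,enclave.ua5v.com,443,websocket
2024-05-01T09:01:10Z,10.0.0.23,GET,ENCLAVE.UA5V.COM,443,websocket
2024-05-01T09:02:00Z,10.0.0.23,GET,cdn.example.net,443,
2024-05-01T09:03:30Z,10.0.0.12,GET,sub.enclave.ua5v.com,443,websocket
2024-05-01T09:04:00Z,10.0.0.40,GET,notenclave.ua5v.com,443,websocket
"""


def is_enclave_host(host):
    """True for the enclave domain itself or any subdomain of it (case-insensitive).

    A plain suffix match would also catch look-alike names such as
    notenclave.ua5v.com, so the check requires a label boundary.
    """
    h = host.strip().lower().rstrip(".")
    return h == ENCLAVE_DOMAIN or h.endswith("." + ENCLAVE_DOMAIN)


def flag_enclave_traffic(log_text):
    """Return (findings, per_client_counts) for connections to the enclave domain."""
    fields = ["ts", "client", "method", "host", "port", "upgrade"]
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=fields)
    findings = []
    counts = Counter()
    for row in reader:
        if not is_enclave_host(row["host"]):
            continue
        counts[row["client"]] += 1
        findings.append({
            "ts": row["ts"],
            "client": row["client"],
            "host": row["host"].strip().lower(),
            # The page notes each login opens a WebSocket to this domain.
            "websocket": row["upgrade"].strip().lower() == "websocket",
        })
    return findings, counts


if __name__ == "__main__":
    hits, per_client = flag_enclave_traffic(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(per_client))
```

Feed it your own proxy or DNS export in the same column order and compare the per-client counts against the hosts you expect to be using GPM passkeys.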

Final Thought

Google’s passkey architecture is a technical marvel — but also a reminder that passwordless doesn’t mean riskless. As authentication shifts to cloud-mediated models, defenders must rethink where trust lives, how keys move, and what happens when the cloud becomes the target.
