Passkeys for E2E Encryption & WebAuthn Origin Validation in Native Apps - This Week at Passkeys
Passkeys & WebAuthn PRF for E2EE - WebAuthn Origin Validation in Native Apps
What a Week!
🔒 Passkeys & WebAuthn PRF for End-to-End Encryption (2025)
📱 WebAuthn Origin Validation in the Context of Native Apps
Here are this week’s topics that you don’t wanna miss out on!
Questions from passkey integration projects
See what others have asked about integrating passkeys:
#14 What is the best way to encourage users to adopt passkeys?
To boost adoption, use an opt-out approach for new registrations - automatically prompt users to create a passkey rather than waiting for them to opt-in. Additionally, integrating automatic prompts after successful logins or account creation significantly increases passkey adoption rates.
Passkeys + PRF: End‑to‑End Encryption, Explained
Passkeys can do more than log you in. Thanks to WebAuthn’s PRF extension, they can mint encryption keys on the fly. That unlocks real client‑side, end‑to‑end encryption in the browser: no extra passwords, just your passkey. The post covers practical wins like passwordless vault unlocks (already rolling out at Dashlane and announced by Bitwarden), seamless key rotation with two salts, and even identity wallets. Support today is mixed: Android is strong; macOS/iOS work via iCloud Keychain (with an early iOS 18 caveat); Windows Hello still lacks hmac‑secret so you’ll need a security key; Firefox lags in spots. There’s a quick demo to test your setup, plus simple dev tips: treat PRF as an optional upgrade, plan for passkey loss and expect broader coverage by 2026. Curious how PRF beats credBlob/largeBlob and password‑derived keys and where it fits in your roadmap?
WebAuthn origins in native apps: Android vs. iOS, the quick guide
Origin is the “who” behind every WebAuthn request.
On the web it’s just https://your‑site, but native apps play by different rules.
Android builds the origin from the app’s signing cert: take the SHA‑256 fingerprint, convert it to base64url (no padding), and you get android:apk-key-hash:… that your server must match exactly. iOS uses https:// + your RPID (your domain) and ties trust to an Apple App Site Association file.
Servers should whitelist both origins and check them on every registration and login - Go, JS/TS, and PHP libraries make this easy. There are gotchas too: WebViews (assetlinks.json on Android, WKWebView only on iOS) and multi‑env builds where each flavor needs its own fingerprint or AASA. Want the exact steps, code, and pitfalls to avoid?
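The origin allowlist and the exact-match check described above, as an added example (not code from the newsletter or any of the libraries it mentions); the RP ID example.com, the certificate bytes and the clientDataJSON payloads are constructed for illustration:

```python
import base64
import hashlib
import json

# Hypothetical relying-party ID used for the web and iOS origin.
RP_ID = "example.com"

# Constructed stand-in for a DER-encoded APK signing certificate.
SAMPLE_CERT_DER = b"constructed-apk-signing-cert-not-a-real-certificate"

ANDROID_PREFIX = "android:apk-key-hash:"


def _b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as the Android origin requires."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def android_origin_from_cert(cert_der: bytes) -> str:
    """Origin derived from the SHA-256 of the app's signing certificate."""
    return ANDROID_PREFIX + _b64url_nopad(hashlib.sha256(cert_der).digest())


def android_origin_from_fingerprint(hex_fingerprint: str) -> str:
    """Same origin, starting from the colon-separated hex fingerprint keytool prints."""
    raw = bytes.fromhex(hex_fingerprint.replace(":", "").lower())
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return ANDROID_PREFIX + _b64url_nopad(raw)


def allowed_origins(rp_id: str, android_fingerprints: list[str]) -> set[str]:
    """Web and iOS share https://<rp_id>; each Android build flavour adds its own hash origin."""
    origins = {f"https://{rp_id}"}
    for fp in android_fingerprints:
        origins.add(android_origin_from_fingerprint(fp))
    return origins


def validate_client_data_origin(client_data_json: bytes, allowed: set[str]) -> bool:
    """Exact string match of clientDataJSON.origin against the allowlist; no normalisation."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    origin = data.get("origin") if isinstance(data, dict) else None
    return isinstance(origin, str) and origin in allowed
```

Run the check on both registration and assertion responses; a trailing slash, a padded hash or a differently signed build flavour is a different origin and must be rejected.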
More interesting news around passkeys:
NIST SP 800-63B-4: Digital Identity Guidelines - Authentication and Authenticator Management
Passkeys Gain Enterprise Momentum as Sophos Reports 20% Adoption Rate
Join the Passkeys Community!
Our mission is to free the world from passwords to make the Internet a safer place - this can only be accomplished together.
Join our passkeys community to connect with other passkey enthusiasts, stay up-to-date, get implementation support and show your passkeys projects!