Explore Google’s synced passkey architecture. Unit 42 details its mechanisms, key management, and secure communication in passwordless systems."

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

A deep technical analysis of Google's synced passkey architecture, specifically the cloud-based Google Authenticator component (enclave.ua5v.com). Covers the full lifecycle: device onboarding with TPM-backed identity and user-verification keys, security domain secrets, passkey creation and synchronization via WebauthnCredentialSpecifics, and the login assertion flow. Also details the secure communication protocol using OAuth2 tokens, WebSocket connections, Noise-NK handshake (P256/AESGCM/SHA256), and how device keys are signed using Windows CNG/TPM APIs. The post is Part 2 of a series, laying groundwork for upcoming attack vector analysis against passwordless systems.

Google Authenticator: The Hidden Mechanisms of Passwordless Authentication