Passwordless solutions were intended to eliminate the threat of account takeovers by replacing traditional passwords with cryptographic keys linked to physical devices. While this approach promised enhanced security, an in-depth analysis of Google’s passkey system uncovers complexities that might introduce new vulnerabilities. Google’s implementation, underpinned by a hidden cloud component, may inadvertently open new pathways for attacks.
Understanding Google’s Passkey Architecture
Unlike typical hardware authenticators, Google’s passkey system operates differently. When users log into services using Chrome and a passkey managed by Google Password Manager, their browsers connect to a remote service at enclave.ua5v[.]com. This cloud-based authenticator is responsible for key generation, managing authentication requests, and synchronizing credentials across devices.
As of early 2026, limited public information was available about this domain’s role in passkey authentication, despite its global usage. Researchers from Unit 42 found this cloud-centric architecture during a detailed security review of Google’s passkey implementation from an attacker’s perspective, revealing a broader attack surface than previously documented.
Potential Security Implications
The architecture relies on a background onboarding process before passkeys can be utilized. Chrome generates two key pairs using the device’s Trusted Platform Module (TPM) — an identity key and a user verification key — and registers them with the cloud-based authenticator. The cloud component then stores these keys and assigns a wrapping key to each device, establishing it within the user’s security domain.
This design, where private keys are encrypted and stored remotely, raises significant trust issues. Every login necessitates sending the wrapped Security Domain Secret (SDS) back to the cloud for decryption and signing, concentrating cryptographic authority within a potentially vulnerable cloud enclave.
Cloud Authenticator’s Role and Risks
Communication between Chrome and the cloud authenticator is secured through the Noise Protocol Framework, using a specific handshake variant. During passkey logins, Chrome sends commands alongside device IDs and wrapped SDSs to the cloud, which then decrypts and signs authentication responses. This centralized cryptographic process, if compromised, could allow attackers to forge authentication responses for any user.
Given these risks, organizations and users relying on Google’s synced passkeys should vigilantly monitor their accounts for unusual device enrollments and audit authentication logs for irregular access patterns. For high-security needs, FIDO2-compliant hardware security keys might offer a more secure alternative.
Stay updated on the latest developments by following our updates on Google News, LinkedIn, and X, and consider setting CSN as your preferred source in Google.
