Inventor(s)

Abstract

Techniques are described for passkey-authenticated encrypted backup and recovery using split-trust key derivation. A client device performs passkey authentication via WebAuthn/FIDO2 and invokes a PRF extension to obtain a high-entropy pseudorandom output. The client derives a client-side key component (e.g., a BackupRootKey via HKDF) from the PRF output and obtains a server-side secret from a backup service only after successful passkey authentication. The client combines the client-side key component and the server-side secret using a key derivation function to produce a backup encryption key used to encrypt backup data for cloud storage and to decrypt the backup during restore. Passkey credentials may be stored and synchronized via a password manager to enable cross-device recovery using biometric or device-unlock authentication without memorized passwords or long keys.
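The split-trust derivation the abstract describes, as an added Python example that is not part of the disclosure: HKDF is the RFC 5869 construction written over the standard library, the info labels and the stand-in `BackupService` are assumptions, and the PRF output, credential id and server secret are constructed values (the symmetric encryption of the backup with the resulting key is out of scope here).

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
KEY_LEN = 32

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract: PRK = HMAC-Hash(salt, IKM); an empty salt means a zero block.
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated and truncated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_backup_root_key(prf_output: bytes) -> bytes:
    # Client-side component: BackupRootKey = HKDF(PRF output). The info label is an assumption.
    return hkdf_expand(hkdf_extract(b"", prf_output), b"BackupRootKey", KEY_LEN)

def derive_backup_encryption_key(backup_root_key: bytes, server_secret: bytes) -> bytes:
    # Split-trust combination: the client component is the IKM and the server secret
    # the salt, so neither party's share alone reproduces the backup encryption key.
    return hkdf_expand(hkdf_extract(server_secret, backup_root_key), b"BackupEncryptionKey", KEY_LEN)

class BackupService:
    # Constructed stand-in for the backup service: the per-credential server-side
    # secret is released only once the passkey assertion has been verified.
    def __init__(self) -> None:
        self._secrets: dict[bytes, bytes] = {}

    def server_secret(self, credential_id: bytes, assertion_verified: bool) -> bytes:
        if not assertion_verified:
            raise PermissionError("server secret is released only after passkey authentication")
        return self._secrets.setdefault(credential_id, secrets.token_bytes(KEY_LEN))

def client_backup_key(prf_output: bytes, service: BackupService,
                      credential_id: bytes, assertion_verified: bool) -> bytes:
    # Client flow from the abstract: PRF output -> BackupRootKey, fetch the server
    # secret after authentication, then combine both into the backup encryption key.
    root = derive_backup_root_key(prf_output)
    return derive_backup_encryption_key(root, service.server_secret(credential_id, assertion_verified))
```

The same call on a second device that holds the synchronized passkey (hence the same PRF output) and authenticates to the same service yields the same key, which is what makes the restore path work.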

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
