What happened
A hidden Google passkey architecture could open new passwordless attack paths by relying on a remote cloud component during authentication. According to research from Unit 42, passkey logins backed by Google Password Manager do not function solely as device-bound authentication events. Instead, when a Chrome user logs in with a synced passkey, the browser connects to a remote service hosted at enclave.ua5v[.]com, which acts as a cloud-based authenticator. The researchers said this service generates the passkey keys, handles authentication requests, and keeps credentials synchronized across a user’s enrolled devices. They also found that the onboarding process creates hardware-backed key pairs using the device’s Trusted Platform Module, stores the resulting state locally in a passkey_enclave_state file, and relies on a Security Domain Secret managed by the cloud authenticator during login.
Who is affected
The potential exposure affects organizations and individuals using synced passkeys through Google Password Manager in Chrome. The issue is indirect but meaningful for users whose authentication depends on the cloud authenticator architecture described in the research rather than a passkey model locked to a single physical device.
Why CISOs should care
This matters because the reported design places substantial trust in a remote cloud authenticator that performs sensitive cryptographic operations during passkey logins. For CISOs, the relevance is that the architecture concentrates authentication authority in a cloud-side component that researchers said could become a target for compromise or impersonation.
3 practical actions
- Audit enrolled device trust: Review Google account device enrollments and authentication records for unexpected additions or unusual access patterns tied to passkey use.
- Differentiate passkey deployment models: Distinguish between cloud-synced passkeys and device-bound authenticators when assessing authentication architecture for sensitive environments.
- Use hardware keys for high-sensitivity access: Consider FIDO2-compliant hardware security keys for privileged or high-sensitivity accounts where cloud-synced passkeys may not match your risk tolerance.
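One way a relying party can tell the two deployment models apart, shown as an added example that is not from the Unit 42 research or from Google: the WebAuthn authenticatorData header carries Backup Eligible (BE) and Backup State (BS) flag bits, which a server can read to separate synced passkeys from device-bound credentials. The RP ID, the sample bytes and the privileged-access policy are constructed for illustration, and the sketch assumes the assertion signature has already been verified.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (W3C WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced
FLAG_BS = 0x10  # backup state: credential is currently backed up


def classify_passkey(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the fixed 37-byte authenticatorData header and classify it."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (uint32, big-endian)
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    be, bs = bool(flags & FLAG_BE), bool(flags & FLAG_BS)
    if bs and not be:
        # The spec does not allow BS=1 with BE=0; reject as malformed.
        raise ValueError("invalid flags: BS set without BE")
    model = "synced" if bs else "sync-eligible" if be else "device-bound"
    return {"model": model, "user_verified": bool(flags & FLAG_UV),
            "sign_count": sign_count}


def allowed_for_privileged(auth_data: bytes, rp_id: str) -> bool:
    """Hypothetical policy: privileged logins need a device-bound, UV credential."""
    info = classify_passkey(auth_data, rp_id)
    return info["model"] == "device-bound" and info["user_verified"]


def make_sample(rp_id: str, flags: int, count: int) -> bytes:
    """Build constructed authenticatorData for the demo (not captured traffic)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)


RP_ID = "login.example.test"  # constructed RP ID
SYNCED = make_sample(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
HARDWARE_KEY = make_sample(RP_ID, FLAG_UP | FLAG_UV, 7)

if __name__ == "__main__":
    for name, data in (("synced", SYNCED), ("hardware key", HARDWARE_KEY)):
        print(name, classify_passkey(data, RP_ID), allowed_for_privileged(data, RP_ID))
```

The flags are reported by the authenticator itself, so treat them as a policy signal and pair them with attestation where the authenticator model must be proven.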
