Archived· 2025

Passkeys Lab

An interactive lab for auditing passwordless authentication

Passkeys Lab is an interactive tool for seeing how passwordless authentication actually works. Instead of treating WebAuthn/FIDO2 as a black box, it makes the cryptographic handshake visible in real time — every challenge, signature and origin check — so you can watch a passkey login happen step by step. I built it for an IT Security course, but the real goal was my own: to understand a protocol by rebuilding it, not just reading the spec.

The build

The lab runs two modes side by side. In Manual mode, it talks directly to the WebAuthn API and exposes the full protocol — a live "x-ray" trace of the registration and login handshakes as they happen. In Vendor mode, it wires up a commercial passkey provider (Corbado) so you can feel the exact trade-off: convenience versus transparency, buy versus build. On top of that it demonstrates the security properties that make passkeys phishing-resistant — origin binding, single-use challenges, and a signature counter that detects cloned authenticators — each one something you can actually trigger and observe rather than take on faith. It's backed by a Flask app using py_webauthn, with end-to-end Playwright tests running across Windows, Linux and macOS on Python 3.9–3.12.

Highlights

  • Live protocol tracing — watch the WebAuthn cryptographic handshake in real time
  • Build-vs-buy comparison: manual implementation side by side with a commercial vendor (Corbado)
  • Demonstrable phishing resistance: origin binding, replay protection, cloned-authenticator detection
  • Full E2E test suite (Playwright) with CI across 3 operating systems and 3 Python versions
  • Open source (MIT) — free for any use, including commercial

What surprised me

I expected the hard part to be the cryptography. It wasn't — the libraries handle the maths. What surprised me was how much of "security" is really about what you can see. In vendor mode everything just works, but you can't watch any of it; in manual mode it's more work, but every step is visible and auditable. Building both side by side made the real lesson obvious: transparency is a feature, not a cost. You can't trust what you can't inspect — and that trade-off between convenience and visibility is a decision, not an accident.

Related stories