Google Authenticator: The Hidden Mechanisms of Passwordless Authentication
ID: 420ea2ef-368c-5955-ac95-7ffbda4b6724
STIX ID: report--420ea2ef-368c-5955-ac95-7ffbda4b6724
Feed Name: Palo Alto Networks Unit 42
Palo Alto Networks Unit 42 analyzes Google Authenticator’s cloud-based passkey architecture, covering device onboarding, TPM-backed identity and user-verification keys, wrapping keys, the security domain secret (SDS), passkey creation and synchronization, and the Noise-protected WebSocket communication. The analysis shows how synced passkeys introduce a new hybrid attack surface that could enable remote device impersonation or passkey compromise. The report documents implementation details and defensive mitigations but does not report observed active exploitation.
