WebAuthn PRF Demo with Derived Secrets

This demo shows how to deterministically generate a secret key from your passkey, making the cross-device flow easy to understand.

Step 1: Create an Account & Register a Passkey

First, choose a username and register it on one device. This will create a passkey and link it to your Google Account (or other passkey provider).

Step 2: Authenticate and Get the PRF Secret

Use the 'Authenticate' button to log in. The secret key below will be generated from your passkey.

To test on another device:

Open this page on your second device (e.g., your tablet).
Enter the exact same username you registered with.
Click "Authenticate & Generate Secret."
You will see the exact same secret keys appear below!

PRF Secret Key (Base64):

Step 3: Derive Secrets from PRF Output

The raw PRF output is a 32-byte (256-bit) random number. While useful for computers, it's not user-friendly. We can deterministically convert this single source of entropy into various formats. Any device that authenticates with your passkey will generate the exact same secrets below.

⚠️ Security Warning: This is for demonstration purposes only. Displaying raw secret keys and mnemonics is risky. In a real application, these values would be used directly by the client-side code and never shown to the user.

24-Word Recovery Phrase (BIP-39)

This is a standard format for crypto wallet recovery. These 24 words can be used to restore access to a cryptocurrency wallet derived from the PRF secret.

Hexadecimal Representation (64 characters)

This is the raw 32-byte secret, displayed as a hexadecimal string. This format is common in many cryptographic applications.