Advanced tools that let you encode, decode, modify, and intercept WebAuthn attestations and assertions directly within your browser.
Welcome to Passkeys.Tools
Passkeys.Tools is a comprehensive suite of development and debugging tools for WebAuthn/Passkey implementations. These tools enable full emulation of clients (browsers) and authenticators to thoroughly test relying party implementations, security compliance, and edge cases.
Featured Tools:
Create: Simulates navigator.credentials.create() WebAuthn API calls to test credential registration flows.
Get: Simulates navigator.credentials.get() for testing authentication flows.
Attestation: Decode, modify, and encode attestation objects in various formats (like jwt.io for WebAuthn). Load custom keys or store keys in integrated storage.
Assertion: Decode, modify, and encode assertions. Sign with arbitrary keys from storage or verify existing signatures.
Keys: Integrated key storage with import/export capabilities. Convert between COSE, JWK, and other formats. Generate new keys with all standardized algorithms and manage credential IDs.
Users: Manage user accounts across relying parties with RP IDs, usernames, display names, and user IDs. Automatically captures users from registrations.
Converters: Simple utilities for converting between various encoding formats.
Interceptor: Requires companion browser extension. Intercepts all WebAuthn operations for modification (like Burp Suite for WebAuthn). Includes built-in security and compliance tests.
History: Tracks all interceptions and modifications, enabling values to be swapped across different passkey operations and browsers (e.g., between a victim's and an attacker's browser).
Usage Modes:
There are three different ways to use Passkeys.Tools:
Standalone Testing: The simplest way to use these tools. Everything runs on this website and stays in your browser; there are no server-side components and no browser extension is required. Keys you create are kept in your browser's localStorage (scoped to this origin and never transmitted), so treat them as test keys, not as production credentials. Use these keys to manually create attestations, encode or decode existing ones, sign assertions, verify signatures, and test create/get API calls.
Live Testing: Requires installation of the companion browser extension, which overrides the WebAuthn APIs in the browser to intercept every API call and present it in the tool. This allows live capture and modification of ongoing WebAuthn operations. History is stored in localStorage; again, nothing is sent server-side, and all operations happen locally in your browser.
Cross-Browser Testing: Needed when two browsers are used to simulate WebAuthn operations in a victim and an attacker browser at the same time. Because the data must be shared across browsers, a backend component is required. In this mode, keys, users, and history are stored server-side, protected with a unique key so that only you can access the data. Do not use this server-side storage for real production passkeys or private accounts; it is for testing only. This setup enables scenarios such as taking the challenge issued to the victim's browser and substituting it into a registration or authentication in the attacker's browser, to test whether the relying party rejects a challenge it did not issue for that session.