mrmoosehead

Reputation: 145

Using a passkey for unattended execution

I'm pretty sure this isn't possible, but I'm going to ask the hive mind. Looking to implement a standards-based secure virtual machine credential to use from web-based applications that can be automated. I know, a lot to ask.

One possibility is Windows Hello - however automating that is hard as it is not allowed to be used whilst connecting to a machine with RDP - this is used by most RPA solution providers for creating sessions. If you can get it working, then it can be authenticated as a platform authenticator.

Passkeys can be created on a different device to the consuming application. However, as I understand it, the user presence check (e.g. BLE or OOB check) is required to ensure that either the user is present, or that the user has approved use of the portable key.

Is there any possible scenario where a passkey credential (or other WebAuthn credential) can be used by the web credential APIs without user interaction on a separate device (other than a platform authenticator such as Windows Hello)?

Upvotes: 0

Views: 109

Answers (1)

agl

Reputation: 1682

The protocol that security keys speak (CTAP) permits silent signatures to be requested by setting the up (user presence) flag to false in the request(*). However, this ability is never exposed at the WebAuthn level. So, if you can speak CTAP directly to the security key, you can do it, but you can't do it via browsers.

You could use a browser extension with native messaging to communicate with a local process that either speaks CTAP to a security key, or stores a key locally (e.g. in a TPM).

(*) Some security keys have the alwaysuv feature enabled, in which case that won't work, but that's a minority of security keys.

Upvotes: 1
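As an added illustration of the answer above (not code from the answerer or from any library), the following builds the CBOR body of a CTAP2 authenticatorGetAssertion request with the "up" option set to false, and shows the authenticator-data flag a relying party checks to notice that an assertion was produced without a user-presence test. The RP ID, client data and sample authenticator data are constructed; no real security key is involved.

```python
# Added example: CTAP2 getAssertion request with options {"up": false}, plus the
# RP-side user-presence flag check. RP_ID, the client data and the sample
# authenticator data below are constructed values, not taken from any real device.
import hashlib

CTAP2_GET_ASSERTION = 0x02          # CTAP2 command byte for authenticatorGetAssertion
RP_ID = "example.com"               # constructed relying-party ID
FLAG_UP = 0x01                      # authenticator-data flags bit 0: user present
FLAG_UV = 0x04                      # authenticator-data flags bit 2: user verified

def _head(major, n):
    """CBOR initial byte(s) for a major type and length/value n (n < 65536 here)."""
    if n < 24:
        return bytes([major | n])
    if n < 256:
        return bytes([major | 24, n])
    return bytes([major | 25]) + n.to_bytes(2, "big")

def cbor_encode(value):
    """Minimal canonical CBOR encoder covering the types a getAssertion request uses."""
    if isinstance(value, bool):
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int) and 0 <= value < 24:
        return bytes([value])
    if isinstance(value, str):
        data = value.encode()
        return _head(0x60, len(data)) + data
    if isinstance(value, bytes):
        return _head(0x40, len(value)) + value
    if isinstance(value, dict):
        # canonical CBOR: keys sorted by encoded length, then bytewise
        items = sorted(value.items(), key=lambda kv: (len(cbor_encode(kv[0])), cbor_encode(kv[0])))
        return _head(0xa0, len(items)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in items)
    raise TypeError(f"unsupported type {type(value).__name__}")

def get_assertion_request(rp_id, client_data_hash, user_presence=True):
    """Serialise the CTAP2 request: key 1 rpId, key 2 clientDataHash, key 5 options."""
    params = {1: rp_id, 2: client_data_hash, 5: {"up": user_presence}}
    return bytes([CTAP2_GET_ASSERTION]) + cbor_encode(params)

def user_presence_asserted(auth_data):
    """RP-side check: the flags byte follows the 32-byte rpIdHash; WebAuthn requires UP set."""
    return bool(auth_data[32] & FLAG_UP)

client_data_hash = hashlib.sha256(b'{"type":"webauthn.get","challenge":"constructed"}').digest()
SILENT_REQUEST = get_assertion_request(RP_ID, client_data_hash, user_presence=False)
PRESENT_REQUEST = get_assertion_request(RP_ID, client_data_hash, user_presence=True)
# constructed authenticator data: rpIdHash || flags || 4-byte signature counter
SILENT_AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x00]) + (7).to_bytes(4, "big")
PRESENT_AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([FLAG_UP]) + (8).to_bytes(4, "big")
```

A relying party that follows the WebAuthn verification steps rejects an assertion whose UP flag is clear, which is why a silent CTAP signature only helps against services that deliberately relax that check.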
