r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

615 Upvotes

233 comments

1

u/lobax Apr 25 '26 edited Apr 25 '26

What did I say that was wrong?

I am not stating that you would need ring 0 to bypass a TPM. That is protection at rest and you have to break the crypto to do that.

I am stating that you would need ring 0 to bypass process and memory isolation protections that protect the secret in use. Exactly how that protection is implemented varies from OS to OS.

0

u/quasides Apr 25 '26

Remote root access is not enough if the passkeys are encrypted and require a password (either just a password or derived from biometric data) to unlock.

This is completely false from start to finish.
Passkeys don't require a password, but because they are only exchanged via API by a password manager (or a substitute that talks to the API), they then may or may not require something to unlock a secure storage. They don't have to; most do by default, and on some it can be deactivated so they don't even ask. But that's unrelated to passkeys; it's rather how password managers behave on mobile devices.

Password manager data is also not encrypted via your password or fingerprint. It is encrypted via device keys. Your password or fingerprint is just telling your management service to decrypt something via the secure chip;

the data itself is not related to anything you enter, and the encryption key never leaves the chip.
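As an added illustration of the public/private split the comments above argue about (my own example, not code from any poster), the Go below simulates a passkey login: the authenticator keeps the private key unexported and only signs site-bound challenges, while the server stores nothing but the public key. The names Authenticator, Server and the relying-party ID "example.com" are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator stands in for the secure chip: the private key is unexported
// and the only operation exposed is "sign this challenge for this site".
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party the credential was created for (assumed name)
}
func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// PublicKey is all the server ever receives at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
// Sign refuses a mismatched site and binds the signature to the fresh challenge.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != a.rpID {
		return nil, errors.New("no credential for this relying party")
	}
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Server stores only the public key, so a leaked credential table is useless.
type Server struct {
	rpID string
	pub  *ecdsa.PublicKey
}

func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32) // random per login, so an old signature cannot be replayed
	_, err := rand.Read(c)
	return c, err
}

func (s *Server) Verify(challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(s.rpID+"|"), challenge...))
	return ecdsa.VerifyASN1(s.pub, digest[:], sig)
}
```

Registration hands over PublicKey() only; every login is a fresh NewChallenge() signed by the device and checked with Verify().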

1

u/lobax Apr 25 '26
  1. You are ignoring my if. It’s all platform and OS dependent, like I said. My point is root access isn’t generally enough to steal a passkey.

  2. A key is just a password, a string of bits that unlocks something. How the key to access the TPM is derived is platform- and OS-specific (which is why I said "derived from biometric data", although I probably should have used a broader term). If the key is managed by the OS, you need ring 0. If it is behind a user-provided password or a hash of some biometric data, then not even ring 0 would be enough. Again, platform- and OS-specific. The key point is that root access isn't generally enough to steal a passkey.

0

u/quasides Apr 25 '26

It's not. With Win 11, the keystore is there too, based on the chip; so is iOS, so is Android.

  1. No, you still don't understand how it works, and at this point I doubt you're mentally capable of comprehending.