
Researcher Implements and Demonstrates Passkeys Functionality on a PHP/JavaScript Test Website
A researcher implements and demonstrates how passkeys work on a test website using PHP and JavaScript.

The creation process begins when the client requests the necessary arguments (create args) from the server, including the site ID (relying party), the username, and a unique challenge to prevent replay attacks. The browser then calls navigator.credentials.create(), which communicates with the operating system or the TPM (Trusted Platform Module) to generate a public/private key pair. The returned data includes client data, attestation data with certificates, and the ECDSA public key, which is stored in the server's database.

For authentication, the process is similar: the server sends a challenge and a list of authorized credentials, the browser calls navigator.credentials.get(), and the TPM signs the challenge with the private key. The server then verifies the signature, confirming that only the device possessing the private key could have responded.

The demonstration shows all the JSON data exchanged between the client and server, revealing the technical complexity hidden behind the simple user interface.
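The server-side verification step described above, as an added Node.js example (not the researcher's PHP code). In WebAuthn the signed bytes are the authenticator data followed by the SHA-256 hash of the client data JSON, which carries the challenge and origin. The names verifyAssertion and makeAssertion, the host example.test, and the software key pair standing in for the TPM are assumptions made for this sketch.

```javascript
const crypto = require("node:crypto");
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Server-side checks on a navigator.credentials.get() response (hypothetical helper).
// expected = { challenge, origin, rpId, publicKey } taken from the session and the database.
function verifyAssertion(resp, expected) {
  let clientData;
  try { clientData = JSON.parse(resp.clientDataJSON.toString("utf8")); }
  catch { return "malformed clientDataJSON"; }
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expected.challenge) return "challenge mismatch";
  if (clientData.origin !== expected.origin) return "origin mismatch";
  const authData = resp.authenticatorData;
  if (authData.length < 37) return "authenticatorData too short";
  if (!authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return "rpIdHash mismatch";
  if ((authData[32] & 0x01) === 0) return "user not present";
  // ECDSA P-256 signature (DER) over authenticatorData || SHA-256(clientDataJSON)
  const signed = Buffer.concat([authData, sha256(resp.clientDataJSON)]);
  return crypto.verify("sha256", signed, expected.publicKey, resp.signature) ? "ok" : "bad signature";
}

// Constructed software authenticator standing in for the TPM; produces sample input only.
function makeAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  // rpIdHash (32 bytes) + flags (UP|UV = 0x05) + signCount (4 bytes, big-endian)
  const authenticatorData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Runs one valid response and three that the server must reject (all constructed).
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const otherKey = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" }).privateKey;
  const rpId = "example.test", origin = "https://example.test";
  const fresh = () => crypto.randomBytes(32).toString("base64url");
  const expected = { challenge: fresh(), origin, rpId, publicKey };
  return [
    makeAssertion(privateKey, expected.challenge, origin, rpId),   // legitimate login
    makeAssertion(privateKey, fresh(), origin, rpId),              // response to an older challenge
    makeAssertion(privateKey, expected.challenge, "https://other.test", rpId), // produced on another origin
    makeAssertion(otherKey, expected.challenge, origin, rpId),     // key not registered for this user
  ].map((resp) => verifyAssertion(resp, expected));
}

console.log(demo());
```

A production verifier would also track the signature counter and match the credential ID against the list of authorized credentials the server sent.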