Published: September 9, 2024
In June 2024, Google teamed up with the FIDO Alliance to host a passkey hackathon in Tokyo. The aim was to give participants hands-on experience with passkey development and prototyping passkeys for real-world products, with Google and FIDO Alliance staff on hand to provide guidance.
The hackathon saw 9 teams dive into passkeys and the judges selected four most innovative and impactful projects.
Grand winner: Keio University SFC-RG pkLock team (Keio University)
Keio University's SFC-RG pkLock team was the only team in this competition to take on the challenge of combining IoT devices with passkeys and they even brought a 3D printer.
Their pkLock (pronounced "pic-lock") aims to solve the common problem of cumbersome key handover for Airbnb and other private lodging by using passkey cross-device authentication.
The device they created consists of a QR code display device installed on the outside of the door and an unlocking device installed on the inside. In addition to the device, there is a web application that users use for booking and unlocking. Guests can unlock the door by holding their hand under the QR code display device in front of the door, reading the displayed QR code with their mobile phone, and performing passkey authentication (cross-device authentication).
They also paid particular attention to design a sophisticated device that hosts would want to install in their accommodations. Their comprehensive approach, which also considers the potential widespread adoption of these devices, resonated strongly with the judges.
During their presentation, they generated much excitement among the audience by actually unlocking a miniature door they made during the hackathon. For this demonstration, the device displayed a QR code containing a URL with a one-time token that directs users to an authentication page. In the future, they plan to implement hybrid transports on the device to enable direct unlocking. They won the hackathon for their pioneering efforts in exploring the possibilities of using passkeys on IoT devices.
FIDO Award 1: SKKN (Waseda University)
SKKN is a research group from Waseda University, specializing in privacy studies. The team has presented a very advanced use case of passkeys, combining them with emerging technologies–verifiable credentials (VC) and zero-knowledge proof. As the verifiable credentials and zero-knowledge proof are in the spotlight of self-sovereign identity and decentralized identity (SSI/DID), their presentation has attracted great attention from both the hackathon judges and other participants.
Verifiable credentials (VCs) are digital certificates that prove user information such as name, affiliation, and address. If the Holder (wallet) that stores and manages VCs is vulnerable, VCs can be stolen by others, and others can impersonate the user by presenting the VC. In addition to enabling only the user who has the FIDO credential to present the VC, they have developed a method that allows only trusted wallet services to handle VCs.
Their implementation showed several advantages:
- By linking and issuing VCs and FIDO credentials, only the owner of FIDO can use the VCs.
- Only wallets trusted by Issuer and Verifier can be used.
- By using passkeys, VCs and wallets can be backed up and recovered, and users can recover even if they lose their device.
FIDO Award 2: TOKYU ID (Tokyu)
The URBAN HACKS team, also known as the TOKYU ID team, from Tokyu Corporation, has been awarded the FIDO Award for their innovative passkey adoption for TOKYU ID. The Tokyu Group is a large Japanese conglomerate with a wide range of businesses centered around transportation and urban development.
TOKYU ID is designed to streamline everyday interactions, such as train rides. Recognizing the critical importance of user experience, the team implemented passkey sign-in in February 2024, to address potential issues such as missing a train due to delays in two-factor authentication in digital ticketing services provided by a web application.
They participated in this hackathon to validate their vision for TOKYU ID. Their ideal scenario envisions all users registering and logging in with passkeys, coupled with seamless account recovery. To realize this, they focused on two key implementations at the hackathon: enabling passkey registration during the initial membership sign-up process and introducing social login for account recovery. Uniquely, after recovery through social login, users are only permitted to register a passkey, underscoring the team's commitment to a passkey-centric design. They also integrated FedCM to improve the user experience in account linking processes.
The TOKYU ID team's passkey-centric approach demonstrated a deep understanding of user needs and product requirements. At the hackathon, they successfully implemented their solution and delivered an interesting presentation, which won them the FIDO Award. Notably, they integrated Google Sign-In without using the GIS SDK with just vanilla JavaScript using FedCM!
Google Award: Team Nulab (Nulab)
Nulab is a software company that provides services such as Backlog, Cacoo and Nulab Pass. They have multiple two-factor authentication solutions (security keys, SMS OTP, email OTP, TOTP) and WebAuthn across their services. Nulab was an early adopter of WebAuthn and they have fully supported passkeys since October 2023.
They have implemented eight new features:
- A passkeys card
- A passkey introductory content
- Passkey adopter rewards
- Assistance for smooth account recovery
- Sign-in with a passkey button
- Mandatory 2FA for passkey adopters
- Password removal and passkey promotion on credential leaks
- Promote passkeys upon resetting a password
They demoed assistance for smooth account recovery at the hackathon: The idea was to nudge the user with an additional action when they add a passkey. If the added passkey is device-bound, recommend the user to add another passkey from a different password manager. If the added passkey is synced, recommend the user to remove the password.
They also implemented rewards for users who adopt passkeys with user account icon highlighting. When the user adopts a device-bound passkey, the icon starts to circling. When the user adopts a synced passkey, the icon starts to blink. Since this is an enterprise tool, this motivates users to stand out within the company by adopting passkeys.
The judges were impressed by their creative ideas to improve their passkey implementation and in particular how users can recover their account.
More interesting projects
All teams at the hackathon had interesting ideas and here's a glimpse into their projects:
- Nikkei ID (Nikkei): Implemented passkeys on top of OpenID Connect, reducing user friction.
- Dentsu Soken (Dentsu Soken): Combined passkeys with Google Sign-In for seamless user onboarding.
- SST-Tech (Secure Sky Technology): Explored passkey emulation for security assessments.
- Ajitei Nekomaru (Keio University): Introduced passkey authentication to an open-source LMS.
- MyLIXIL (LIXIL): Accomplished to implement passkeys as an authentication method for MyLIXIL.
For more details about each project, check out the full Tokyo passkeys hackathon report.
Takeaways and the future
Throughout the hackathon, participants shared valuable feedback and questions, highlighting both the enthusiasm for passkeys and areas for improvement. These are some of the key takeaways from the hackathon:
- There's growing interest in combining passkeys with other technologies, like verifiable credentials and zero-knowledge proofs.
- User experience remains a top priority, with teams focusing on making passkeys even easier to use and adopt.
- The hackathon highlighted the potential for passkeys to extend beyond traditional sign-ins, into areas like IoT and digital identity.
The event was a resounding success, sparking new ideas and collaborations. As passkeys gain wider adoption, events like this are key to driving innovation and addressing challenges.
It's an exciting time for passkeys, and the Tokyo hackathon is proof that developers are eager to push the boundaries of what's possible.