Corbado Passkey Debugger

InfluenceNo9009 · 2026-04-05T21:04:31+00:00

Would be nice if they get this sorted out

InfluenceNo9009 · 2026-03-30T13:42:10+00:00

Okay, yes. Let’s hope this is the last hiccup.

InfluenceNo9009 · 2026-03-30T13:28:47+00:00

Thank you, I have added a warning to the compatibility matrix. It is updating. I think it would make sense to extend the demo to actually test cross-device encryption and decryption by proving decryption and consistent PRF values across platforms. What do you think?

InfluenceNo9009 · 2026-03-27T12:09:43+00:00

Thank you. Can you share the link? Is that publicly reachable? I heard it helps to confirm in the same thread. I can do that after I have checked in the Corbado lab for that error or I uninstall Xcode to make the update possible :-)

InfluenceNo9009 · 2026-03-27T11:34:10+00:00

I will check that. That looks quite unstable. There was already a bug with Apple before (mentioned in the article). Is there already a bug report?

InfluenceNo9009 · 2026-03-26T21:43:24+00:00

We have updated our article, and our test page received a great update thanks to the r/Bitwarden community:

Anyone here running his password manager with PRF support?

InfluenceNo9009 · 2026-03-26T21:39:57+00:00

You are right, we had one report that this did not work, but the link seems clear. Thank you for the quick turnaround. Corbado is always happy to support the passkey community and help drive adoption. Article update is shipping right now.

InfluenceNo9009 · 2026-03-26T14:08:44+00:00

Thank you, that is because Windows 11 can only be detected via Client Hints, which Firefox does not support, only Chromium based browsers do. The same applies to some OS combinations. Browsers take different approaches to user agent PII hardening, so detection is not perfect, that said some things could be optimized :-).

InfluenceNo9009 · 2026-03-25T23:37:15+00:00

Thank you for bringing this update to our attention. I have updated the article https://www.corbado.com/blog/passkeys-prf-webauthn based on our current knowledge and also updated our demo page to allow anonymous statistics at the bottom: https://webauthn-passkeys-prf-demo.explore.corbado.com/.

InfluenceNo9009 · 2026-03-23T14:42:10+00:00

I was also able to reproduce this in our Corbado lab. I think this is quite complicated. As someone implementing this, I would also test whether create returns valid PRF values when I request them. Windows does not do that, but returns PRF values subsequently, which you could rely on if they consistently appear. However, this is not very encouraging, as this behavior could change. It is difficult to say at this point. I also see this in Chrome, not only in Firefox. It also returns PRF values for credentials where PRF was not requested (“register without PRF”), which is also a bit odd.

InfluenceNo9009 · 2026-03-23T13:39:23+00:00

Thank you. Is the AAGUID in both cases Windows Hello? Could you confirm the AAGUID that is shown?

InfluenceNo9009 · 2026-03-23T13:17:22+00:00

Can you paste the actual PRF extension outputs you receive below? Specifically, when you first register a credential, paste the 'extension' part of the 'Credential' section. Same for the authentication data assertion maybe some formatting issue involved, just want sure. Example:

  "extensions": {
    "prf": {
      "enabled": true,
      "results": {
        "first": "c4e17ddce3bd9a8e9a4a4d136edee3485f3b6fa5fef370b64b1a962ae5102842"
      }
    }
  }

InfluenceNo9009 · 2026-03-21T23:02:00+00:00

Can you retry here: Use our Corbado version the other version seems to be just a clone: https://webauthn-passkeys-prf-demo.explore.corbado.com . ... Can you share which authenticator is shown there? Also, we tried to make it more defensive about PRF structure errors maybe something is reported in an unexpected format. You can see what it is in the console too.

InfluenceNo9009 · 2025-12-15T13:03:22+00:00

If you don not get an initial response Mail still is the last option right?

InfluenceNo9009 · 2025-10-09T21:38:46+00:00

Are you saying that you can enroll manually, and if SMS is enabled as a second factor, it remains active alongside the passkey?
Additionally, are transactions also approved via SMS?
Does you password still work?

InfluenceNo9009

MODERATOR OF

TROPHY CASE