Credential Manager Trust Group Keys: WebAuthn Extension

Explore Credential Manager Trust Group Keys (CMTG), the WebAuthn extension enhancing passkeys through verifiable device relationships & anti-phishing protection.

Vincent Delitz

Created: October 10, 2025

Updated: October 17, 2025

ℹ️ Draft Proposal - Not Yet Implemented#

This article discusses Credential Manager Trust Group Key (CMTG), a WebAuthn extension proposal in early draft stage. As of October 2025:

  • CMTG Explainer published
  • Extension name: credentialManagerTrustGroupKey
  • No browser has implemented this feature
  • Specification subject to significant changes
  • Implementation timeline uncertain

This article explains the problem CMTG aims to solve. We're monitoring the proposal and will update as it evolves.

1. Introduction: The Device Trust Challenge in Synced Passkeys#

Passkeys have transformed authentication - faster, more secure, and password-free. But as passkeys sync across devices, a critical challenge emerged: how can websites trust that a laptop using a synced passkey really belongs to the same person who created it on their phone?

When you create a passkey on your phone and later use it on your laptop, websites face uncertainty. Did your laptop gain access through legitimate sync, or through a compromised account? Traditional solutions force additional verification steps, defeating passkey convenience.

The WebAuthn Working Group has been exploring solutions to this problem. The latest proposal is Credential Manager Trust Group Key (CMTG) - a WebAuthn extension that would enable credential managers (like iCloud Keychain, Google Password Manager) to establish trust groups of devices that have proven non-remote connections.

Previous attempts (devicePubKey, supplementalPubKeys) failed due to complexity and lack of adoption. CMTG represents the latest attempt to solve this longstanding problem.

This article explains:

  1. The fundamental device trust problem
  2. Why previous solutions failed
  3. How CMTG proposes to address this
  4. Current status and what this means

2. The Core Problem: Why Trusting Synced Devices is Challenging#

Understanding this problem is more important than any specific solution - the problem persists regardless of whether CMTG succeeds or fails.

When passkeys sync across devices, websites face a dilemma: how can they verify the laptop using your passkey is really yours and not an attacker who compromised your account?

Example: You create a passkey on your iPhone for your bank. Later, you access your account from your MacBook. The passkey syncs automatically through iCloud Keychain - convenient for you, but uncertain for the bank. Is this MacBook owned by the same person who created the passkey?

2.1 Current State: Security vs. Convenience Trade-offs#

Maximum Security: Require users to verify each new device individually (SMS codes, push notifications to an already-trusted device, biometric checks). This maximizes control over which devices may use the account, but it removes the seamless experience that makes passkeys valuable, and an SMS code is itself phishable, so the step-up can reintroduce the weakness passkeys were meant to remove.

Convenience-First: Trust synced passkeys completely, accepting some risk. Works for certain industries but often unsuitable for banking or healthcare.

2.2 Real-World Impact#

This creates practical problems:

  • Limited adoption: Banks and healthcare organizations hesitate to embrace synced passkeys due to regulatory requirements
  • Inconsistent experiences: Users face different security requirements across websites
  • Compliance complications: Regulated industries struggle to meet PSD2 Strong Customer Authentication while maintaining passkey convenience
  • Conservative policies: IT departments implement overly restrictive policies, reducing passkey adoption benefits

The all-or-nothing approach forces organizations to choose between security and user experience, limiting passkey potential.

3. Historical Attempts: Lessons from Failed Proposals#

The WebAuthn community has attempted to solve this problem before. Each failure reveals why this is so difficult and explains the cautious approach with CMTG.

3.1 Evolution of Device Trust Proposals#

| Proposal | Timeline | Status | Key Approach | Notes |
|---|---|---|---|---|
| devicePubKey Extension | Pre-2023 | Abandoned | Single device-bound public key per credential | Too limited; couldn't handle multi-device scenarios |
| supplementalPubKeys Extension | 2023-2024 | Deprecated August 2024 | Multiple supplemental keys (device-bound and provider-bound) | Insufficient support; too complex; unclear value |
| Relationship Public Keys (RPK) | 2024-Oct 2025 | Renamed | Cryptographic device relationships via relationshipPublicKey extension | Used internally by FIDO/industry for 1-2 years; terminology still circulates |
| Credential Manager Trust Group Key (CMTG) | Oct 2025-Present | Active Draft | Trust groups established by credential managers via credentialManagerTrustGroupKey extension | Refined framing of the RPK concept; still in early draft stage with no browser implementation |

Each earlier proposal stalled for similar reasons: implementation complexity, lack of browser and provider support, an unclear value proposition for relying parties, and regulatory uncertainty. CMTG must demonstrate that it can overcome these obstacles where its predecessors could not.

4. How CMTG Proposes to Solve the Device Trust Problem#

CMTG is a proposed WebAuthn extension that lets credential managers signal the anti-phishing measures they applied when a device was signed in. Credential managers (such as iCloud Keychain or Google Password Manager) establish trust groups: sets of devices that have demonstrated a strong, non-remote connection to one another, for example physical proximity verified through FIDO Cross-Device Authentication (Bluetooth/NFC) or phishing-resistant eSIM verification.

During authentication, a website can request a "trust group key" through the credentialManagerTrustGroupKey extension. If the website has already seen the same key on a device it verified earlier, the current device belongs to the same trust group, and the website can skip extra verification. If the key is new, or the browser returns no extension output at all (true of every browser today), the website falls back to its existing step-up policy. The first device in each trust group therefore still has to be verified once by other means before its key is worth trusting; CMTG removes the repeated per-device verification, not the initial one.

The approach is privacy-preserving (websites learn only trust group membership, not device specifics) and shifts complexity to credential managers rather than individual websites. However, this remains an early-stage draft with no browser implementation, and like previous proposals (devicePubKey, supplementalPubKeys), CMTG must overcome significant challenges: implementation complexity, browser and provider support, regulatory acceptance, and demonstrating clear value to justify adoption.
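The relying-party side of that logic, as an added example that is not taken from the CMTG explainer or from any browser: the extension's real input and output shapes are not defined on this page, so the request option `credentialManagerTrustGroupKey: true`, the output field `key`, and the base64url encoding are assumptions for illustration, and the page does not say whether the key carries a signature the website must verify, so the example treats it as an opaque value compared exactly. The in-memory store and the device objects are constructed test data.

```javascript
// Added example: relying-party policy sketch for a hypothetical
// credentialManagerTrustGroupKey output. The option name, the output field
// `key` and its encoding are ASSUMPTIONS; the draft may define them differently.

// Constructed in-memory store: user account -> Set of trust group keys seen on a
// device this site has already verified (at registration or after a step-up).
const verifiedTrustGroupKeys = new Map();

// Assumed extension input: ask the credential manager for the trust group key
// alongside an ordinary assertion. Everything except the `extensions` entry is
// standard WebAuthn PublicKeyCredentialRequestOptions.
function buildAssertionOptions(challenge, allowCredentials) {
  return {
    publicKey: {
      challenge,
      allowCredentials,
      userVerification: "required",
      extensions: { credentialManagerTrustGroupKey: true }, // assumed input shape
    },
  };
}

// Assumed client extension output shape:
//   getClientExtensionResults().credentialManagerTrustGroupKey === { key: "<base64url>" }
// Returns null when the browser did not implement or did not honour the extension,
// which is the case for every browser as of October 2025.
function extractTrustGroupKey(clientExtensionResults) {
  const out = clientExtensionResults?.credentialManagerTrustGroupKey;
  if (!out || typeof out.key !== "string" || out.key.length === 0) return null;
  return out.key;
}

// The decision described in the article: a key already seen on a verified
// device means "same trust group"; anything else needs the existing step-up.
function decideStepUp(userId, trustGroupKey) {
  const known = verifiedTrustGroupKeys.get(userId) ?? new Set();
  if (trustGroupKey === null) {
    return { stepUp: true, reason: "no-trust-group-signal" }; // fall back to today's policy
  }
  if (known.has(trustGroupKey)) {
    return { stepUp: false, reason: "known-trust-group" };
  }
  return { stepUp: true, reason: "new-trust-group" }; // first device of this group for this user
}

// Call only after the step-up (or registration) succeeded, so the key is bound
// to a device the site has actually verified rather than one that merely asked.
function recordVerifiedTrustGroupKey(userId, trustGroupKey) {
  if (trustGroupKey === null) return false;
  const known = verifiedTrustGroupKeys.get(userId) ?? new Set();
  known.add(trustGroupKey);
  verifiedTrustGroupKeys.set(userId, known);
  return true;
}

// Constructed walk-through: a phone registers (group A), a laptop in the same
// group signs in, then a device from an unverified group and an old browser show up.
function demoFlow() {
  const userId = "user-42";
  const phone = { credentialManagerTrustGroupKey: { key: "grpA_publicKey_b64url" } };
  const laptopSameGroup = phone; // same credential-manager trust group as the phone
  const unknownDevice = { credentialManagerTrustGroupKey: { key: "grpB_publicKey_b64url" } };
  const oldBrowser = {}; // no extension output at all

  const trace = [];
  trace.push(decideStepUp(userId, extractTrustGroupKey(phone)).reason); // "new-trust-group"
  recordVerifiedTrustGroupKey(userId, extractTrustGroupKey(phone));    // after a successful step-up
  trace.push(decideStepUp(userId, extractTrustGroupKey(laptopSameGroup)).reason); // "known-trust-group"
  trace.push(decideStepUp(userId, extractTrustGroupKey(unknownDevice)).reason);   // "new-trust-group"
  trace.push(decideStepUp(userId, extractTrustGroupKey(oldBrowser)).reason);      // "no-trust-group-signal"
  return trace;
}
```

Two design points carry over regardless of what the final specification looks like: the store is written only after a verification the site itself performed, never on first sight of a key, and a missing signal is treated exactly like today, so deploying the request option early costs nothing on browsers that ignore it.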

5. Conclusion: Monitoring CMTG's Evolution#

CMTG (Credential Manager Trust Group Key) represents the latest attempt to solve the longstanding challenge of trusting synced passkeys across devices.

Key Takeaways#

1. The Persistent Challenge: How can websites trust synced passkeys across devices without forcing extra verification? This problem exists regardless of which proposal succeeds or fails.

2. History of Attempts: devicePubKey failed. supplementalPubKeys failed. Each iteration learns from previous failures, but CMTG faces similar hurdles: implementation complexity, industry alignment, regulatory acceptance.

3. CMTG's Approach: Credential managers establish "trust groups" of devices with proven non-remote connections. The credentialManagerTrustGroupKey extension would let websites query trust group membership without revealing device-specific details.

4. What Organizations Should Do: Focus on proven technology. Achieve high passkey adoption with current, stable WebAuthn. Build flexible architectures that can adapt when (if) new standards emerge.

Looking Ahead#

We're monitoring CMTG's progress and will update this article as the proposal evolves. The WebAuthn Working Group continues discussions on the CMTG explainer.

What's clear: The device trust problem won't disappear. Whether CMTG becomes the solution, gets renamed again, or gets replaced by something entirely different, organizations need strong passkey foundations today.

What's uncertain: Everything else. Browser implementation, industry adoption, regulatory acceptance, timeline - all unknown.

Best approach: Build on proven technology using ratified WebAuthn standards. Let future standards like CMTG be a bonus when (and if) they materialize, not a dependency.
