Why is Bluetooth used if it doesn’t transmit the passkey?

Why Is Bluetooth Used If It Doesn’t Transmit the Passkey?#

In passkey authentication, Bluetooth is used in certain authentication flows, such as cloud-assisted Bluetooth Low Energy (caBLE), but it does not transmit the actual passkey. Instead, it serves a crucial role in ensuring that the two devices involved in authentication are physically close before proceeding with secure cryptographic operations.

The Role of Bluetooth in Passkey Authentication#

• Proximity Verification: Bluetooth allows the authentication process to confirm that the two devices (the one requesting authentication and the one holding the passkey) are physically near each other. This prevents remote phishing attacks or unauthorized login attempts from distant locations.
• Mitigating Man-in-the-Middle (MitM) Attacks: Because Bluetooth ensures proximity, it reduces the likelihood of a MitM attack, where an attacker intercepts the authentication request over the internet.
• Session Establishment: Bluetooth acts as a triggering mechanism for establishing a secure session. Once proximity is verified, the actual authentication data exchange happens over an encrypted internet connection, rather than being sent directly over Bluetooth.

How Does Authentication Work Without Bluetooth Transmitting the Passkey?#

• The private key of the passkey never leaves the secure storage of the authenticating device.
• The device holding the passkey cryptographically signs a challenge from the server.
• The signed challenge is then sent over a secure internet connection, not over Bluetooth.

Does Bluetooth Always Have to Be Enabled?#

Not necessarily. Some authentication methods, such as QR code scanning, allow for passkey authentication without requiring Bluetooth. However, caBLE (cloud-assisted Bluetooth Low Energy) is a preferred method in certain implementations to streamline the user experience while maintaining security.

Key Takeaway#

Bluetooth in passkey authentication is not used for data transfer but as a security layer to confirm physical proximity. This enhances security without compromising the integrity of the cryptographic authentication process.

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →