PassSeeds – hijacking Passkeys to unlock new cryptographic use cases

Your passkey spawns ‘magic keys’, says ex-Microsoft — hype vs. ‘AI slop’

TLDR: PassSeeds claims your login passkey can safely power other keys and tools by treating its public part as a secret seed. The community is split: fans love the convenience, skeptics say it’s no better than password managers and warn that “secret public keys” and browser extensions could blow it up.

An ex-Microsoft engineer dropped a wild idea: hijack the humble login “passkey” and turn its public key into a secret seed that can spin up all kinds of other keys for things like Bitcoin wallets and fancy math proofs. It’s called PassSeeds, and the pitch is simple: your device already stores and syncs these keys safely, gated by biometrics, so why not use that power beyond logins? The author claims there’s a hidden behavior in passkeys that makes the public part act like a secret if you never expose it. Cue the fireworks.

The crowd split fast. The inventor showed up hyped, while skeptics let it rip. One shot back: “Why not just use a password manager or a YubiKey?” Another said the drawing of “ECDSA recovery” looks like AI slop. A former insider argued that existing WebAuthn add‑ons like PRF and LargeBlob already do this and more, while a purist warned it’s “foolish” to treat a public key like a secret. A security hawk added: a shady browser extension could snatch that “secret” public key. The memes practically wrote themselves: “spicy seeds,” “crypto bros hiding public keys,” and “Passkeys, but make it chaos.” Whether genius hack or kludge, the thread is pure drama, and the WebAuthn nerds are loving the show.

Key Points

  • PassSeeds repurposes passkeys by using the P‑256 public key as deterministic seed material via ECDSA public‑key recovery.
  • Passkeys are origin-scoped WebAuthn credentials stored in secure hardware and synced across devices through end-to-end encrypted platforms.
  • If the public key is never exported and signatures remain within the origin, no API reveals the public key, making it behave like a secret.
  • PassSeeds enables generation of cryptographic keys for use cases beyond standard login, including secp256k1 (Bitcoin) and BLS12‑381 (ZKPs).
  • Initial PassSeed generation involves creating a passkey with navigator.credentials.create() using userVerification: required and origin scoping.

Hottest takes

"Passkeys can be hijacked to serve as cryptographic seed material" — csuwldcat
"How is this any better than just storing the value in a password manager" — josephcsible
"it seems foolish to build a system that relies on the token to essentially be a secure way to store a public key" — blibble

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.