In June 2024, Google teamed up with the FIDO
Alliance to host a passkey hackathon in Tokyo. The
aim was to give participants hands-on experience with passkey development and
prototyping passkeys for real-world products, with Google and FIDO Alliance
staff on hand to provide guidance.
The hackathon saw 9 teams dive into passkeys and the judges selected four most
innovative and impactful projects.
Grand winner: Keio University SFC-RG pkLock team (Keio University)
Keio University’s SFC-RG pkLock team was the only team in this competition to
take on the challenge of combining IoT devices with passkeys and they even
brought a 3D printer.
Their pkLock (pronounced “pic-lock”) aims to solve the common problem of
cumbersome key handover for Airbnb and other private lodging by using passkey
cross-device authentication.
The device they created consists of a QR code display device installed on the
outside of the door and an unlocking device installed on the inside. In addition
to the device, there is a web application that users use for booking and
unlocking. Guests can unlock the door by holding their hand under the QR
code display device in front of the door, reading the displayed QR code with
their mobile phone, and performing passkey authentication (cross-device
authentication).
They also paid particular attention to design a sophisticated device that hosts
would want to install in their accommodations. Their comprehensive approach,
which also considers the potential widespread adoption of these devices,
resonated strongly with the judges.
During their presentation, they generated much excitement among the audience by
actually unlocking a miniature door they made during the hackathon. For this
demonstration, the device displayed a QR code containing a URL with a one-time
token that directs users to an authentication page. In the future, they plan to
implement hybrid transports on the device to enable direct unlocking. They won
the hackathon for their pioneering efforts in exploring the possibilities of
using passkeys on IoT devices.
FIDO Award 1: SKKN (Waseda University)
SKKN is a research group from Waseda University, specializing in privacy
studies. The team has presented a very advanced use case of passkeys, combining
them with emerging technologies–verifiable credentials
(VC) and zero-knowledge proof.
As the verifiable credentials and zero-knowledge proof are in the spotlight of
self-sovereign identity
and decentralized identity (SSI/DID), their
presentation has attracted great attention from both the hackathon judges and
other participants.
Verifiable credentials (VCs) are digital certificates that prove user
information such as name, affiliation, and address. If the Holder (wallet) that
stores and manages VCs is vulnerable, VCs can be stolen by others, and others
can impersonate the user by presenting the VC. In addition to enabling only the
user who has the FIDO credential to present the VC, they have developed a method
that allows only trusted wallet services to handle VCs.
Their implementation showed several advantages:
- By linking and issuing VCs and FIDO credentials, only the owner of FIDO
can use the VCs. - Only wallets trusted by Issuer and Verifier can be used.
- By using passkeys, VCs and wallets can be backed up and recovered, and
users can recover even if they lose their device.
FIDO Award 2: TOKYU ID (Tokyu)
The URBAN HACKS team, also known as the TOKYU ID team, from Tokyu Corporation,
has been awarded the FIDO Award for their innovative passkey adoption for TOKYU
ID. The Tokyu Group is a large Japanese conglomerate with a wide range of
businesses centered around transportation and urban development.
TOKYU ID is designed to streamline everyday interactions, such as train rides.
Recognizing the critical importance of user experience, the team implemented
passkey sign-in in February 2024, to address potential issues such as missing a
train due to delays in two-factor authentication in digital ticketing services
provided by a web application.
They participated in this hackathon to validate their vision for TOKYU ID.
Their ideal scenario envisions all users registering and logging in with
passkeys, coupled with seamless account recovery. To realize this, they focused
on two key implementations at the hackathon: enabling passkey registration
during the initial membership sign-up process and introducing social login for
account recovery. Uniquely, after recovery through social login, users are only
permitted to register a passkey, underscoring the team’s commitment to a
passkey-centric design. They also integrated FedCM to improve the user
experience in account linking processes.
The TOKYU ID team’s passkey-centric approach demonstrated a deep understanding
of user needs and product requirements. At the hackathon, they successfully
implemented their solution and delivered an interesting presentation, which won
them the FIDO Award. Notably, they integrated Google Sign-In without using the
GIS SDK with just vanilla JavaScript using FedCM!
Google Award: Team Nulab (Nulab)
Nulab is a software company that provides services such
as Backlog, Cacoo and Nulab
Pass. They have multiple two-factor
authentication solutions (security keys, SMS OTP, email OTP, TOTP) and WebAuthn
across their services. Nulab was an early adopter of WebAuthn and
they have fully supported passkeys since October 2023.
They have implemented eight new features:
- A passkeys card
- A passkey introductory content
- Passkey adopter rewards
- Assistance for smooth account recovery
- Sign-in with a passkey button
- Mandatory 2FA for passkey adopters
- Password removal and passkey promotion on credential leaks
- Promote passkeys upon resetting a password
They demoed assistance for smooth account recovery at the hackathon:
The idea was to nudge the user with an additional action when they add a
passkey. If the added passkey is device-bound, recommend the user to add another
passkey from a different password manager. If the added passkey is synced,
recommend the user to remove the password.
They also implemented rewards for users who adopt passkeys with user account
icon highlighting. When the user adopts a device-bound passkey, the icon starts
to circling. When the user adopts a synced passkey, the icon starts to blink.
Since this is an enterprise tool, this motivates users to stand out within the
company by adopting passkeys.
The judges were impressed by their creative ideas to improve their passkey
implementation and in particular how users can recover their account.
More interesting projects
All teams at the hackathon had interesting ideas and here’s a glimpse into
their projects:
- Nikkei ID (Nikkei): Implemented passkeys on top of OpenID Connect,
reducing user friction. - Dentsu Soken (Dentsu Soken): Combined passkeys with Google Sign-In
for seamless user onboarding. - SST-Tech (Secure Sky Technology): Explored passkey emulation for
security assessments. - Ajitei Nekomaru (Keio University): Introduced passkey authentication
to an open-source LMS. - MyLIXIL (LIXIL): Accomplished to implement passkeys as an
authentication method for MyLIXIL.
For more details about each project, check out the full
Tokyo passkeys hackathon report.
Takeaways and the future
Throughout the hackathon, participants shared valuable feedback and questions,
highlighting both the enthusiasm for passkeys and areas for improvement.
These are some of the key takeaways from the hackathon:
- There’s growing interest in combining passkeys with other technologies,
like verifiable credentials and zero-knowledge proofs. - User experience remains a top priority, with teams focusing on making
passkeys even easier to use and adopt. - The hackathon highlighted the potential for passkeys to extend beyond
traditional sign-ins, into areas like IoT and digital identity.
The event was a resounding success, sparking new ideas and collaborations. As
passkeys gain wider adoption, events like this are key to driving innovation and
addressing challenges.
It’s an exciting time for passkeys, and the Tokyo hackathon is proof that
developers are eager to push the boundaries of what’s possible.