Traditional password authentication is inherently vulnerable to phishing and data breaches. The industry is moving toward hardware security keys and platform passkeys, which resist both, but these introduce usability challenges: users must manage physical devices and risk account lockout if they lose them. Server-side authenticators offer a more user-friendly alternative. They remove the dependence on specific hardware, but the credential private keys then live in a cloud environment and must be protected there. This thesis proposes and demonstrates an implementation of such a virtual authenticator in Node.js. The solution includes a web extension that intercepts standard WebAuthn API calls (navigator.credentials.create/get) in the page and routes them to the authenticator web service.
This is a thesis project exploring server-side WebAuthn authenticators as an alternative to traditional hardware security keys. It's designed for research and demonstration purposes, not production use.
License: See LICENSE file.
Prerequisites:
- Node.js 18+
- pnpm (package manager for the monorepo)
- Docker & Docker Compose (for PostgreSQL and the Key Vault)
Project structure:
- apps/ — Main applications
- packages/ — Shared libraries (auth, crypto, database, UI components, etc.)
- examples/ — Example Next.js app with passkeys integration
Development (with browser extension):
```sh
./docker-compose-test.sh   # Start PostgreSQL and Key Vault
pnpm dev --filter '!@repo/nextjs-example'
```
Without browser extension:
```sh
./docker-compose-test.sh   # Start PostgreSQL and Key Vault
pnpm dev --filter '!@repo/nextjs-example' --filter '!@repo/wxt'
```
Testing:
```sh
pnpm test               # All tests
pnpm test:unit          # Unit tests
pnpm test:integration   # Integration tests
pnpm coverage           # Coverage report
```
Request flow:
```
+---------------------------------------------------------------+
|                  RELYING PARTY (Web Server)                   |
+-------------+-------------------------------------------------+
              |
              | 0. INITIATION (Challenge / Options)
              v
+-------------+-------------------------------------------------+
|                    BROWSER (Web Extension)                    |
+-------------+-------------------------------------------------+
|             |                                                 |
|  1. INTERCEPTION (Main World)                                 |
|     [ navigator.credentials proxy ]  <--- Web App Call        |
|             |                                                 |
|             v  window.postMessage                             |
|             |                                                 |
|  2. USER INTERFACE (Content Script)                           |
|     [ Confirmation DOM and UI ]                               |
|             |                                                 |
|             v  chrome.runtime.sendMessage                     |
|             |                                                 |
|  3. NETWORK LAYER (Background Service Worker)                 |
|     [ Fetch API Wrapper ]                                     |
|             |                                                 |
+-------------+-------------------------------------------------+
              |
              v  HTTPS
              |
+-------------+-------------------------------------------------+
|              VIRTUAL AUTHENTICATOR HOST (Server)              |
+-------------+-------------------------------------------------+
|             |                                                 |
|  4. GATEWAY                                                   |
|     [ API Endpoint ]                                          |
|             |                                                 |
|             v                                                 |
|             |                                                 |
|  5. LOGIC CORE                                                |
|     [ Virtual Authenticator Agent ]                           |
|     (Validation / CBOR / Parameters / Extensions)             |
|             |                                                 |
|             v                                                 |
|             |                                                 |
|  6. STORAGE & CRYPTO                                          |
|     [ Virtual Authenticator ]                                 |
|    (Key Vault / Signing / Counters / Attestation / Extensions)|
|                                                               |
+---------------------------------------------------------------+
```
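The interception path (steps 1 to 3 above) has to carry WebAuthn option objects, which contain ArrayBuffers, across window.postMessage, chrome.runtime.sendMessage and finally HTTPS as JSON, and it has to re-create a guarantee the browser normally provides for free: that the requested rp.id is a registrable-domain suffix of the calling page's origin, and that clientDataJSON records the real origin. The following is an added example, not the project's code: toWire, fromWire, rpIdMatchesOrigin, buildClientDataJSON and prepareCreateRequest are illustrative names, the { $b64u: ... } tagging is this example's own wire format, and the suffix check is simplified (no public-suffix list).

```javascript
// Added example: extension-side plumbing for a proxied navigator.credentials.create() call.
// Not the project's code; function names and the wire format are illustrative assumptions.

// Bytes of an ArrayBuffer or of any TypedArray/DataView view onto one.
function bytesOf(v) {
  return v instanceof ArrayBuffer
    ? new Uint8Array(v)
    : new Uint8Array(v.buffer, v.byteOffset, v.byteLength);
}
function isBinary(v) {
  return v instanceof ArrayBuffer || ArrayBuffer.isView(v);
}

// WebAuthn options carry binary fields (challenge, user.id, excludeCredentials[].id, ...)
// that do not survive JSON. Tag them as { $b64u } with base64url content for the trip
// through postMessage -> sendMessage -> HTTPS, and restore them on the way back.
function toWire(v) {
  if (isBinary(v)) return { $b64u: Buffer.from(bytesOf(v)).toString('base64url') };
  if (Array.isArray(v)) return v.map(toWire);
  if (v && typeof v === 'object') {
    return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, toWire(x)]));
  }
  return v;
}
function fromWire(v) {
  if (Array.isArray(v)) return v.map(fromWire);
  if (v && typeof v === 'object') {
    if (typeof v.$b64u === 'string' && Object.keys(v).length === 1) {
      // Copy into a fresh ArrayBuffer so no shared Node Buffer pool memory is exposed.
      return Uint8Array.from(Buffer.from(v.$b64u, 'base64url')).buffer;
    }
    return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, fromWire(x)]));
  }
  return v;
}

// The browser enforces that rp.id is a registrable-domain suffix of the caller's origin.
// Once navigator.credentials is proxied to a remote service, the extension must enforce
// this itself, otherwise any page could ask the authenticator for another site's credentials.
// Simplification: no public-suffix list check (an rp.id such as "co.uk" is not rejected here).
function rpIdMatchesOrigin(rpId, origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  const secureContext = url.protocol === 'https:' || url.hostname === 'localhost';
  if (!secureContext || !rpId) return false;
  return url.hostname === rpId || url.hostname.endsWith('.' + rpId);
}

// clientDataJSON is built by the client (here: the extension), never by the page, and it
// records the real origin; the authenticator signs over its hash, which is what makes a
// credential useless on a look-alike origin.
function buildClientDataJSON(type, challenge, origin) {
  return JSON.stringify({
    type,
    challenge: Buffer.from(bytesOf(challenge)).toString('base64url'),
    origin,
    crossOrigin: false,
  });
}

// Payload the content script forwards to the background worker (and it, over HTTPS,
// to the authenticator host) for an intercepted navigator.credentials.create() call.
function prepareCreateRequest(options, origin) {
  const publicKey = options.publicKey;
  const rpId = publicKey.rp.id ?? new URL(origin).hostname; // WebAuthn default: the origin's host
  if (!rpIdMatchesOrigin(rpId, origin)) {
    throw new Error(`rp.id "${rpId}" is not valid for origin ${origin}`);
  }
  return {
    origin,
    clientDataJSON: buildClientDataJSON('webauthn.create', publicKey.challenge, origin),
    publicKey: toWire({ ...publicKey, rp: { ...publicKey.rp, id: rpId } }),
  };
}
```

Restoring a tagged field always yields an ArrayBuffer, even where the page passed a Uint8Array; WebAuthn accepts either (BufferSource), so the normalisation is harmless. The same rp.id check should be repeated on the authenticator host, since the server cannot assume the extension it talks to is unmodified.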
Service topology:
```
+-----------------------------------------------+
|                                               |
|             PostgreSQL (Database)             |
|                                               |
+----------+--------------------------+---------+
           |                          |
           |                          |
+----------+---------+     +----------+---------+     +--------------------+
|                    |     |                    |     |                    |
|    Auth service    |     |        API         +-----+  Azure Key Vault   |
|                    |     |                    |     |                    |
+----------+-----+---+     +---+------+---------+     +--------------------+
           |     |             |      |
   Session |     +-------------+-+    | JWT
           |                   | |    |
           |     +-------------+ |    |
           |     | JWT    API key|    |
           |     |               |    |
+----------+-----+---+     +-----+----+---------+     +--------------------+
|                    |     |                    |     |                    |
|    Console BFF     |     |   Public API BFF   +-----+    OpenAPI Docs    |
|                    |     |                    |     |                    |
+----------+---------+     +----------+---------+     +--------------------+
           |                          |
   Session |                          | API key
           |                          |
+----------+---------+     +----------+---------+
|                    |     |                    |
|  Console Frontend  |     | Browser Extension  |
|                    |     |                    |
+--------------------+     +--------------------+
```
Try the Next.js passkeys example:
```sh
cd examples/nextjs && pnpm db:generate && pnpm db:push && pnpm start
```
Available at http://localhost:4000.
Environment Variables: Managed with dotenvx for dev/test/production, with encryption support for secrets.
- Dev/Test: .env.development, .env.test (plaintext)
- Production: .env.production (encrypted), decryption key in .env.keys
⚠️ Never commit .env.keys to version control.
Key Vault: Uses Azure Key Vault (production) or LowKey Vault (development)