PASSWORDLESS authentication is examined in depth here as part of Unit 42’s series on passkey adoption, with this post focusing on Google Authenticator and the architecture behind synced passkeys for desktop users. The piece explains that Google’s cloud authenticator handles sensitive cryptographic operations while Chrome still relies on hardware-backed keys on the device, tying sessions to TPM-backed identity and UV keys.
It describes the onboarding flow where two TPM-backed keys are created and a device is registered to a cloud authenticator, which stores hardware-backed public keys and generates a wrapping key used to encrypt secrets such as the SDS and passkey material. It also covers how passkeys are created, encrypted with the SDS, and synchronised across enrolled devices via a security domain, including the use of WebAuthn and a secure Chrome–cloud communications channel built on the Noise Protocol Framework.
The article notes that this is Part 2 of the series, written by Arie Olshtein and published on 23 March 2026, and signals an upcoming third post exploring potential attack vectors in passwordless environments according to Unit 42.