
Why is Bluetooth used if it doesn’t transmit the passkey?

Vincent Delitz


Created: February 3, 2025

Updated: April 30, 2025



Why Is Bluetooth Used If It Doesn’t Transmit the Passkey?

In passkey authentication, Bluetooth is used in certain authentication flows, such as cloud-assisted Bluetooth Low Energy (caBLE), but it does not transmit the actual passkey. Instead, it serves a crucial role in ensuring that the two devices involved in authentication are physically close before proceeding with secure cryptographic operations.

The Role of Bluetooth in Passkey Authentication

  • Proximity Verification: Bluetooth allows the authentication process to confirm that the two devices (the one requesting authentication and the one holding the passkey) are physically near each other. This prevents remote phishing attacks or unauthorized login attempts from distant locations.
  • Mitigating Man-in-the-Middle (MitM) Attacks: Because Bluetooth ensures proximity, it reduces the likelihood of a MitM attack, where an attacker intercepts the authentication request over the internet.
  • Session Establishment: Bluetooth acts as a triggering mechanism for establishing a secure session. Once proximity is verified, the actual authentication data exchange happens over an encrypted internet connection, rather than being sent directly over Bluetooth.

How Does Authentication Work Without Bluetooth Transmitting the Passkey?

  • The private key of the passkey never leaves the secure storage of the authenticating device.
  • The device holding the passkey cryptographically signs a challenge from the server.
  • The signed challenge is then sent over a secure internet connection, not over Bluetooth.
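The three steps above, sketched as an added example (not code from the article or from any passkey SDK): a simplified WebAuthn-style assertion in Node.js in which the private key stays on the device object and only the signed challenge reaches the server. The names `createAuthenticator` and `verifyAssertion` and the relying party `example.com` are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Device holding the passkey. The private key stays inside this closure;
// callers only ever get the public key and signed assertions back.
// Simplification: the browser normally builds clientDataJSON; it is merged in here.
function createAuthenticator(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // registered with the server when the passkey was created
    getAssertion(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: "webauthn.get",
        challenge: challenge.toString("base64url"),
        origin,
      }));
      // authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount (4 bytes)
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
    },
  };
}

// Server side: check challenge, origin and RP ID hash, then the signature.
function verifyAssertion(assertion, expected, publicKey) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "bad type";
  if (clientData.challenge !== expected.challenge.toString("base64url")) return "bad challenge";
  if (clientData.origin !== expected.origin) return "bad origin";
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "bad rpId";
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, assertion.signature) ? "ok" : "bad signature";
}

// Constructed sample values; example.com is a placeholder relying party.
const rp = { rpId: "example.com", origin: "https://example.com" };
const phone = createAuthenticator(rp.rpId);
const challenge = crypto.randomBytes(32); // issued by the server per login
const assertion = phone.getAssertion(challenge, rp.origin);
console.log(verifyAssertion(assertion, { ...rp, challenge }, phone.publicKey));
// A captured assertion is useless against a later, different challenge.
console.log(verifyAssertion(assertion, { ...rp, challenge: crypto.randomBytes(32) }, phone.publicKey));
```

Because the server checks the challenge and origin before the signature, an assertion intercepted in transit cannot be replayed for another login or another site.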

Does Bluetooth Always Have to Be Enabled?

Not necessarily. Some authentication methods, such as QR code scanning, allow for passkey authentication without requiring Bluetooth. However, caBLE (cloud-assisted Bluetooth Low Energy) is a preferred method in certain implementations to streamline the user experience while maintaining security.

Key Takeaway

Bluetooth in passkey authentication is not used for data transfer but as a security layer to confirm physical proximity. This enhances security without compromising the integrity of the cryptographic authentication process.
