Why is Bluetooth used if it doesn’t transmit the passkey?

Vincent Delitz


Created: February 3, 2025

Updated: February 17, 2025


In passkey authentication, Bluetooth is used in certain authentication flows, such as cloud-assisted Bluetooth Low Energy (caBLE), but it does not transmit the actual passkey. Instead, it serves a crucial role in ensuring that the two devices involved in authentication are physically close before proceeding with secure cryptographic operations.

The Role of Bluetooth in Passkey Authentication

  • Proximity Verification: Bluetooth allows the authentication process to confirm that the two devices (the one requesting authentication and the one holding the passkey) are physically near each other. This prevents remote phishing attacks or unauthorized login attempts from distant locations.
  • Mitigating Man-in-the-Middle (MitM) Attacks: Because Bluetooth ensures proximity, it reduces the likelihood of a MitM attack, where an attacker intercepts the authentication request over the internet.
  • Session Establishment: Bluetooth acts as a triggering mechanism for establishing a secure session. Once proximity is verified, the actual authentication data exchange happens over an encrypted internet connection, rather than being sent directly over Bluetooth.

How Does Authentication Work Without Bluetooth Transmitting the Passkey?

  • The private key of the passkey never leaves the secure storage of the authenticating device.
  • The device holding the passkey cryptographically signs a challenge from the server.
  • The signed challenge is then sent over a secure internet connection, not over Bluetooth.
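
The split described in this list and in the role-of-Bluetooth list above, as an added example rather than code from the article or from any passkey implementation: a simplified Node.js model in which the BLE advertisement carries only a proximity proof and the signed challenge travels over a separate path. It is not the CTAP hybrid wire format; `linkSecret`, the nonce, the HMAC-based advert and all function names are assumptions made for illustration.

```javascript
// Simplified model (added example): NOT the real caBLE / CTAP hybrid wire format.
const crypto = require('node:crypto');

// Phone: the passkey private key is generated here and never returned to callers.
// linkSecret is a hypothetical secret both devices already share.
function createPhone(linkSecret) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only key material the server ever holds
    // BLE advertisement: a proximity proof only, no key and no signature.
    advertise: (nonce) => crypto.createHmac('sha256', linkSecret).update(nonce).digest(),
    // Assertion: signature over the server challenge, returned over the internet path.
    signOverTunnel: (challenge) => crypto.sign('sha256', challenge, privateKey),
  };
}

// Laptop: accept an advert only if it proves knowledge of linkSecret for this nonce.
function proximityOk(linkSecret, nonce, advert) {
  const expected = crypto.createHmac('sha256', linkSecret).update(nonce).digest();
  return Buffer.isBuffer(advert) && advert.length === expected.length &&
    crypto.timingSafeEqual(advert, expected);
}

// Full flow. bleInRange models whether the advert physically reaches the laptop.
function login(phone, linkSecret, bleInRange) {
  const challenge = crypto.randomBytes(32); // issued by the server
  const nonce = crypto.randomBytes(16);     // per-attempt value the laptop hands to the phone (assumption)
  const advert = bleInRange ? phone.advertise(nonce) : null;
  if (!proximityOk(linkSecret, nonce, advert)) {
    // No proximity proof: the signing step is never reached.
    return { ok: false, reason: 'no proximity proof', bleBytes: 0 };
  }
  const signature = phone.signOverTunnel(challenge); // internet path, not BLE
  const ok = crypto.verify('sha256', challenge, phone.publicKey, signature); // server-side check
  return { ok, reason: ok ? 'verified' : 'bad signature', bleBytes: advert.length };
}
```

With `bleInRange` set to `false`, `login` stops before any signature is produced, which is the property the proximity check adds on top of the challenge-response itself.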

Does Bluetooth Always Have to Be Enabled?

Not necessarily. Some authentication methods, such as QR code scanning, allow for passkey authentication without requiring Bluetooth. However, caBLE (cloud-assisted Bluetooth Low Energy) is a preferred method in certain implementations to streamline the user experience while maintaining security.

Key Takeaway

Bluetooth in passkey authentication is not used for data transfer but as a security layer to confirm physical proximity. This enhances security without compromising the integrity of the cryptographic authentication process.
