A comprehensive playground to explore and test the WebAuthn PRF (Pseudo-Random Function) extension for passkeys.
The PRF (Pseudo-Random Function) extension is a WebAuthn extension that allows passkeys to generate deterministic cryptographic keys from provided salt values. This enables secure key derivation scenarios, such as:
Layer | Platform / product | PRF today | Notes |
---|---|---|---|
Platform passkeys | iOS 18 / iPadOS 18 | ✅ (full) | Shipped with Safari 18; ASAuthorizationPublicKeyCredentialPrf… APIs now public |
Platform passkeys | macOS Sequoia 15.4+ | ✅ (iCloud Keychain passkeys) | Works in Safari 18.4 and Chrome/Edge ≥128 that call the OS APIs. Requires iCloud Keychain to be enabled. External security-key "QR-code" flows still omit PRF |
Platform passkeys | Android 14 + Google Password Manager (Chrome ≥130) | ✅ | Blink's "Intent-to-Ship" covers all six Chromium platforms, incl. Android; depends on updated WebAuthn libs in Play-Services |
Platform passkeys | Windows Hello (Windows 11 24H1) | ❌ | Microsoft has not enabled the PRF code path yet; feature-request thread still open |
Roaming security keys | YubiKey 5 series / Bio / Security Key 2 | ✅ | Firmware ≥ 5.2 advertises CTAP2 hmac-secret, which WebAuthn PRF reuses |
Roaming security keys | Google Titan M2, Feitian BioPass, Solo V2 | ✅ | All ship with hmac-secret; PRF works in any PRF-aware browser |
Browsers | Chrome / Edge desktop ≥ 128 | ✅ (default-on) | First stable version with PRF fully on by default |
Browsers | Chrome Android ≥ 130 | ✅ (default-on) | Same Blink code path as desktop |
Browsers | Safari 18.0+ | ✅ (platform credentials) | PRF only returned for platform passkeys; external keys & QR-flows still return undefined |
Browsers | Firefox ≥ 114 | 🟡 | PRF available only when a CTAP-level hardware key (e.g., YubiKey) is used; no platform-passkey PRF yet |
Password-manager passkey vaults | 1Password | ✅ on iOS 8.10.74+; 🟡 desktop | iOS build adds PRF-based vault unlock; desktop editions rely on the underlying OS/browser, so PRF works on macOS 15.4+ but not Windows yet |
Password-manager passkey vaults | Bitwarden (web & browser-ext v2025.2) | ✅ | Uses PRF to decrypt the vault when both the browser and authenticator expose it |
Password-manager passkey vaults | Google Password Manager | ✅ | Passkeys synced via Google TPM-backed store expose PRF in Chrome |
Password-manager passkey vaults | Dashlane, Proton Pass, Enpass | ❌ | Have announced passkey storage but no PRF roadmap yet |
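
The salt-to-key flow described at the top of the page, with a fail-closed check for the combinations in the table that return no PRF result. This is an added example, not the playground's own code; the function names and the salt label are illustrative assumptions.

```javascript
// Added example. PRF_SALT_LABEL is a constructed, app-specific salt (assumption).
const PRF_SALT_LABEL = "example-app/vault-key/v1";

// Build navigator.credentials.get() options that evaluate PRF over one salt.
function buildPrfRequest(challenge, credentialId) {
  return {
    publicKey: {
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      // CTAP2 hmac-secret keeps separate secrets for UV and non-UV use,
      // so pin user verification to keep the derived key stable.
      userVerification: "required",
      extensions: { prf: { eval: { first: new TextEncoder().encode(PRF_SALT_LABEL) } } },
    },
  };
}

// Interpret getClientExtensionResults(). Fail closed: a missing or malformed
// PRF result must never fall back to a weaker key source.
function readPrfOutput(extResults) {
  const first = extResults?.prf?.results?.first;
  if (first === undefined) return { ok: false, reason: "prf-not-returned" };
  const bytes = new Uint8Array(first);
  if (bytes.byteLength !== 32) return { ok: false, reason: "unexpected-length" };
  return { ok: true, bytes };
}

// Run the raw PRF output through HKDF to get a non-extractable AES-GCM key.
async function deriveAesKey(prfBytes) {
  const ikm = await crypto.subtle.importKey("raw", prfBytes, "HKDF", false, ["deriveKey"]);
  return crypto.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32),
      info: new TextEncoder().encode(PRF_SALT_LABEL) },
    ikm, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Browser-only entry point: authenticate, check the PRF result, derive the key.
async function getVaultKey(challenge, credentialId) {
  const assertion = await navigator.credentials.get(buildPrfRequest(challenge, credentialId));
  const prf = readPrfOutput(assertion.getClientExtensionResults());
  if (!prf.ok) throw new Error(`PRF unavailable: ${prf.reason}`);
  return deriveAesKey(prf.bytes);
}
```

Changing the salt label yields an unrelated key from the same passkey, so anything encrypted under the old key must be re-wrapped before the label is changed.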