If you then purchased passkeys that supported a custom seed, you could then replicate this seed to as many keys as you needed.
There are always security tradeoffs, but this was a mechanism to store something in the real world that had about 115 bits of entropy, as 'Something you know'.
The problem is that most humans aren't capable of remembering high-entropy passwords, and are even worse entropy sources.
Most password managers and passkey implementations solve that problem by either requiring additional entropy (such as 1Password's "secret key") and/or rate limiting retrieval attempts using some zero knowledge based PAKE server-side (i.e. you can only retrieve the encrypted database if you can prove knowledge of the password, and attempts are rate limited).
My project does neither, so unless your passphrase is very high entropy, this approach is not secure. (And if it is high entropy – where are you storing that in turn?)
Shameless plug: Here's one that is "something you know" :) https://github.com/lxgr/brainchain
It derives all keypairs from a passphrase, and rederives the private key from the key handle, similar to "stateless" hardware authenticators.
Please don't use it for anything important – it's a fundamentally bad idea, similar to "brain wallets"; I only implemented it to figure out whether it was possible, and to improve my own understanding of the WebAuthN and FIDO specifications.
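The "stateless authenticator" pattern the comment describes, written out as an added illustration for this thread; it is not brainchain's own code, and the KDF (scrypt with a fixed salt), the HMAC-SHA256 key handle layout and the P-256 scalar derivation are all assumptions about how such a scheme could be built. The point to take from it is the one made above: nothing in the scheme adds entropy, so an attacker with any one key handle can test passphrase guesses offline at the cost of one KDF call each.

```python
import hashlib
import hmac
import os

# P-256 group order; the derived private scalar is reduced into [1, n-1].
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
NONCE_LEN = 16
TAG_LEN = 16

def master_secret(passphrase: str) -> bytes:
    """Stretch the passphrase into a 32-byte master secret (assumed KDF and salt).

    The salt must be fixed so the same passphrase always yields the same secret;
    that is what makes the design stateless and also what makes offline guessing
    possible for anyone holding a key handle.
    """
    return hashlib.scrypt(passphrase.encode(), salt=b"demo-fixed-salt",
                          n=2**14, r=8, p=1, dklen=32)

def _tag(master: bytes, rp_id: str, nonce: bytes) -> bytes:
    """MAC binding a nonce to one relying party, so handles are not reusable across RPs."""
    msg = b"handle|" + rp_id.encode() + b"|" + nonce
    return hmac.new(master, msg, hashlib.sha256).digest()[:TAG_LEN]

def _scalar(master: bytes, rp_id: str, nonce: bytes) -> int:
    """Derive the per-credential private scalar from master secret, RP and nonce."""
    seed = hmac.new(master, b"key|" + rp_id.encode() + b"|" + nonce, hashlib.sha256).digest()
    return 1 + int.from_bytes(seed, "big") % (P256_ORDER - 1)

def register(master: bytes, rp_id: str):
    """Registration: mint a key handle (stored by the RP as the credential ID) and its private key.

    The authenticator keeps nothing; everything is recomputable from the passphrase.
    """
    nonce = os.urandom(NONCE_LEN)
    return nonce + _tag(master, rp_id, nonce), _scalar(master, rp_id, nonce)

def authenticate(master: bytes, rp_id: str, handle: bytes):
    """Authentication: rederive the private key, or None if the handle is not ours for this RP.

    The MAC check is what stops a malicious RP from presenting a foreign or tampered
    handle and getting a signature under a credential it was never issued.
    """
    if len(handle) != NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = handle[:NONCE_LEN], handle[NONCE_LEN:]
    if not hmac.compare_digest(tag, _tag(master, rp_id, nonce)):
        return None
    return _scalar(master, rp_id, nonce)
```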