FIDO2 and the WebAuthn standard offer phishing-resistant, public-key-based authentication but traditionally rely on device-bound cryptographic keys that are not naturally portable across user devices. Recent passkey deployments address this limitation by enabling multi-device credentials synchronized via platform-specific cloud ecosystems. However, these approaches require users and organizations to trust the corresponding cloud or phone providers with the protection and availability of their authentication material. In parallel, qualified electronic signature (QES) tokens and smart-card-based PKCS#11 modules provide high-assurance, hardware-rooted identity, yet they are not directly compatible with WebAuthn flows. This paper explores architectural options for bridging these technologies by securing a virtual FIDO2 authenticator with a QES-grade PKCS#11 key and enabling encrypted cloud synchronization of FIDO2 private keys. We first present and implement a baseline architecture in which the cloud stores only ciphertext and the decryption capability remains anchored exclusively in the user's hardware token. We then propose a hardened variant that introduces an Oblivious Pseudorandom Function (OPRF)-based mechanism bound to a local user-verification factor, thereby mitigating cross-protocol misuse and ensuring that synchronization keys cannot be repurposed outside the intended FIDO2 semantics; this enhanced design is analyzed but not implemented. Both architectures preserve a pure WebAuthn/FIDO2 interface to relying parties while offering different trust and deployment trade-offs. We provide the system model, threat analysis, implementation of the baseline architecture, and experimental evaluation, followed by a discussion of the hardened variant's security implications for high-assurance authentication deployments.