Open sergey-lukianov opened 10 months ago
https://pomcor.com/2017/06/02/keys-in-browser/
In the Web Cryptography API, generation of an RSA or ECDSA key pair produces two CryptoKey objects, one containing the private key, the other containing the public key. When the key pair is generated, the private key can be made non-extractable from its CryptoKey object. This means that it cannot later be extracted from the object by JavaScript code embedded in a Web page, even if that Web page has the same origin as the Web page containing the JavaScript code that invoked the key generation procedure. A CryptoKey object is not persistent by itself, and it is not an ordinary JavaScript object that could be encoded as a string for storage in localStorage, but it can be stored in a database accessed through the IndexedDB API.
https://github.com/w3c/webauthn/issues/1595#issuecomment-824313201
https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Large-Blob-Extension
Encrypt localStorage with passkey if available
https://passkeys.dev/device-support/#matrix
https://web.dev/articles/passkey-registration
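
The non-extractable key behaviour described in the quoted Pomcor paragraph, as an added example that is not part of the original issue or of the linked article: it generates an ECDSA key pair with `extractable` set to `false`, shows that export of the private key is refused while signing still works, and persists the pair in IndexedDB. The helper names, the database, store and record names (`keystore`, `keys`, `signing`) and the Node.js fallback in `getSubtle` are assumptions of this example.

```javascript
// Added example. In a browser, crypto.subtle and indexedDB are globals;
// the dynamic import is only a fallback so the same code also runs under Node.js.
async function getSubtle() {
  return globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
}

// Generate an ECDSA P-256 key pair whose private key is non-extractable.
async function generateSigningKeyPair() {
  const subtle = await getSubtle();
  return subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" },
    false, // extractable = false; the public key remains exportable
    ["sign", "verify"]
  );
}

// Try to export the private key; resolves to true if the export was refused.
async function privateExportIsRefused(keyPair) {
  const subtle = await getSubtle();
  try {
    await subtle.exportKey("pkcs8", keyPair.privateKey);
    return false;
  } catch {
    return true;
  }
}

// The key stays usable through the API even though its bytes cannot be read.
async function signAndVerify(keyPair, text) {
  const subtle = await getSubtle();
  const data = new TextEncoder().encode(text);
  const alg = { name: "ECDSA", hash: "SHA-256" };
  const sig = await subtle.sign(alg, keyPair.privateKey, data);
  return subtle.verify(alg, keyPair.publicKey, sig, data);
}

// Browser only: persist the CryptoKey pair in IndexedDB (structured clone).
// localStorage cannot hold it, because a CryptoKey has no string encoding.
function storeKeyPair(keyPair) {
  return new Promise((resolve, reject) => {
    const open = indexedDB.open("keystore", 1); // names chosen for this example
    open.onupgradeneeded = () => open.result.createObjectStore("keys");
    open.onerror = () => reject(open.error);
    open.onsuccess = () => {
      const tx = open.result.transaction("keys", "readwrite");
      tx.objectStore("keys").put(keyPair, "signing");
      tx.oncomplete = () => resolve();
      tx.onerror = () => reject(tx.error);
    };
  });
}
```

Non-extractability stops same-origin script from reading the key bytes, but script running in that origin can still load the stored object and call `sign` with it.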