Titanium Passkey

Passkeys bound to your device — not replicated to a cloud. Private keys live in the Secure Enclave, gated by Face ID or Touch ID. No account, no sync, no tracking.

Titanium Passkey is an offline FIDO2 / WebAuthn credential provider for iPhone, iPad, and Mac. Every private key lives inside the Secure Enclave and never leaves it. Every sign-in is gated by Face ID or Touch ID, enforced in hardware.

WHY TITANIUM PASSKEY? • Passkeys bound to silicon — never replicated to a vendor cloud you don't control • No account, no sign-up, no subscription — install and use • Works with every passkey-capable site: GitHub, Google, your bank, self-hosted apps • A stolen phone signs nothing — biometric enrollment gates the private key at the hardware level • Zero telemetry, zero analytics, zero tracking SDKs in the binary • Sign in on any desktop — Windows, Mac, Linux, Chromebook. On the browser's passkey prompt, choose "Use a Device Nearby" / "Other Options" and scan the QR code with your iPhone. Your phone stays the authenticator; the desktop never sees your key.

HOW IT WORKS Enable Titanium Passkey under Settings → Passwords → Use Passwords and Passkeys from. When a site requests a passkey, iOS routes the challenge to the extension. The extension wakes, Face ID or Touch ID unlocks the key inside the Secure Enclave, the assertion is signed on-chip, and handed back. You're signed in.

WEBAUTHN SUPPORT • ES256 (COSE -7) over WebAuthn — the baseline every passkey-capable site supports • PRF extension (hmac-secret) for encrypted data binding • Conditional mediation — silently offer passkey sign-in without interrupting the user • Fast authentication — skip the picker when only one passkey matches

STORAGE & KEYS • EC P-256 keys created with kSecAttrTokenIDSecureEnclave — not extractable by the app, iOS, or Apple • Gated by biometryCurrentSet + privateKeyUsage — re-enrolling Face ID invalidates keys • Keychain marked AfterFirstUnlockThisDeviceOnly — excluded from iCloud, iTunes, and Finder backups • Optional multi-device tier for iCloud Keychain sync, off by default, trade-offs explained in-app

PRIVACY • The Credential Provider extension has no network entitlement — it cannot reach the internet • No account, no email, no cloud • No telemetry, no analytics, no ad identifiers • Attestation uses the 'none' format — we don't uniquely identify your device to relying parties • Anonymous crash reports only if you've opted in via iOS Settings

No subscriptions. No in-app purchases. Just passkeys, bound to silicon.