CubeAuthn transforms a Bluetooth-enabled Rubik's cube into a WebAuthn-compatible authenticator by using the cube's physical state to deterministically generate cryptographic keypairs for passkeys.
Note
Check out the demo video to see it in action or get it here on the Chrome Web Store!
Warning
This is a proof-of-concept implementation. It currently supports only the GAN 356 i3 smart cube. The implementation is not secure, and cannot be made secure with the current firmware of the GAN 356 i3, because the cube broadcasts weakly encrypted messages that include the cube state. This and other issues make it impractical for real-world use.
Unlike traditional security tokens that store credentials, CubeAuthn uses the cube's physical state (one of 43 quintillion possible configurations) as part of a cryptographic seed. Keys are generated deterministically only during authentication, eliminating persistent credential storage.
- WebAuthn/FIDO2 compatible - works with any passkey-enabled website
- Deterministic key generation from cube state + secret
- No credential storage - keys exist only during authentication
- Optional Chrome sync/local support for secret
- Scramble verification before authentication
CubeAuthn explores a different approach to authentication security:
- No persistent keys: Cryptographic material is generated on-demand and never stored
- Physical dependency: Requires the cube in the exact physical configuration
- Reduced attack surface: No stored keys means no keys to extract via side-channel attacks
- Trade-offs: Bluetooth communication and browser extension architecture introduce their own vulnerabilities
- Architecture: Browser extension built with Plasmo framework
- Cube Interface: Web Bluetooth API for GAN i3 communication
- Cryptography:
  - Ed25519 keypairs derived from cube state
  - PBKDF2-SHA512 for key derivation
  - AES-128 decryption of cube messages
- WebAuthn Integration: Intercepts `navigator.credentials` calls via content script injection
- State Encoding: Cube configuration encoded as 64-bit integer using mixed-radix system
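The derivation chain listed above (64-bit cube state plus secret, PBKDF2-SHA512, Ed25519 keypair), as an added Node.js example that is not CubeAuthn's own code. The salt, the iteration count, the way state and secret are concatenated, and the function names `deriveSeed`, `deriveKeypair` and `publicKeyHex` are assumptions made for illustration; all sample values are constructed.

```javascript
const nodeCrypto = require("node:crypto");

// Assumed parameters (constructed for this example, not taken from CubeAuthn).
const ITERATIONS = 100000;
const SALT = Buffer.from("example-salt", "utf8");
// Fixed PKCS#8 DER header for Ed25519; the 32-byte private seed follows it.
const PKCS8_ED25519_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");

// PBKDF2-SHA512 over (64-bit cube state || secret) -> 32-byte Ed25519 seed.
function deriveSeed(cubeState, secret) {
  const stateBytes = Buffer.alloc(8);
  stateBytes.writeBigUInt64BE(cubeState); // throws if the value exceeds 64 bits
  const input = Buffer.concat([stateBytes, Buffer.from(secret, "utf8")]);
  return nodeCrypto.pbkdf2Sync(input, SALT, ITERATIONS, 32, "sha512");
}

// Rebuild the keypair from scratch; nothing is read from or written to storage.
function deriveKeypair(cubeState, secret) {
  const seed = deriveSeed(cubeState, secret);
  const privateKey = nodeCrypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, seed]),
    format: "der",
    type: "pkcs8",
  });
  return { privateKey, publicKey: nodeCrypto.createPublicKey(privateKey) };
}

// Raw 32-byte public key (tail of the SPKI encoding), as hex.
function publicKeyHex(keypair) {
  const spki = keypair.publicKey.export({ format: "der", type: "spki" });
  return spki.subarray(spki.length - 32).toString("hex");
}

// Constructed sample values: registration, a later login, and a cube one state off.
const registered = deriveKeypair(0x0123456789abcdefn, "constructed secret");
const later = deriveKeypair(0x0123456789abcdefn, "constructed secret");
const wrongCube = deriveKeypair(0x0123456789abcdeen, "constructed secret");

const challenge = Buffer.from("constructed challenge");
const assertion = nodeCrypto.sign(null, challenge, later.privateKey);
console.log("same key re-derived:", publicKeyHex(registered) === publicKeyHex(later));
console.log("assertion verifies:", nodeCrypto.verify(null, challenge, registered.publicKey, assertion));
console.log("wrong state, same key:", publicKeyHex(registered) === publicKeyHex(wrongCube));
```

Because the keypair is a pure function of the cube state and the secret, anyone who learns both can re-derive it, which is why the weakly encrypted broadcast of the cube state described in the warning matters.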
- Install from Chrome Web Store
- Connect your GAN 356 i3 cube
- Register cube MAC address
- Set your secret scramble
- Authenticate on any WebAuthn site
Star the repo, submit PRs, and connect on LinkedIn!
@INPROCEEDINGS{11280260,
author={Arnott, James and Zhang, Li},
booktitle={2025 International Conference on Machine Learning and Cybernetics (ICMLC)},
title={From Puzzle to Passkey: Physical Authentication Through Rubik’s Cube Scrambles},
year={2025},
volume={},
number={},
pages={522-527},
keywords={Bluetooth;Authentication;Transforms;Machine learning;Vectors;Browsers;Cryptography;System analysis and design;Standards;Faces;Passkey;FIDO;WebAuthn;Rubik's Cube;Physical Authentication;Deterministic Key Generation},
doi={10.1109/ICMLC66258.2025.11280260}}