Rubik’s Cube as a Physical Passkey: FIDO2-Compatible CubeAuthn Demo

TL;DR

Researchers describe CubeAuthn, a proof-of-concept system that uses a Rubik’s Cube’s physical configuration as a deterministic seed to generate on-demand FIDO2-compatible credentials. The system is implemented as a browser extension that can authenticate to WebAuthn-enabled sites by reading the cube’s state.

What happened

At the 2025 International Conference on Machine Learning and Cybernetics, authors James Arnott and Li Zhang presented a paper describing CubeAuthn, a novel authentication approach that treats a Rubik’s Cube’s physical arrangement as part of a digital key. The system reads a cube’s specific configuration — one of roughly 43 quintillion possible states — and derives a deterministic cryptographic seed from that physical state. That seed is then used to generate FIDO2-compatible credentials on demand rather than relying on stored tokens. The team implemented a browser extension to demonstrate logging into WebAuthn-enabled sites using the cube-derived keypair. The paper, published by IEEE and added to IEEE Xplore in December 2025, outlines the system design and includes discussion of limitations and future work.

Why it matters

• Shifts credential material from stored tokens to a physical object's state, altering the threat model for key storage.
• Offers a possible FIDO2/WebAuthn-compatible authentication pathway that relies on a tangible, user-held artifact.
• Could lower dependence on separate hardware tokens if the concept proves practical and reliable.
• Raises questions about usability and recovery models for authentication tied to physical object configurations.

Key facts

• Paper title: From Puzzle to Passkey: Physical Authentication Through Rubik’s Cube Scrambles.
• Authors: James Arnott and Li Zhang; presented at the 2025 International Conference on Machine Learning and Cybernetics (ICMLC).
• Core idea: use a Rubik’s Cube’s specific arrangement (one of ~43 quintillion states) as a deterministic seed to generate cryptographic keypairs.
• System generates FIDO2-compatible credentials on demand instead of storing credentials in a token.
• Proof-of-concept named CubeAuthn implemented as a browser extension for authenticating to WebAuthn-enabled websites.
• Publisher: IEEE; document added to IEEE Xplore on 15 December 2025; DOI: 10.1109/ICMLC66258.2025.11280260.
• Paper contains sections on system design, related work, discussion and limitations, and future work.

What to watch next

• Security and robustness of cube-state capture and key derivation processes — not confirmed in the source.
• Real-world usability studies and user recovery methods for authentication tied to a physical puzzle — not confirmed in the source.
• Integration and interoperability testing with broader FIDO2/WebAuthn deployments — not confirmed in the source.

Quick glossary

• FIDO2: An industry standard that enables passwordless authentication using public-key cryptography and interoperable authenticators.
• WebAuthn: A W3C standard API that allows web applications to use public-key credentials for strong authentication in browsers.
• Cryptographic seed: An initial piece of entropy or input from which cryptographic keys or keypairs can be deterministically derived.
• Hardware security key: A physical device that stores or generates cryptographic credentials used to authenticate a user to services.

Reader FAQ

Does the system replace stored credentials with the cube's configuration?
According to the paper, CubeAuthn generates credentials on demand from the cube's physical state rather than relying on stored tokens.

Is CubeAuthn compatible with existing web authentication standards?
The authors state the system produces FIDO2-compatible credentials and the proof-of-concept authenticates to WebAuthn-enabled sites.

Has the system been tested in real-world deployments?
not confirmed in the source

Who authored and published the work?
James Arnott and Li Zhang; published by IEEE and presented at the 2025 ICMLC conference.

Conferences >2025 International Conference… From Puzzle to Passkey: Physical Authentication Through Rubik’s Cube Scrambles Publisher: IEEE Cite This PDF James Arnott; Li Zhang All Authors 6 Full Text Views Abstract…

Sources

• My first paper: A practical implementation of Rubiks cube based passkeys
• FIDO2 / Passkeys Authentication Demo

Related posts

• Researchers show IBM’s coding agent Bob can be tricked into running malware
• Grok Is Generating Graphic Sexual Content, Including Apparent Minors
• Notion AI flaw saves unapproved edits, enabling data exfiltration