What are Passkeys?

A little background on FIDO2 WebAuthn

Passwordless authentication is based on the FIDO2 Web Authentication (WebAuthn) standard, which eliminates the need to enter a password by using private and public key cryptography for secure authentication along with a secondary form of authentication, such as a fingerprint scan, facial recognition, or other biometric authenticator. Push notifications on a mobile authenticator app can also be used, as can one-time passcodes (OTPs) or the device's unlock PIN.

Until now, the widespread use of passwordless has faced some hurdles due to limitations in the portability of WebAuthn, which has been tied to the physical device owned by the user. If the user loses or replaces the device used for passwordless, the new device no longer holds the user credentials (private key) to authenticate, and the user must begin the passwordless process again.

Passkeys, also known as multi-device credentials, eliminate this restriction by allowing the private keys to be stored in a vault in the device vendor's cloud instead of on the device itself. What this means is that you can register one device, such as an iPhone, and, because your identity is connected through the Apple ecosystem, your passkey can also be used with your iPad and MacBook.

Because passkeys remove the reliance on hardware, a user can change devices without having to start over with passwordless. Furthermore, even if a device is lost or stolen, the passkey is stored in the mobile phone's encrypted memory, so the likelihood of it somehow being extracted from the device is slim — and even if it could be, the passkey wouldn't work without the user's biometric or other secondary authentication.

How do passkeys work?

The password is known as a static shared secret, which means that the user knows the secret and so does the server on the other end. That's one problem, because any time something is known, it can be shared, stolen, or phished.

Instead of relying on a shared secret like a password, WebAuthn generates a pair of security keys on the user's device, one is private and the other public. The private key is securely stored on the device and never leaves it, while the public key is shared with the web service.

When using a passkey to sign up for a service or website, such as an online retailer, the user needs a personal device, like a smartphone, that is not shared with others. During registration, the smartphone will create two encrypted keys, which are unique and specific for each service. There is the private key, which remains on the smartphone, and the public key, which is held by the website. These keys are linked together and both keys are required for authentication.

Each time the user attempts a login, the service will pose a "challenge" that only the user will be able to solve with the private key on that user's device. Once this "challenge" is solved, the user proves that they are the owner of the smartphone by putting their finger on the fingerprint reader (or another biometric), or using an OTP or push.

Unlike a traditional password, the user's private key is never shared with a website or service, nor is it stored on their servers.

Why passkeys are far superior to passwords

Besides creating a terrible user experience, the problems with passwords, especially their security weaknesses, are well known. Best practices say that passwords should be long, complex, and unique for every online account and service. But it's difficult to create and remember hundreds of different passwords. So people tend to create simple passwords that they can remember, and they tend to use the same ones for multiple accounts. And they rarely change them, if ever.

The risks with this approach are two-fold. Not only are these passwords easy to crack, but attackers know that if a password works for one account, it is likely to work for many accounts.

Attackers have a range of tools at their disposal for obtaining people's passwords. Some of the traditional approaches, which remain incredibly effective, include phishing, brute-force attacks, credential stuffing, and more. In 2023, the use of generative AI emerged with the potential to crack passwords and develop new methods of attack far faster than humans ever could.

With passkeys, on the other hand, the user doesn't have to remember a password or enter it. The private key is stored on the user's device, and it's retrieved automatically when signing into an account. A copy of the public key is stored with the account provider.

The private key is never shared with the website the user is signing in to. That eliminates the concern of websites storing user credentials, because the public key on its own can't be used to gain access to an account even if it were to be stolen. Public keys can't be used to "decode" a private key. If a website's servers are breached, the best an attacker can hope to find is a public key, which can't be used to sign in to any account and can't be reverse-engineered to reveal the associated private key.

Passkeys are a strong defense against phishing and other social engineering attacks. Criminals will often create fake but seemingly authentic websites to try to trick users into sharing their login credentials. They will also try to exploit users' security fatigue with tactics like MFA prompt bombing, which tries to get users to "accept" an MFA push notification. Passkeys, thanks to the WebAuthn standard, protect users by ensuring that their credentials are never shared.