Passkeys: an Overview

Passkeys are a new kind of login credentials that entirely replace passwords.

Passkeys are more secure than passwords, easy to use, and are gaining widespread adoption. As of April 2024, major tech companies like Apple, Google, and Microsoft rolled out support for passkeys across their platforms. Major browsers and over a hundred websites are also onboard. Moreover, leading password managers like 1Password and Bitwarden are shifting toward using passkeys. 

If you haven't yet experienced passkeys firsthand, expect to encounter them soon. Here's what you need to know about this new authentication method.

Terminology 

Let’s start with a brief overview of the terminology associated with passkeys. 

FIDO (Fast IDentity Online): a set of open, standardized authentication protocols created by the FIDO Alliance. FIDO protocols use public key cryptography techniques and local authentication methods to enable passwordless logins. The latest FIDO2 specification includes Web Authentication (WebAuthn) and FIDO Client to Authenticator Protocol (CTAP).  

Public Key Cryptography (or Asymmetric Cryptography): a cryptographic system that relies on asymmetric key pairs. A key pair consists of two corresponding keys–public and private–that are mathematically linked. The public key can be openly shared, while the private key should be kept confidential. Key pairs can be used for signing and verification or encryption and decryption. Asymmetric cryptography is fundamental to modern Internet security and underpins widely used protocols such as SSH and HTTPS/TLS.

Web Authentication API (WebAuthn): a specification and a standard API that lets web servers register and authenticate users via public key cryptography. WebAuthn is the underlying protocol for passkeys. 

Passkey: a credential that allows users to prove their identity during authentication. Passkeys are formally defined by a set of technical specifications: FIDO2 and WebAuthn. The core building block of the passkeys infrastructure is a public-private key pair called FIDO credentials. Passkeys can live exclusively on a user’s device or be cloud-synced within the platform they were created with.

What are passkeys? 

A passkey is essentially a digital token saved on your device (PC, smartphone, security key, etc.). Unlike a password, a passkey isn’t something you have to type or remember. 

The main element of a passkey is a cryptographic private key of an asymmetric key pair: It will be generated and stored securely on your device. To log in with a passkey, you won’t be typing a password. Instead, you'll use whatever method you’re already using to unlock your device: a fingerprint, facial recognition, a PIN, or a pattern. This proves your identity. Once your device is unlocked, it will automatically access the private key and use it for authentication. You won’t see the private key and don’t need to know it. Authentication happens quietly in the background when your device uses the private key to sign a cryptographic challenge. We’ll see how this works further down. 

To reiterate: The private key behind your passkey lives on the device where it was generated. In certain cases, your operating system, cloud service, or password manager may cloud sync this passkey to your other devices. Passkey sync providers like iCloud Keychain and Google Password Manager use end-to-end encryption to keep your private keys confidential.

How do passkeys replace passwords? 

Passkeys eliminate the reliance on shared secrets, which is at the core of traditional password authentication. Instead, they leverage a unique mathematical relationship between the two keys of an asymmetric key pair.

The user’s device generates the two keys simultaneously, and the user then shares the public key with the online service at the time of registration. Sharing the public key does not compromise the security of the user identity: It's public information that can be shared without risk. The private key, on the other hand, is kept confidential. To authenticate, the user must demonstrate that they have the corresponding private key of the original key pair. 

A key pair is not tied to any specific individual, and any person can generate one on their device. But the two keys are cryptographically linked, so that the public key can only verify the data signed with the matching private key. This special relationship between the two keys is what lets passkeys replace passwords in authentication flows.

WebAuthn: How does it work under the hood?

Let’s take a closer look at the underlying WebAuthn protocol and the mechanics of how passkeys are generated and used.

WebAuthn is a browser API that allows applications to create and use passkeys for sign-in. It involves three main actors: the Relying Party, the Client, and the Authenticator. 

• The Relying Party (RP) is a website (or a web server) the user is authenticating with. 
• The Client is a web browser or operating system used to access the Relying Party.
• The Authenticator is a hardware secure element or cryptographic authenticator the user can interact with. Authenticators allow asymmetric key pairs to be generated and stored.

WebAuthn outlines two ceremonies to enable logins: registration and authentication.

Registration

As with traditional password-based authentication, the user will have to register with the online service (Relying Party, RP) when trying to access it for the first time.

The process is as follows:

1. The user establishes a connection with the RP. 
2. The user’s device generates a new pair of asymmetric keys specifically for that RP.
3. The device associates the private key with the RP's id and domain and stores it in a secure location (e.g. Windows Credential Manager or iPhone Keychain).
4. The public key is shared with the RP, which stores the user’s id and public key together. This ensures that the public key is uniquely tied to the user.

Authentication

The next time the user logs in, the RP will send a cryptographic challenge to the user. The user must respond by signing the challenge with the private key associated with this RP. 

Here’s how it works:

1. The user initiates the login process.
2. The RP generates a cryptographic challenge (typically a large random number) and sends it to the user.
3. The user verifies their identity through their preferred device-based method, such as a biometric or a PIN code. This step grants access to the private key stored on their device (the authenticator).
4. The private key is used to sign the RP’s cryptographic challenge.
5. The signed challenge is sent back to the RP.
6. The RP verifies the signature using the public key associated with the user.

A successfully verified signature ensures the integrity of the message and confirms that it hasn’t been tampered with.

This process proves that the user who signed the message is the owner of the private key.

The user never directly interacts with the private key. Instead, they simply access the private key stored on their device by providing their biometric data or PIN.

How do authenticators work?

Passkeys don’t require you to use a smartphone every time you log in. You can create a separate passkey on each device you use (e.g. a laptop, PC, or tablet). Some platforms offer passkey backup and synchronization across the user's devices.

It’s also possible to create a passkey on one device but use a different device to log in. Say you’re using a Windows laptop to log in to an account that your iPhone created the original passkey for. In this case, your iPhone simply needs to be physically close to your Windows laptop. During authentication, this will be verified via Bluetooth or by scanning a QR code.

In summary, authenticators come in two types:

• Platform authenticators are built directly into a device or are software components operating on it (e.g. Google Password Manager or Apple iCloud Keychain). 
• Roaming authenticators can be used on devices other than the one the user is authenticating on. If an authenticator is built into a device but enables other devices to access a service, it's a roaming authenticator. Security keys and smartphones (when used with another device) are roaming authenticators.

Why are passkeys better than passwords?

Passwords create certain problems for both end-users and developers. Passkeys, by design, solve many of them: 

1. No more easy-to-guess passwords: Passkeys are generated automatically using a secure algorithm with randomized parameters. As a result, the risk of dictionary-based attacks due to weak passwords is eliminated. 
   
   
2. More secure storage: The private element of a passkey is securely stored in a trusted authenticator so the vulnerability associated with inadequate storage practices on the client side is eliminated. Passwords are no longer stored in insecure locations like post-it notes or mobile phone contact lists.
   
   
3. Unique password for each site (no credential reuse): Different passkeys are automatically created for different websites. This eliminates the risk of password reuse, reduces susceptibility to credential stuffing, and mitigates the impact of compromised credentials.
   
   
4. No secrets sent over the Internet: Passkeys rely on sending a signed challenge—not the actual private key—to the website during login. The private key stays safely on the user’s device without any risk of interception in travel.
   
   
5. No more minimum password criteria: With passkeys, there’s no longer a need for complex arbitrary requirements on e.g. password length or character sets.
   
   
6. Improved database security: The private element of a passkey is never stored in server databases. This eliminates the risk of inadequate storage practices or potential database breaches. (Although websites will still need to secure the rest of the data they collect.)
   
   
7. The end to phishing: Passkeys prevent phishing attempts by eliminating the need to enter passwords on a website. Also, since all credentials are associated with a particular web service—a key pair registered at example.com cannot be used at evil-example.com—your device should recognize a phishing website as fake. In fact, because the domain is different, the fake phishing site will not even show the passkey prompt in the first place.

What do passkeys mean for Single-Sign-On and OpenID Connect?

Passkeys introduce a new way to authenticate a user but don’t change the way developers manage the resulting authentication session. Once the Relying Party has authenticated the user, it can generate the authentication cookie or a JWT, just as it did with password-based authentication.

Therefore, passkey and SSO can seamlessly coexist, and it’s still possible to use one account to access multiple applications. Similarly, passkeys can coexist with OpenID Connect or OAuth 2.0: After a passkey-based authentication, the identity provider or authorization server may issue the required tokens as usual.

Summary

Passkeys represent a step forward in authentication methods compared to traditional passwords. They offer a rare combination of security and convenience and address many shortcomings of traditional password-based authentication. The user experience with passkeys is fast, smooth, and convenient.

There has been an unprecedented level of cooperation and forward momentum in the industry in implementing passkeys. This doesn’t mean that passwords will disappear in the near future: They will likely remain an alternative method for signing into accounts for a while. 

But the shift to passwordless logins has already started.