Why did Paxos invest in Passkeys?

Last updated: March 30, 2026

Passkeys are a passwordless authentication method based on public-key cryptography, designed to be more secure and efficient than traditional passwords.

When you create a passkey, a unique key pair is generated: a public key stored on the service and a private key securely stored on your device (e.g., phone, hardware key, or secure enclave).

Authentication requires proving possession of the private key, often via biometrics or device PIN, without ever transmitting it.

Passkeys are more secure because:

  • For passwords to work, account servers must store them – or at least their hashes – so they can compare the stored data with the password the user enters. As described above, passkey technology doesn’t require account servers to store users’ private keys, only their public keys. If the account server is breached, threat actors will obtain only public keys, which are useless without the accompanying private keys.
  • Most people have poor password hygiene. They use passwords that are too short, or contain dictionary words, or biographical information that’s easy to guess. They reuse passwords across multiple sites. And instead of using a password manager, they store their passwords on sticky notes or in unencrypted text files. Passkeys, on the other hand, are generated by the user’s authenticator, so they’re always highly complex and unique to every user and every account, every time.
  • Many people also don’t secure their accounts with two-factor authentication (2FA). Passkeys depend on 2FA by design; to use a passkey, an end user must have their authenticator close by, satisfying the criteria of something you are (the biometric) and something you have (the authenticator).
  • Unlike passwords, passkeys can’t be compromised in phishing schemes: each passkey is tied to a specific website or application, so it’s impossible to trick a user into entering one on a phony lookalike site.

Because of these advantages, passkeys significantly reduce account takeover risks and improve the user experience.

Further reading: