A passkey is a new way to sign in that works entirely without passwords. Instead of a shared secret, a passkey uses public-key cryptography: a unique key pair replaces the traditional password.
- The secret half of that key pair is generated on your device and is never stored on any server.
- By using the security capabilities of your devices, such as Touch ID and Face ID, passkeys are far more secure and easier to use than both passwords and all current 2-factor authentication (2FA) methods.
Passkeys vs Traditional 2FA Methods
Passkeys are more secure than traditional 2FA methods: they remove passwords (and with them the attacks that target passwords), they are phishing-resistant because each passkey is bound to the website it was created for, and they provide two factors by design.
Passkeys: Technical Details
In technical terms, a passkey is a Discoverable WebAuthn Credential.
Discoverable means the credential contains information about the user (e.g. a user id) and, therefore, enables an authentication flow that does not require entering a username (or any other information). The user can just click on the “Sign in with a passkey” button and present a passkey to sign in.
WebAuthn is – for the most part – a JavaScript browser API that enables websites to create and use WebAuthn credentials. The WebAuthn API gives websites access to built-in client authenticator technology of the browsers and / or operating systems (e.g. Windows Hello) as well as physical security keys.
Credentials in the WebAuthn context are cryptographic private keys (i.e. the actual secrets that make passkeys so secure). For each private key there exists a matching public key that resides on the server and will be used to check signatures created with the private key. Both keys together are called a key pair. Each passkey is unique and bound to a username and a website or app, meaning a user will have at least as many passkeys as they have accounts, likely even more because there can be multiple passkeys per account (e.g. one passkey on an iPhone and one on a Windows PC, both for the same website and user).
Read more about how passkeys work under the hood here.
Tip: Set up a passkey on devices with different operating systems, such as a Windows laptop, a Mac, or an Android phone. If you store your passkey in Chrome, in Cloud/Microsoft/Google Cloud, or in a password manager, you can use it from any device connected to that account.