What Is a Passkey?
A passkey is an authentication mechanism that uses a possession factor instead of a knowledge factor as the primary authentication credential.
Passkeys are based on FIDO2 (Fast Identity Online 2), an authentication scheme that uses cryptographic keys instead of strong passwords. The keys are created by a FIDO2-compatible device (such as a smartphone, tablet, or desktop computer) and are unique to each passkey-enabled website or app.
Some passkeys are protected by two-factor authentication (2FA) and require a PIN or biometric authentication factor for subsequent sign-ins. In such cases, the end user may not even realize their device is using a passkey as its first authentication factor.
Tier-1 tech vendors like Apple, Microsoft, and Google are promoting passkeys as an easy and effective way to prevent phishing and other types of credential theft.
If widely adopted for multi-factor authentication (MFA), passkeys are also expected to eliminate the need for password managers.
How Do Passkeys Work?
A passkey uses public-key cryptography to create a secure and private connection between an end user’s computing device and a compatible website or app.
Public-key cryptography uses a public key to encrypt data and a private key to decrypt data. The public key is shared, and the private key is not.
When an end user initially signs into a website or app that supports passkey authentication, their device generates a unique public and private key pair and sends the public key to the website or app’s server. The private key remains on the user’s device.
The next time the user signs in, the website or app sends a challenge to the user’s device. A challenge is a random string of data that is encrypted with the user’s public key.
The user’s device uses its private key to decrypt the challenge and then sends the decrypted string back to the website or app. If the decrypted challenge matches the original challenge sent by the website or app, the user is automatically logged in.
On the backend, FIDO2 passkeys use the Web Authentication (WebAuthn) standard, a set of application programming interfaces (APIs) that supports passwordless authentication.
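The registration and challenge-response exchange described above, as an added example written in Go with only the standard library (it is not code from WebAuthn, FIDO2 or any vendor's passkey implementation): the device is the sole holder of one private key per site, and the server stores nothing but public keys and a fresh random challenge per sign-in. It follows what WebAuthn actually does, which is to have the device sign the challenge with its private key and the server verify that signature with the stored public key, rather than decrypting an encrypted challenge; the rpID strings and the way the challenge is bound to the rpID are constructed simplifications of the standard's signed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device: one private key per relying party ID (rpID).
type Authenticator map[string]*ecdsa.PrivateKey
// Register creates a key pair for rpID on the device and returns only the public key, which is all the server stores.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing OS CSPRNG is not recoverable in this example
	}
	a[rpID] = priv // the private key stays on the device
	return &priv.PublicKey
}

// NewChallenge is the server side: 32 fresh random bytes for every sign-in attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedData binds the challenge to the rpID, so a signature made for one site is useless to any other.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign uses the key for the rpID the browser reports; a look-alike phishing origin has a different rpID, so no key exists and nil is returned.
func (a Authenticator) Sign(rpID string, challenge []byte) []byte {
	priv := a[rpID]
	if priv == nil {
		return nil
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge)) // nil on error
	return sig
}

// Verify is the server side: the signature must check out under the stored public key for the server's own rpID.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
```

A breach of the server's store yields only the `*ecdsa.PublicKey` values, and a challenge issued for one sign-in never verifies a signature made over an earlier one.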
Advantages of Passkeys
Passkeys are more convenient than passwords because users do not have to create them, remember them, or update them.
They are also more secure than passwords because the private keys are stored locally in an isolated part of the originating device’s operating system that can only be accessed by the device’s processor.
If a compatible website or app server is compromised, only the passkey’s public keys will be exposed.
Because a classical computer cannot derive a private key from its public key within any practical amount of time, user authentication remains secure even if the server that stores the public key suffers a major data breach.
Passkeys are often promoted as the best way to discourage spear phishing and whaling attacks because, unlike passwords, they can’t be shared with third parties. Some implementations of passkeys do provide end users with the option of syncing private keys on all their devices, however.
If someone wants to sign in on a new device for the first time or temporarily use someone else’s device to sign into their Google account, for example, they can select the option to “use a passkey from another device” and follow the prompts to either approve a one-time login or store the private key locally on the new device.
Disadvantages of Passkeys
Passkeys are still a relatively new technology, and not all websites and apps support them or implement them the same way.
The biggest issue is that if an end user’s device is lost or stolen, anyone who can unlock the device can use the passkeys that don’t require an additional authentication factor.
In such a scenario, the end user would need to know which keys to revoke manually, or they would need to re-register and create new passkeys for all the compatible websites and apps they use.