What encryption standards are used in passkey-based auth?

Vincent Delitz

Created: January 31, 2025

Updated: January 31, 2025


What Encryption Standards Are Used in Passkey-Based Authentication?#

Passkey-based authentication relies on standardised public-key cryptography to deliver security, privacy and phishing resistance. A password is a shared secret that the user types and the server stores, so it can be phished, reused or leaked from a breached database. A passkey is an asymmetric key pair instead: the private key signs a per-login challenge and never has to be sent anywhere, and the server holds only the public key, from which neither the private key nor a valid signature can be derived.


1. FIDO2 and WebAuthn: The Foundation of Passkey Security#

Passkeys are built on the FIDO2 standard, which consists of two specifications:

  • WebAuthn (Web Authentication API, W3C) – Defines how a web application asks the browser to create a credential (registration) or sign a challenge (authentication), and the data structures the browser hands back to the server.
  • CTAP2 (Client to Authenticator Protocol 2, FIDO Alliance) – Defines how the client (browser or operating system) talks to an external authenticator such as a security key or a phone over USB, NFC or Bluetooth. Platform authenticators (Touch ID, Windows Hello, Android biometrics) are built into the device and are reached through the operating system instead.

Together they bind every credential to a relying-party identifier (the RP ID, normally the site's domain): the browser records the actual origin in the signed client data, the authenticator includes a hash of the RP ID in the signed authenticator data, and the server verifies both. A signature obtained on a lookalike domain therefore does not verify at the genuine site, and because every signature covers a fresh, server-chosen challenge it cannot be replayed.

2. Public-Key Cryptography in Passkeys#

Passkeys use asymmetric key pairs, one pair per user account and relying party:

  • The private key is held by the authenticator and is used only to sign challenges. For a device-bound passkey it never leaves the device's secure hardware; for a synced passkey (iCloud Keychain, Google Password Manager, third-party password managers) it is copied between the user's own devices only under end-to-end encryption. In neither case does the relying party ever see it.
  • The public key is sent to the service (the relying party) once, at registration, and stored with the user account to verify every later authentication.

At login the relying party sends a random challenge, the authenticator signs it together with the RP ID hash and the origin-bearing client data, and the relying party checks the signature with the stored public key.

3. Cryptographic Algorithms Used in Passkeys#

Passkeys do not encrypt anything in transit; the cryptographic work is digital signatures plus hashing. WebAuthn identifies algorithms by their COSE identifiers, which the relying party lists in pubKeyCredParams at registration and the authenticator chooses from:

| Algorithm | COSE id | Role in passkeys | Typical parameters |
|---|---|---|---|
| ES256 (ECDSA on P-256 with SHA-256) | -7 | Signing challenges; the default that every FIDO2 authenticator supports and that relying parties should always accept | 256-bit curve, roughly 128-bit security |
| RS256 (RSASSA-PKCS1-v1_5 with SHA-256) | -257 | Signing; mainly TPM-backed credentials such as Windows Hello | 2048-bit (or larger) modulus |
| EdDSA (Ed25519) | -8 | Signing; simpler and faster, offered by newer authenticators | 255-bit curve (Ed448 is registered in COSE but rarely used) |
| SHA-256 | n/a | Hashing the RP ID and clientDataJSON, and the digest inside ES256 and RS256 | 256-bit output |
| AES | n/a | Not part of the WebAuthn protocol; used by authenticators and platforms to wrap private keys at rest and by sync services for end-to-end encryption | 128- or 256-bit key |

None of these algorithms is quantum-resistant: a sufficiently large quantum computer running Shor's algorithm would recover the private key from the public key for RSA, ECDSA and EdDSA alike. Post-quantum signature schemes have not been standardised for WebAuthn and are not shipped by mainstream authenticators, so "quantum-safe passkeys" is a future property, not a current one. What the current algorithms do provide is resistance to classical brute force: at the 128-bit security level of P-256 or Ed25519, recovering a private key or forging a signature is computationally out of reach.


4. Secure Key Storage: TPMs and Secure Enclaves#

To prevent theft or tampering, the private key is generated inside, and kept by, hardware-isolated key storage, such as:

  • TPM (Trusted Platform Module) – A discrete or firmware security chip in PCs; Windows Hello keeps passkey private keys in it.
  • Secure Enclave (Apple) and the TEE or StrongBox hardware (Android) – Isolated processors that perform the signing operation themselves, so the main operating system only ever handles the resulting signature.
  • Roaming security keys (FIDO2 hardware tokens) – Dedicated devices that hold keys in a secure element and talk to the client over CTAP2.
  • HSM (Hardware Security Module) – Used on the server side of enterprise deployments to protect the relying party's own keys; the user's passkey itself stays on the user's authenticator.

Because signing happens inside the secure hardware and only a signature comes out, a remote attacker cannot extract the private key, and malware on the device cannot copy it for use elsewhere; at most it can try to trigger a signing prompt, which still requires the user's biometric or PIN. A relying party that needs assurance of this property can request attestation at registration and check the authenticator's AAGUID and attestation certificate against the FIDO Metadata Service.

5. Why Passkey Cryptography Is More Secure Than Passwords#

Unlike passwords, which are vulnerable to phishing, credential stuffing and database leaks, passkeys:

  • Cannot be phished – The private key is never typed or transmitted, and the signature is bound to the real origin and RP ID, so a lookalike site cannot obtain anything that verifies at the genuine one.
  • Resist brute force – Knowing the public key does not help: recovering the private key or forging a signature for a 256-bit curve is computationally infeasible, and there is no password hash to crack offline.
  • Eliminate credential reuse – Each passkey is generated for exactly one relying party, so a breach at one service yields nothing usable at another, and credential stuffing does not apply.

Conclusion#

Passkey-based authentication employs standardised public-key cryptography (ES256/ECDSA, RS256/RSA, EdDSA), hardware-backed key storage (TPMs, Secure Enclaves, security keys) and the FIDO2 protocols (WebAuthn and CTAP2). The result is strong, phishing-resistant authentication with no shared secret for an attacker to steal, while the user experience stays as simple as a biometric prompt.
