--- url: 'https://www.corbado.com/faq/encryption-standards-passkey-auth' title: 'What encryption standards are used in passkey-based auth?' description: 'authentication uses FIDO2, WebAuthn, and strong public-key cryptography with RSA, ECDSA, and secure enclaves for maximum security.' lang: 'en' --- # What encryption standards are used in passkey-based auth? ## What Encryption Standards Are Used in Passkey-Based Authentication? Passkey-based authentication **relies on strong cryptographic standards** to ensure security, privacy, and [phishing](https://www.corbado.com/glossary/phishing) resistance. Unlike traditional authentication methods that use passwords, passkeys employ **public-key cryptography**, which prevents credential theft and brute-force attacks. ### 1. FIDO2 and WebAuthn: The Foundation of Passkey Security Passkeys are built on the **FIDO2 standard**, which includes: - **WebAuthn (Web Authentication API)** – Defines how browsers and applications authenticate users with passkeys. - **CTAP2 (Client to Authenticator Protocol 2)** – Manages secure communication between devices and [authenticators](https://www.corbado.com/glossary/authenticator) (e.g., biometric sensors, security keys). These protocols ensure that **passkeys are cryptographically bound to a user’s device** and cannot be intercepted, replayed, or phished. ### 2. Public-Key Cryptography in Passkeys Passkeys use **asymmetric cryptographic key pairs**, where: - The **private key** is securely stored on the user’s device and never leaves it. - The **public key** is shared with the service ([relying party](https://www.corbado.com/glossary/relying-party)) to verify authentication attempts. ### 3. Encryption Algorithms Used in Passkeys Passkey implementations support multiple **cryptographic algorithms**, ensuring **security and performance**: | Algorithm | Purpose | Strength | | ------------------------------------------------------ | ----------------------- | ------------------------- | | **RSA (Rivest-Shamir-Adleman)** | Public-key cryptography | 2048-bit (or higher) | | **ECDSA (Elliptic Curve Digital Signature Algorithm)** | Digital signatures | 256-bit curve | | **EdDSA (Edwards-Curve Digital Signature Algorithm)** | Faster authentication | 255-bit or 448-bit curves | | **SHA-256 (Secure Hash Algorithm 256-bit)** | Hashing and signing | 256-bit hash | | **AES (Advanced Encryption Standard)** | Secure storage | 128-bit or 256-bit | These encryption methods make **passkeys resistant to brute-force attacks** and **quantum computing threats** (when using post-quantum cryptography enhancements). ### 4. Secure Key Storage: TPMs and Secure Enclaves To prevent theft or tampering, passkeys are stored in **hardware-backed security modules**, such as: - **TPM (Trusted Platform Module)** – A secure chip embedded in devices. - **Secure Enclaves (Apple, Android, Windows Hello)** – Isolated storage that protects cryptographic keys. - **HSM (Hardware Security Modules)** – Used in enterprise-grade authentication solutions. Because the **private key never leaves the secure enclave**, attackers **cannot extract or steal** passkeys remotely. ### 5. Why Passkey Cryptography Is More Secure Than Passwords Unlike traditional passwords, which are vulnerable to **phishing, credential stuffing, and database leaks**, passkeys: - **Cannot be phished** – The private key is never entered or exposed. - **Are resistant to brute-force attacks** – Even if a public key is known, decryption is infeasible. - **Eliminate credential reuse risks** – Passkeys are unique per service, preventing [credential stuffing](https://www.corbado.com/glossary/credential-stuffing). ## Conclusion Passkey-based authentication employs **state-of-the-art encryption standards**, including **public-key cryptography (RSA, ECDSA, EdDSA), secure storage (TPMs, Secure Enclaves), and FIDO2/WebAuthn protocols**. This ensures **strong, phishing-resistant authentication** while maintaining a seamless user experience. ## Read the full article