What Is a Passkey? Definition, Types and Implementation.
Explore passkeys, the digital credentials that are used as an authentication method for a website or application in WebAuthn.
What Is a Passkey?#
A passkey is a digital credential that is used as an authentication method for a website or application. Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:
- Registration During registration the key pair is generated which is verified via the user’s biometrics (e.g. Face ID or Touch ID). The public key is sent to the server and linked to the website / app. The private key is stored safely on your device and referred to as a passkey.
- Login To login, the server sends a challenge to the user’s device. Biometrics are used to access the private key which is stored inside the user’s device. The challenge is signed with the private key and sent back to server which verifies the authentication request (so neither the private key nor the biometric data ever leaves the device).
Passkeys are a form of “disguised” two-factor authentication (2FA), as the device (first factor) and the user’s biometric verification (second factor) are needed. To be usable in practice, passkeys can be shared between nearby devices (even from different platforms) by scanning a QR code and using Bluetooth between the two devices.
Key Takeaways#
- A passkey is a digital credential used for user authentication on websites or applications, eliminating the need for passwords.
- Passkeys replace passwords and allow users to login with only their biometrics.
- They are a secure and convenient form of passwordless authentication.
- Technical Backbone: Passkeys are rooted in FIDO2 / WebAuthn technology, enabling devices to store private keys and generate signatures for authentication against a website or app.
- Cross-platform Functionality: They can be shared between nearby devices across different platforms using QR codes and Bluetooth, facilitating easy logins even on borrowed devices.
- Big Tech Adoption: Major tech giants like Apple, Google, and Microsoft back passkeys, with implementation on popular platforms like PayPal, eBay, and Kayak.
- High Security: Unlike passwords, passkeys are safeguarded against common threats like phishing and data breaches, owing to the local storage of private keys and the cryptographic challenge-response protocol they employ.
Passkey FAQs#
How Do Passkeys Enhance Security?#
- Passkeys significantly boost security by employing a two-factor authentication involving a device and biometric verification. Additionally, the cryptographic protocol ensures that critical data like the private key and biometric details never leave the device.
- Moreover passkeys are bound to the domain (Relying Party ID) they were created for, which prevents phishing
Passkeys vs. WebAuthn? What is the Difference?#
- While WebAuthn lays down the protocol for utilizing private keys for authentication, passkeys are a specific implementation of this protocol, tailored for easy user interaction and broad application, especially among non-technical users.
Where can I use Passkeys?#
- Passkeys are adopted by various big tech companies and are applicable on platforms like PayPal, eBay, and Kayak. Their implementation is set to expand as more organizations recognize the security and convenience benefits.
Can Passkeys Be Used on Other People’s Devices?#
- Yes, passkeys can be utilized on other nearby devices by scanning a QR code, allowing for a seamless login experience even on borrowed devices.
How Do Passkeys Compare to Traditional Passwords?#
- Passkeys outshine traditional passwords by offering enhanced security through cryptographic protocols and ease of use through biometric authentication, thus mitigating common issues associated with password-based systems.
Are Passkeys Considered the Future of Authentication?#
- Given their robust security framework and ease of use, Passkeys are indeed seen as a the new standard in digital authentication, aligning with the FIDO Alliance's vision of passwordless authentication.
What Are Some Potential Drawbacks of Using Passkeys for Authentication?#
- Requiring hardware like cameras or fingerprint readers, and the complexity of cross-device flows are some challenges. However, managed passkey solutions (e.g. Corbado) are addressing these hurdles to ensure a smooth user experience.
Are my Passkeys safe?#
- Yes. The private key of a passkey is saved locally on your device and is never used or stored by online services in the registration / login process. Within your device, they can only be accessed with your biometrics or your PIN, so only you can access them.
About Corbado
Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →
Share this article
Table of Contents
Related Articles
