Passkeys are a form of passwordless authentication that replaces traditional passwords, allowing users to securely and conveniently log into their accounts using the screen-lock mechanism of their device, typically biometrics (e.g. Face ID or Touch ID) or, as a fallback, the device PIN.
Passkeys are important because they provide a more secure and convenient way to log into your accounts. They eliminate the classic password-based attacks: phishing, credential stuffing, password reuse and leaked password databases.
Passkeys are considered the new standard of authentication, as they offer a more secure and user-friendly alternative to passwords. This is in line with the FIDO Alliance's goal of eliminating passwords altogether. So you can expect more and more websites to support passkeys.
Using passkeys is a personal decision based on the user's security and convenience preferences. However, as more companies and platforms adopt passkeys, it will become the standard method of authentication in the future and passwords will be phased out.
A security key is a physical device (hardware), typically the size of a USB stick, that verifies your identity in order to access specific resources on a network. These keys can be connected to your devices like computers and laptops via USB, Bluetooth, or NFC. Read more about security keys here.
YubiKeys and passkeys have some similarities and differences. They are alike because YubiKeys have been able to store FIDO2 discoverable credentials (what is now called a passkey) since the release of the YubiKey 5 Series in 2018.
The key difference between the two lies in how the credentials are handled: Platform-created passkeys are synced by default using the credentials of the associated cloud account (and potentially an additional password manager sync passphrase), whereas the credentials on a YubiKey are device-bound: the private key is generated and kept in the key's hardware and cannot be exported, copied or synced.
Passkeys are based on FIDO2 / WebAuthn, a set of standards (the W3C WebAuthn API and the FIDO CTAP protocol) implemented by browsers, operating systems and authenticators, which lets a device hold private keys and produce signatures with them to authenticate against a website or app. From a technical view, this might sound complicated, but for the end user this breaks down to using Face ID or fingerprints on websites and apps instead of passwords.
Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:
During registration the key pair is generated by the authenticator after the user has been verified via biometrics (e.g. Face ID or Touch ID) or the device PIN. The public key is sent to the server and linked to the user's account for that website / app (the relying party); the private key never leaves the device.
To log in, the server sends a random, single-use challenge to the user's device. Biometrics (or the PIN) are used to unlock the private key which is stored inside the user's device. The device signs the challenge together with the origin of the website the browser is actually on and sends the signature back to the server, which verifies it against the stored public key (so neither the private key nor the biometric data ever leaves the device).
Passkeys are a form of "disguised" two-factor authentication (2FA), as the device holding the private key (something you have) and the user's biometric or PIN verification (something you are / know) are both needed.
To be usable in practice, a passkey stored on one device can be used to sign in on a nearby device (even from a different platform) by scanning a QR code, with Bluetooth used to confirm that the two devices are physically close. The passkey itself stays on the original device; only the signed response is handed over.
Moreover, passkeys are synced inside an ecosystem via an Apple iCloud Keychain, Google Password Manager or Microsoft account. Therefore, they are available on all devices using the same account which prevents the repeated creation of a passkey for each device.
Learn more about passkeys.
Passkeys comprise a pair of keys, a private one and a public one. The public key is stored on the server of the Relying Party, for example a website or app. The private key is stored on a device, e.g. a smartphone or computer, protected by its secure hardware (Secure Enclave / Trusted Platform Module, TPM) and, for platform passkeys, also synced end-to-end encrypted via the user's platform account (e.g. iCloud Keychain or Google Password Manager). Thus, passkeys are available on all of the user's devices for sign in.
Integration and general usage
From a user perspective, they are easier to use than passwords since most users nowadays are used to accessing their devices via biometrics (e.g. Face ID or Touch ID). Nevertheless, at the beginning of a roll-out, users need to be educated on how passkeys work. Eventually, passkeys will make signing up for new accounts easier, since users do not have to create complex passwords and try to remember them. It is as easy as unlocking your smartphone.
On Apple devices, passkeys can be deleted by going to "Settings" > "Passwords" > selecting the passkey to delete > tapping "Delete". On Windows devices, you can delete passkeys by going to "Settings" in Chrome > "Password Manager" > "Manage passkeys" > selecting the three-dot menu of the passkey to delete > clicking "Delete". On Android go to Chrome's "Settings" > "Passwords" > choose the app/website > tap the trash icon. Note that deleting the passkey on the device does not remove the public key registered at the website; remove the credential in the account settings of that website too. Here is a detailed guide.
To create a passkey, you first need to have a device that supports passkey authentication and have passkeys switched on in your security settings. You can then create passkeys on websites and apps that support them.
Passkey authentication is built into iOS 16+, allowing users to easily use passkeys to sign into apps and websites. To use passkeys, you have to have iCloud Keychain sync activated ("Settings" > "Apple ID, iCloud, Media & Purchases" > "iCloud" > "Passwords and Keychain" > "Sync this iPhone"). Additionally, the device needs a passcode; setting up Face ID or Touch ID ("Settings" > "Face ID & Passcode" > "Set up Face ID") lets you approve passkey sign-ins with biometrics instead of typing the passcode.
On Android devices, passkeys can be used if the device is synced through the Google Password Manager.
Yes, Firefox supports FIDO-based passkeys and WebAuthn.
FIDO-based authentication can be performed on mobile devices with a FIDO-certified platform authenticator, where the user is verified by the device's fingerprint sensor (e.g. Touch ID), facial recognition (e.g. Face ID) or the device PIN.
Cross-platform and cross-device
Apple, Google and Microsoft have all announced their full support for passkeys in their operating systems, devices and browsers. Find out more about the roadmap and adoption here.
Passkeys have cross-device and cross-platform capability. They can be used across platforms and devices via QR codes and Bluetooth. To log in from another device, you need to have one of your registered devices nearby. The website / app on the new device shows a QR code which the user scans with their phone; after verifying with Face ID or fingerprint on the phone, the phone signs the challenge and the authentication completes on the new device.
Passkeys are also backed up securely in the iCloud Keychain and Google Password Manager. If you attempt to log in to the same account on your e.g. Mac, iPhone, iPad and Apple TV – all you need is your Face ID or fingerprint to verify it’s you and access it.
Passkeys are not restricted to devices, browsers or operating systems from one company. Although a synced passkey is anchored to one company's technology suite, users are able to bridge out of Apple's world to use passkeys with Microsoft's or Google's, e.g. "Users can sign in on a Google Chrome browser that's running on Microsoft Windows, using a passkey on an Apple device".
Yes, passkeys stored e.g. on your phone can be used to log in to other nearby devices, like a laptop you're borrowing. The login screen on the borrowed device will have an option to let you scan a QR code with your phone. Bluetooth is used to ensure that the borrowed device and your phone are close by. On your phone you can use Face ID or a fingerprint for authentication.
Yes, on Apple devices passkeys can be shared with other people via AirDrop. Sharing a passkey gives the recipient full access to the account, so treat it like handing over the password.
To sync your platform authenticator on Apple devices, you need to enable syncing. On an iPhone, this can be done by switching on "Syncing Platform Authenticator" found in "Settings" > "Developer". On Mac, follow these steps: open Safari > go to "Preferences" > click the "Advanced" tab > select "Show Develop menu in menu bar". Once the Develop menu is visible, you can enable the "Develop > Enable Syncing Platform Authenticator" option in Safari. This developer toggle was only needed for the iOS 15 / macOS Monterey technology preview; from iOS 16 / macOS Ventura passkeys sync through iCloud Keychain without it.
"Pairing" with a passkey is a method of using a passkey stored on one device (e.g. your phone) to sign in on another device. This process relies on two mechanisms: (1) The first device displays a QR code, which is then scanned by the second device. (2) To make sure that the QR code cannot simply be forwarded to a victim by a remote attacker, a Bluetooth proximity check is performed between the two devices to confirm that they are physically close. The passkey itself is not copied; the phone signs the challenge and only the signed response is passed to the first device.
Simplified, passkeys work like a modern cloud-synced password manager (e.g., iCloud Keychain, LastPass or 1Password), just without the passwords.
Biometrics are used in passkey authentication to unlock the private key which is stored inside the user's device.
A passkey is a way to log into an app or website and can use Touch ID or Face ID during authentication.
In general, passwords are difficult to use correctly: users are told to make them complex, to change them and to use a different one for every website. For humans, it is just impossible to cope with these requirements, and people tend to use simple and similar passwords for all their accounts.
Even strong passwords are not secure, since attacks like phishing can fool people into giving up the most unique passwords.
Passwords can also be leaked if a service's database is breached. This is a serious problem for tech companies that promise to secure customer data.
Passkeys require a device with a platform authenticator (secure hardware plus a screen lock; biometrics such as a camera or fingerprint reader make this convenient) or a hardware security key. Also, cross-device flows can be quite tricky (Corbado helps solving it smoothly, though).
Passkeys are far more secure than passwords, as no secret, like a password, is shared between the user and the service. This means that even if a company suffers a data breach, attackers will only see the public key (which is by definition not a secret), but will not have access to the private key.
A big advantage of passkeys is that cyber criminals can't trick users into sharing a password through a phishing email or fake website: a passkey is bound to the domain it was set up for, the browser only offers it on that domain, and the signed response includes the origin the browser actually saw, so a lookalike site receives nothing it can use.
On new devices within the same ecosystem, passkeys are automatically available as they are encrypted, synchronized and backed up.
In case a device with passkeys is lost, a user can still access accounts as passkeys are synced in the respective ecosystem of Apple, Microsoft or Google. Device-bound passkeys on a hardware security key are the exception: register a second key or another method as a backup.
Not many websites or apps have passkeys implemented so far and also a low number of developers have experience with passkeys.
For developers new to this area, it will take weeks or months to get into passkeys, and maintaining a passkey system is a substantial ongoing workload.
Corbado focuses on helping software companies bring passkeys to their users by offering intelligent user transition solutions, an easy integration into existing systems and dealing with cross-device / cross-platform issues.
We provide easy to use web components and APIs that handle the passkey magic for you and let you focus on your core features.
See also Why Corbado? to get more benefits of Corbado's solutions.