Passkeys FAQ
Passkeys are the new standard authentication. Many developers now face the question about implications and how passkey logins can be offered. We gathered the most important information for you below.
General
Passkeys replace passwords and allow users to login with, e.g. Face ID or Touch ID, instead of coming up with and remembering complex passwords. They are a form of passwordless authentication.
Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:
Registration
During registration the key pair is generated which is verified via the user’s biometrics (e.g. Face ID or Touch ID). The public key is sent to the server and linked to the website / app.Login
To login, the server sends a challenge to the user’s device. Biometrics are used to access the private key which is stored inside the user’s device. The challenge is signed with the private key and sent back to server which verifies the authentication request (so neither the private key nor the biometric data ever leaves the device).
Passkeys are a form of “disguised” two-factor authentication (2FA), as the device (first factor) and the user’s biometric verification (second factor) are needed.
To be usable in practice, passkeys can be shared between nearby devices (even from different platforms) by scanning a QR code and using Bluetooth between the two devices.
Moreover, passkeys are synced inside an ecosystem via an Apple iCloud, Google or Microsoft account. Therefore, they are available on all devices using the same account which prevents the repeated creation of a passkey for each device.
Cross-platform and cross-device
Apple, Google and Microsoft have all announced their full support for passkeys in their operating systems, devices and browsers. Find out more about the roadmap and adoption here.
Passkeys have cross-device and cross-platform capability. They can be shared across platforms and devices via QR codes and Bluetooth. To login from another device, you need to have one of your registered devices nearby. The website / app on your new device will generate a QR code which can be scanned by the user’s phone before verifying it with Face ID or fingerprint to complete the authentication process on the new device.
Passkeys are also backed up securely in the iCloud Keychain and Google account. If you attempt to log in to the same account on your e.g. Mac, iPhone, iPad and Apple TV – all you need is your Face ID or fingerprint to verify it’s you and access it.
Passkeys are not restricted to devices, browsers or operating systems from one company. Although they are anchored to one company's technology suite, users are able to bridge out of Apple's world to use passkeys with Microsoft's or Google's, e.g. "Users can sign in on a Google Chrome browser that's running on Microsoft Windows, using a passkey on an Apple device”.
Yes, passkeys stored on your phone can be used to log onto other nearby devices, like a laptop you're borrowing. The login screen on the borrowed device will have an option to let you scan a QR code with your phone. Bluetooth is used to ensure that the borrowed device and your phone are close by. On your phone you can use Face ID or a fingerprint for authentication.
Yes, passkeys can be shared with other people via Airdrop.
Security
Passkeys are far more secure than passwords as no secret, like a password, is shared between the user and the service. This means that even if a company suffers a data breach, attackers will only see the public key (which is by definition not a secret), but will not have access to the private key.
Big advantage of passkeys is that cyber criminals can’t trick users into sharing a password through a phishing email or fake website since passkeys are linked to the original website / app they were set up for.
On new devices, passkeys are automatically available as they are encrypted, synchronized and backed up.
Passkeys comprise a pair of keys, a private one and a public one. The public key is stored on the server of a website or app. The private key is bound to a device, e.g. a smartphone or computer, placed in its secure enclave / trusted platform module (TPM) and also stored to the user’s platform account (e.g. in iCloud Keychain or in Google account). Thus, passkeys are available on all user devices for sign in.
From a user perspective, they are easier to use since most users nowadays are used to access their devices via biometrics (e.g. Face ID or fingerprint). Nevertheless, in the beginning, users needs to be educated how the passkeys work. Eventually, passkeys will help make signing up for new accounts easier, because users do not have to create complex passwords and try to remember them. It’s as easy as unlocking your smartphone.
In case a device with passkeys is lost, a user can still access accounts as passkeys are synced in the respective ecosystem of Apple, Microsoft and Google.
Customer experience
Simplified, passkeys work like a modern cloud-synced password manager (e.g., iCloud Keychain, LastPass or 1Password), just without the passwords.
In general, passwords are difficult to use correctly, as they need to be complex, be changed frequently and every platform should have a different password. For humans it is just impossible to cope with these requirements and they tend to use simple and similar passwords for all their accounts.
Even strong passwords are not secure since attacks like phishing can fool people into giving up the most unique passwords.
Passwords also can be leaked if an entire unencrypted database gets hacked. This is a serious problem for tech companies that promise to secure customer data.
Other
Passkeys are based on FIDO2 / WebAuthn, a capability of operating systems that enables devices to store private keys and generate signatures with them to authenticate against a website or app. From a technical view this might sound complicated, but for the end user this breaks down to using Face ID, fingerprints, or other biometrics on websites and apps instead of passwords.
Passkeys are a novel technology. Not many websites or apps have passkeys implemented so far and also a low number of developers have experience with passkeys.
For new developers in this area, it will take weeks or months to get into passkeys and a substantial workload to maintain passkey systems.
Corbado focuses on helping companies bring passkeys to their customers by offering intelligent user transition solutions, an easy integration into existing systems and dealing with cross-device / cross-platform issues.
We provide easy to use web components and APIs that handle the passkey magic for you and let you focus on your core features.
See also Why Corbado? to get more benefits of Corbado's solutions.
Subscribe to stay updated on passkeys.
Transition guidance
Release announcements
Passkeys know-how