Passkeys are the new standard authentication. Many now face the question about implications and how passkey logins can be offered. We gathered the most important information for you below.
Passkeys replace passwords and allow users to login with, e.g. Face ID or Touch ID, instead of coming up with and remembering complex passwords. They are a form of passwordless authentication.
Passkeys are a form of passwordless authentication that replaces traditional passwords, allowing users to securely and conveniently log into their accounts using biometric authentication (e.g. Face ID or Touch ID) or hardware tokens.
Passkeys are important because they provide a more secure and convenient way to log into your accounts. They eliminate the risk of a password-based IT attack.
Passkeys are supported by various companies, such as Microsoft, Google, Apple and can be used on popular websites like Google, eBay and Kayak. Here’s a more detailed overview.
Passkeys are considered the future of authentication, as they offer a more secure and user-friendly alternative to passwords. This is in line with the FIDO Alliance's goal of eliminating passwords altogether.
Using passkeys is a personal decision based on the user's security and convenience preferences. However, as more companies and platforms adopt passkey technology, it probably will become the standard method of authentication in the future.
Yes, passkeys are available now, and lots of companies are already implementing them.
Passkeys are based on FIDO2 / WebAuthn, a capability of operating systems that enables devices to store private keys and generate signatures with them to authenticate against a website or app. From a technical view, this might sound complicated, but for the end user this breaks down to using Face ID or fingerprints on websites and apps instead of passwords.
Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:
During registration the key pair is generated which is verified via the user’s biometrics (e.g. Face ID or Touch ID). The public key is sent to the server and linked to the website / app.
To login, the server sends a challenge to the user’s device. Biometrics are used to access the private key which is stored inside the user’s device. The challenge is signed with the private key and sent back to server which verifies the authentication request (so neither the private key nor the biometric data ever leaves the device).
Passkeys are a form of “disguised” two-factor authentication (2FA), as the device (first factor) and the user’s biometric verification (second factor) are needed.
To be usable in practice, passkeys can be shared between nearby devices (even from different platforms) by scanning a QR code and using Bluetooth between the two devices.
Moreover, passkeys are synced inside an ecosystem via an Apple iCloud Keychain, Google Password Manager or Microsoft account. Therefore, they are available on all devices using the same account which prevents the repeated creation of a passkey for each device.
Passkeys comprise a pair of keys, a private one and a public one. The public key is stored on the server of a website or app. The private key is bound to a device, e.g. a smartphone or computer, placed in its secure enclave / trusted platform module (TPM) and also syned to the user’s platform account (e.g. in iCloud Keychain or in Google Password Manger). Thus, passkeys are available on all user devices for sign in.
Integration and general usage
From a user perspective, they are easier to use since most users nowadays are used to access their devices via biometrics (e.g. Face ID or Touch ID). Nevertheless, in the beginning, users needs to be educated how passkeys work. Eventually, passkeys will help make signing up for new accounts easier, since users do not have to create complex passwords and try to remember them. It’s as easy as unlocking your smartphone.
FIDO authentication examples can be found on the FIDO Alliance website or in this demo.
On Apple devices, passkeys can be deleted by going to "Settings" > "Passwords" > selecting the passkey to delete > clicking "Delete password". On Windows devices, you can delete passkeys by going to "Settings" in Chrome > "Password Manager" > "Manage passkeys" > selecting the three-dot-menu of the passkey to delete > clicking "Delete". On Android go to Chrome’s “Settings” > “Passwords”> choose the app/website > click on the trash-icon. Here is a detailed guide.
To create a passkey, you first need to have a device that supports passkey authentication and have passkeys switched on in your security settings. You can then create passkeys on websites and apps that support them.
Passkey authentication is built into iOS 16+, allowing users to easily use passkeys to sign into apps and websites. To use passkeys, you have to have iCloud Sync activated ("Settings" > "Apple ID, iCloud, Media & Purchase“ > “iCloud”> “Passwords and Keychain” > “Sync this iPhone”). Additionally, you must activate Face ID ("Settings" > "Face ID & Passcode“ > "Set up Face ID“).
Windows 10/11 support passkey authentication with “Windows Hello”. To use passkeys on Windows 10/11, go to your "Settings" > “Accounts” > “Sign-Inoptions” > “Scroll to Windows Hello Face and select Set up” > “Get started”. Here is the detailed guide.
On Android devices, passkeys can be used if the device is synced through the Google Password Manager.
Yes, Firefox supports FIDO-based passkeys and WebAuthn.
FIDO-based authentication can be performed on mobile devices that support FIDO-certified authenticators, such as fingerprint sensors (e.g. Touch ID) or facial recognition (e.g. Face ID).
Cross-platform and cross-device
Apple, Google and Microsoft have all announced their full support for passkeys in their operating systems, devices and browsers. Find out more about the roadmap and adoption here.
Passkeys have cross-device and cross-platform capability. They can be shared across platforms and devices via QR codes and Bluetooth. To login from another device, you need to have one of your registered devices nearby. The website / app on your new device will generate a QR code which can be scanned by the user’s phone before verifying it with Face ID or fingerprint to complete the authentication process on the new device.
Passkeys are also backed up securely in the iCloud Keychain and Google Password Manager. If you attempt to log in to the same account on your e.g. Mac, iPhone, iPad and Apple TV – all you need is your Face ID or fingerprint to verify it’s you and access it.
Passkeys are not restricted to devices, browsers or operating systems from one company. Although they are anchored to one company's technology suite, users are able to e.g. bridge out of Apple's world to use passkeys with Microsoft's or Google's, e.g. "Users can sign in on a Google Chrome browser that's running on Microsoft Windows, using a passkey on an Apple device”.
Yes, passkeys stored e.g. on your phone can be used to log onto other nearby devices, like a laptop you're borrowing. The login screen on the borrowed device will have an option to let you scan a QR code with your phone. Bluetooth is used to ensure that the borrowed device and your phone are close by. On your phone you can use Face ID or a fingerprint for authentication.
Yes, passkeys can be shared with other people via AirDrop.
Simplified, passkeys work like a modern cloud-synced password manager (e.g., iCloud Keychain, LastPass or 1Password), just without the passwords.
WebAuthn is a web security protocol developed by the FIDO Alliance. Passkeys are a technology based on this protocol.
Biometrics are a used in passkey authentication to access the private key which is stored inside the user’s device.
FIDO2 is a standard for secure online authentication. Passkeys are an implementation of FIDO2 and is a more common term. Often, passkeys are also a called FIDO multi-device credentials.
A passkey is a way to log into an app or website and can use Touch ID or Face ID during authentication.
There are several alternatives to passwords that provide better security, such as passkeys, Single Sign-Ons (SSO) and Multi-Factor-Authentication (MFA). These methods are more secure because they are harder to circumvent than traditional passwords.
In general, passwords are difficult to use correctly, as they need to be complex, be changed frequently and every website should have a different password. For humans, it is just impossible to cope with these requirements and they tend to use simple and similar passwords for all their accounts.
Even strong passwords are not secure since attacks like phishing can fool people into giving up the most unique passwords.
Passwords also can be leaked if a database gets hacked. This is a serious problem for tech companies that promise to secure customer data.
Passkeys require hardware, such as cameras or fingerprint readers. Also, cross-device flows can be quite tricky (Corbado helps solving it smoothly, though).
Passkeys are far more secure than passwords, as no secret, like a password, is shared between the user and the service. This means that even if a company suffers a data breach, attackers will only see the public key (which is by definition not a secret), but will not have access to the private key.
Big advantage of passkeys is that cyber criminals can’t trick users into sharing a password through a phishing email or fake website since passkeys are linked to the original website / app they were set up for.
On new devices, passkeys are automatically available as they are encrypted, synchronized and backed up.
In case a device with passkeys is lost, a user can still access accounts as passkeys are synced in the respective ecosystem of Apple, Microsoft and Google.
Passkeys are a novel technology. Not many websites or apps have passkeys implemented so far and also a low number of developers have experience with passkeys.
For new developers in this area, it will take weeks or months to get into passkeys and a substantial workload to maintain passkey systems.
Corbado focuses on helping companies bring passkeys to their customers by offering intelligent user transition solutions, an easy integration into existing systems and dealing with cross-device / cross-platform issues.
We provide easy to use web components and APIs that handle the passkey magic for you and let you focus on your core features.
See also Why Corbado? to get more benefits of Corbado's solutions.
Subscribe to stay updated on passkeys.