Passkeys FAQ

Passkeys are the new standard for authentication. Many people have questions about their implications and how passkey logins can be offered. We have gathered the most important information for you below.

You can also look up specific keywords and learn more about the terminology in our glossary.

General

What are passkeys?

Passkeys replace passwords and allow users to log in with, e.g., Face ID or Touch ID instead of coming up with and remembering complex passwords. They are a form of passwordless authentication.
Learn more about passkeys.

How are passkeys different from traditional passwords?

Passkeys are a form of passwordless authentication that replaces traditional passwords, allowing users to securely and conveniently log into their accounts using biometric authentication (e.g. Face ID or Touch ID).

Why are passkeys important?

Passkeys are important because they provide a more secure and convenient way to log into your accounts. They eliminate the risk of a password-based IT attack.

What companies and services support passkeys?

Passkeys are backed by big tech companies such as Microsoft, Google and Apple, which have added passkey support to their devices, operating systems and browsers. Passkeys can be used on popular websites like Google, eBay and KAYAK. Here's a more detailed overview.

Are passkeys the future?

Passkeys are considered the new standard of authentication, as they offer a more secure and user-friendly alternative to passwords. This is in line with the FIDO Alliance's goal of eliminating passwords altogether. So you can expect more and more websites to support passkeys.

Should I use passkeys?

Using passkeys is a personal decision based on the user's security and convenience preferences. However, as more companies and platforms adopt passkeys, they will become the standard method of authentication in the future and passwords will be phased out.

Are passkeys available now and can I use them already?

Yes, passkeys are available now, and lots of companies are already implementing them. Here's a detailed overview.

What are security keys?

A security key is a physical device (hardware), such as a USB drive, that verifies your identity in order to access specific resources on a network. These keys can be connected to your devices like computers and laptops via USB, Bluetooth, or NFC. Read more about security keys here.

What is the difference between a YubiKey and a passkey?

YubiKeys and passkeys have some similarities and differences. They are alike because YubiKeys have had the capacity to generate FIDO2-enabled passkeys since the release of the YubiKey 5 Series in mid-2018.
The key difference between the two lies in their handling of credentials: Platform-created passkeys are synced by default using the credentials of the associated cloud account (and potentially an additional password manager sync passphrase), whereas the credentials in YubiKeys are tied to the physical hardware of the YubiKey, rendering them non-replicable.

What is FIDO2 / WebAuthn?

Passkeys are based on FIDO2 / WebAuthn, a capability of operating systems that enables devices to store private keys and generate signatures with them to authenticate against a website or app. From a technical view, this might sound complicated, but for the end user this boils down to using Face ID or fingerprints on websites and apps instead of passwords.

Functionality

How do passkeys work?

Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:

  • Registration
    During registration, the key pair is generated by the authenticator, which is verified via the user’s biometrics (e.g. Face ID or Touch ID). The public key is sent to the server and linked to the website / app.

  • Login
    To log in, the server sends a challenge to the user’s device. Biometrics are used to access the private key, which is stored inside the user’s device. The challenge is signed with the private key and sent back to the server, which verifies the authentication request (so neither the private key nor the biometric data ever leaves the device).

Passkeys are a form of “disguised” two-factor authentication (2FA), as the device (first factor) and the user’s biometric verification (second factor) are needed.

To be usable in practice, passkeys can be shared between nearby devices (even from different platforms) by scanning a QR code and using Bluetooth between the two devices.

Moreover, passkeys are synced inside an ecosystem via Apple iCloud Keychain, Google Password Manager or a Microsoft account. Therefore, they are available on all devices using the same account, which avoids having to create a new passkey for each device.
Learn more about passkeys.

Where are passkeys stored?

Passkeys comprise a pair of keys, a private one and a public one. The public key is stored on the server of the Relying Party, for example a website or app. The private key is bound to a device, e.g. a smartphone or computer, placed in its secure enclave / trusted platform module (TPM) and also synced via the user’s platform account (e.g. in iCloud Keychain or in Google Password Manager). Thus, passkeys are available on all user devices for sign-in.

Integration and general usage

Are passkeys complicated to use?

From a user perspective, they are easier to use than passwords, since most users nowadays are used to accessing their devices via biometrics (e.g. Face ID or Touch ID). Nevertheless, at the beginning of a rollout, users need to be educated on how passkeys work. Eventually, passkeys will help make signing up for new accounts easier, since users do not have to create complex passwords and try to remember them. It’s as easy as unlocking your smartphone.

Where can I find examples of FIDO authentication and do you have a demo I can try?

FIDO authentication examples can be found on the FIDO Alliance website or in this demo.

How do I implement passkeys for passwordless authentication?

Passkeys can be added to your project by following the FIDO docs. If you don’t want to do everything yourself, a passkey provider like Corbado can help.

How do I remove a passkey from my account or device?

On Apple devices, passkeys can be deleted by going to "Settings" > "Passwords" > selecting the passkey to delete > clicking "Delete password". On Windows devices, you can delete passkeys by going to "Settings" in Chrome > "Password Manager" > "Manage passkeys" > selecting the three-dot menu of the passkey to delete > clicking "Delete". On Android, go to Chrome’s "Settings" > "Passwords" > choose the app/website > click on the trash icon. Here is a detailed guide.

How do I create a passkey?

To create a passkey, you first need to have a device that supports passkey authentication and have passkeys switched on in your security settings. You can then create passkeys on websites and apps that support them.

How can I use passkeys on iOS 16+?

Passkey authentication is built into iOS 16+, allowing users to easily use passkeys to sign into apps and websites. To use passkeys, you have to have iCloud Sync activated ("Settings" > "Apple ID, iCloud, Media & Purchase" > "iCloud" > "Passwords and Keychain" > "Sync this iPhone"). Additionally, you must activate Face ID ("Settings" > "Face ID & Passcode" > "Set up Face ID").

How can I use passkeys on Windows?

Windows 10/11 support passkeys with "Windows Hello". To use passkeys on Windows 10/11, go to your "Settings" > "Accounts" > "Sign-in options" > scroll to "Windows Hello Face" and select "Set up" > "Get started". Here is the detailed guide.

How can I use passkeys on Android?

On Android devices, passkeys can be used if the device is synced through the Google Password Manager.

Does Firefox support FIDO-based passkeys?

Yes, Firefox supports FIDO-based passkeys and WebAuthn.

Can I use my phone for FIDO-based authentication with passkeys?

FIDO-based authentication can be performed on mobile devices that support FIDO-certified authenticators, such as fingerprint sensors (e.g. Touch ID) or facial recognition (e.g. Face ID).

Cross-platform and cross-device

Which platforms are supported?

Apple, Google and Microsoft have all announced their full support for passkeys in their operating systems, devices and browsers. Find out more about the roadmap and adoption here.

Can passkeys be used across platforms?

Passkeys have cross-device and cross-platform capability. They can be shared across platforms and devices via QR codes and Bluetooth. To log in from another device, you need to have one of your registered devices nearby. The website / app on your new device will generate a QR code, which can be scanned by the user’s phone before verifying it with Face ID or fingerprint to complete the authentication process on the new device.
Passkeys are also backed up securely in the iCloud Keychain and Google Password Manager. If you attempt to log in to the same account on, e.g., your Mac, iPhone, iPad and Apple TV, all you need is your Face ID or fingerprint to verify it’s you and access it.
Passkeys are not restricted to devices, browsers or operating systems from one company. Although they are anchored to one company's technology suite, users are able to, e.g., bridge out of Apple's world to use passkeys with Microsoft's or Google's: "Users can sign in on a Google Chrome browser that's running on Microsoft Windows, using a passkey on an Apple device".

Can passkeys be used on other people’s devices?

Yes, passkeys stored e.g. on your phone can be used to log in to other nearby devices, like a laptop you're borrowing. The login screen on the borrowed device will have an option to let you scan a QR code with your phone. Bluetooth is used to ensure that the borrowed device and your phone are close by. On your phone you can use Face ID or a fingerprint for authentication.

Can passkeys be shared?
How do I sync my platform authenticator?

To sync your platform authenticator on Apple devices, you need to enable syncing. On an iPhone, this can be done by switching on "Syncing Platform Authenticator", found under "Settings" > "Developer". On Mac, follow these steps: open Safari > go to "Preferences" > click the "Advanced" tab > select "Show Develop menu in menu bar". Once the Develop menu is visible, you can enable the "Develop > Enable Syncing Platform Authenticator" option in Safari.

What is "pairing" with a passkey?

"Pairing" with a passkey is a method of transferring a passkey from one device to another. This process relies on two mechanisms: (1) The first device displays a QR code, which is then scanned by the second device. (2) To make sure that the QR code isn't scanned by unauthorized users, a Bluetooth proximity check is performed between the two devices to confirm their proximity.

Differentiations

Are passkeys like a password manager?

Simplified, passkeys work like a modern cloud-synced password manager (e.g., iCloud Keychain, LastPass or 1Password), just without the passwords.

How does WebAuthn differ from passkeys?

WebAuthn is a web security protocol developed by the FIDO Alliance. Passkeys are a technology based on this protocol.
Read more about WebAuthn and passkeys.

What is the difference between passkeys and biometric authentication (e.g. Face ID or Touch ID)?

Biometrics are used in passkey authentication to access the private key, which is stored inside the user’s device.

What is the difference between FIDO2 and passkeys?

FIDO2 is a standard for secure online authentication. Passkeys are an implementation of FIDO2, and "passkey" is the more common term. Often, passkeys are also called FIDO multi-device credentials.
Read more about FIDO2 and passkeys.

Is Face ID a passkey?

A passkey is a way to log into an app or website and can use Touch ID or Face ID during authentication.

Comparisons

What are some better alternatives to passwords for online security?

There are several alternatives to passwords that provide better security, such as passkeys, Single Sign-On (SSO) and Multi-Factor Authentication (MFA). These methods are more secure because they are harder to circumvent than traditional passwords.

What are disadvantages of passwords compared to passkeys?

In general, passwords are difficult to use correctly: they need to be complex, they need to be changed frequently, and every website should have a different password. For humans, it is just impossible to cope with these requirements, and people tend to use simple and similar passwords for all their accounts.
Even strong passwords are not secure, since attacks like phishing can fool people into giving up the most unique passwords.
Passwords can also be leaked if a database gets hacked. This is a serious problem for tech companies that promise to secure customer data.

What are some potential drawbacks of using passkeys for authentication?

Passkeys require hardware, such as cameras or fingerprint readers. Also, cross-device flows can be quite tricky (Corbado helps solve this smoothly, though).

Security

How secure are passkeys?

Passkeys are far more secure than passwords, as no secret, like a password, is shared between the user and the service. This means that even if a company suffers a data breach, attackers will only see the public key (which is by definition not a secret), but will not have access to the private key.
A big advantage of passkeys is that cyber criminals can’t trick users into sharing a password through a phishing email or fake website, since passkeys are linked to the original website / app they were set up for.
On new devices, passkeys are automatically available as they are encrypted, synchronized and backed up.

What if a passkey device is lost?

In case a device with passkeys is lost, a user can still access accounts as passkeys are synced in the respective ecosystem of Apple, Microsoft and Google.

Corbado

Why do I need Corbado for passkeys?

Not many websites or apps have implemented passkeys so far, and few developers have experience with passkeys.
For new developers in this area, it will take weeks or months to get into passkeys and a substantial workload to maintain passkey systems.
Corbado focuses on helping software companies bring passkeys to their users by offering intelligent user transition solutions, an easy integration into existing systems and dealing with cross-device / cross-platform issues.
We provide easy to use web components and APIs that handle the passkey magic for you and let you focus on your core features.
See also "Why Corbado?" to learn about more benefits of Corbado's solutions.
