What is a Passkey?
Passkeys are a passwordless authentication credential based on FIDO2 and WebAuthn standards that sync across a user's devices through platform cloud services like iCloud Keychain or Google Password Manager. They use public-key cryptography to provide phishing-resistant authentication without requiring users to remember passwords or carry physical security keys. The user authenticates locally with a biometric (fingerprint or face scan) or device PIN, which unlocks the private key stored on the device.
Passkeys represent the industry's most significant push toward eliminating passwords entirely. Unlike traditional FIDO2 security keys that are bound to a single hardware device, passkeys are designed for everyday consumer use by synchronizing across all devices in a user's ecosystem. If you lose your phone, your passkeys are recoverable from your cloud account.
Apple, Google, and Microsoft jointly announced passkey support in 2022 through the FIDO Alliance, and by 2025, passkeys are supported natively in iOS, Android, macOS, Windows, and Chrome. Major services including Google, Amazon, PayPal, GitHub, and WhatsApp have rolled out passkey login, marking a turning point in the long effort to move beyond passwords.
How Passkeys Work
Passkey authentication relies on asymmetric (public-key) cryptography:
- Registration -- When a user creates a passkey for a website, the device generates a unique public-private key pair. The public key is sent to the server and stored. The private key remains on the device, protected by the platform's secure enclave or TPM.
- Sync to cloud -- The private key is encrypted and synced to the user's cloud account (iCloud Keychain, Google Password Manager, or a third-party password manager like 1Password). This makes the passkey available on all the user's devices.
- Authentication -- When the user signs in, the server sends a cryptographic challenge. The device prompts the user for biometric verification or device PIN.
- Challenge response -- Upon local verification, the device signs the challenge with the private key and returns the signed response to the server.
- Server verification -- The server verifies the signature using the stored public key. If valid, the user is authenticated.
// Simplified WebAuthn registration (browser API)
// `serverChallenge` and `userId` must be BufferSource values (e.g. Uint8Array), not strings;
// the challenge is fresh random bytes issued by the server for this one ceremony.
const credential = await navigator.credentials.create({
    publicKey: {
        challenge: serverChallenge,
        rp: { name: "Example Corp" },                         // rp.id defaults to the page's domain
        user: { id: userId, name: "user@example.com", displayName: "User" },
        pubKeyCredParams: [{ alg: -7, type: "public-key" }],  // COSE -7 = ES256 (ECDSA P-256 / SHA-256)
        authenticatorSelection: { residentKey: "required" }   // discoverable credential, as passkeys require
    }
});
// Send credential.response.clientDataJSON and credential.response.attestationObject
// to the server, which extracts the public key and stores it with the credential ID.
Passkeys in Practice
Apple integrated passkeys into iOS 16 and macOS Ventura, syncing them through iCloud Keychain. Google followed with passkey support in Android and Chrome, synced via Google Password Manager. Password managers like 1Password, Dashlane, and Bitwarden now support storing and syncing passkeys cross-platform, bridging the gap between ecosystems.
For relying parties (websites and apps), implementing passkeys means adopting the WebAuthn API on the frontend and supporting FIDO2 server-side libraries. Services like Auth0, Okta, and Passage provide passkey support as part of their authentication SDKs, reducing implementation complexity.
Enterprise adoption is growing but lags consumer deployment. Organizations use passkeys alongside SSO and MFA policies, often allowing passkeys as a primary authenticator that satisfies multi-factor requirements in a single gesture -- the device is "something you have" and the biometric is "something you are."
Common Misconceptions
"Passkeys are just another name for FIDO2 security keys." Passkeys are built on FIDO2/WebAuthn, but the critical difference is synchronization. Traditional FIDO2 keys are hardware-bound (one device). Passkeys sync across devices via cloud services, making them practical for mainstream consumer use without dedicated hardware.
"If my phone is stolen, my passkeys are compromised." Passkeys require biometric or PIN verification on the device before they can be used. An attacker with a stolen phone cannot use the passkeys without also bypassing the device's biometric lock. Cloud-synced passkeys are further protected by the cloud account's own authentication.
"Passkeys only work within a single platform ecosystem." While early implementations were ecosystem-specific, cross-platform support has matured significantly. QR-code-based cross-device authentication allows using a passkey on an Android phone to sign into a website on a Windows PC. Third-party password managers that support passkeys also work across platforms.
Key Standards & RFCs
- W3C Web Authentication (WebAuthn) Level 2/3 -- The browser API standard that passkeys are built on, defining how web applications create and use public-key credentials.
- FIDO2 CTAP 2.2 -- The Client to Authenticator Protocol enabling communication between browsers/platforms and authenticators, including support for synced credentials.
- FIDO Alliance Multi-Device FIDO Credentials -- The specification defining how passkeys sync across devices securely.
- NIST SP 800-63B -- Classifies passkeys at AAL2 (Authenticator Assurance Level 2) when device binding and biometric verification are combined.
Frequently Asked Questions
What are Passkeys?
Passkeys are phishing-resistant, passwordless login credentials that use public-key cryptography and sync across your devices through cloud services, replacing passwords with biometric or PIN-based authentication.
How do Passkeys work?
When you create a passkey, your device generates a key pair. The private key stays on your device (synced through your cloud account), and the public key goes to the website. To sign in, you verify with a biometric or PIN, and the device signs a challenge that the server verifies.
What are Passkeys used for?
Passkeys are used to sign into websites and apps without a password, providing a faster and more secure login experience that resists phishing and credential theft.
What are the benefits of Passkeys?
Passkeys eliminate password memorization, resist phishing attacks, prevent credential stuffing, sync across devices for convenience, and satisfy multi-factor authentication requirements in a single step.
Passkeys vs Passwords?
Passwords are shared secrets that can be phished, reused, and leaked in breaches. Passkeys use public-key cryptography where the private key is never sent to the website, so there is no shared secret to phish, reuse, or leak, making them resistant to these attacks while also being faster and more convenient to use.