What are Passkeys?

Passkeys Definition

Passkeys are the next generation of passwordless authentication, based on FIDO2 and WebAuthn standards. Unlike traditional FIDO2 keys, passkeys can be synchronized between user devices through the cloud (iCloud Keychain, Google Password Manager), solving the access loss problem when a device is lost.

How Do Passkeys Work?

Registration:

1. User creates account
2. Device generates asymmetric key pair
3. Private key stays on device (or in provider’s cloud)
4. Public key goes to the service

Login:

1. Service sends challenge
2. Device signs challenge with private key
3. User authorizes with biometrics or PIN
4. Service verifies signature with public key

Why Are Passkeys Secure?

• Phishing-resistant: Private key never leaves device
• Credential stuffing-resistant: No password to guess
• Breach-resistant: Only public key on server
• Unique per service: Each service has separate key

Passkeys vs Traditional FIDO2

Aspect	FIDO2 Hardware Key	Passkeys
Storage	Hardware key	Device + cloud
Synchronization	None	Between devices
Backup	Complicated	Automatic
Cost	Key purchase	Built into OS

Platform Support

Apple:

• iOS 16+, macOS Ventura+
• iCloud Keychain synchronization
• Face ID/Touch ID support

Google:

• Android 9+
• Google Password Manager
• Chrome on all platforms

Microsoft:

• Windows 11 22H2+
• Microsoft Authenticator
• Windows Hello

Passkeys Implementation

Services implement Passkeys through:

• WebAuthn API in browser
• Platform authenticator API
• Credential Management API

Challenges and Limitations

• Adoption: Still limited service support
• Enterprise: Managing passkeys in organizations
• Cross-platform: Migration between ecosystems
• Shared devices: Not ideal for shared devices

Passkeys are the future of authentication, promoted by FIDO Alliance and Big Tech as a password replacement.

Explore our services

• Penetration testing