What are Passkeys?
Many of us know and use passwords to log in to web services and applications. But almost every day, passwords fall into the wrong hands through phishing and data theft, causing a lot of problems.
The logical next step would be a password-free future.
And that’s exactly where passkeys come in. The term Passkey is a combination of the words password and key. They are designed to be a modern, secure successor to passwords and traditional multi-factor authentication.
Passkeys are a passwordless authentication method based on the idea of moving from knowledge-based authentication (something you know) to possession-based authentication (something you have).
Passkeys are an authentication method created by the FIDO Alliance in collaboration with the W3C (World Wide Web Consortium). FIDO stands for Fast Identity Online, which refers to fast identity verification for digital connections. The alliance was officially founded in February 2013 and now includes numerous international tech companies such as Google, Infineon, Microsoft, PayPal, and, since 2015, the BSI (Germany’s Federal Office for Information Security). Its goal is to develop and establish open, license-free industry standards that can be used by all participants. For passkeys this has already been achieved with the FIDO 2 standard in combination with the WebAuthn interface.
Passkeys, FIDO 2 and WebAuthn and How They Work Together in the Web
The process behind this is based on asymmetric (public-key) cryptography and uses the challenge-response method. When a user activates the passkey function for an application or web service, a key pair is generated according to the standard defined by the FIDO 2 framework, and the browser’s WebAuthn (Web Authentication API) interface handles the exchange with the service: a private key, which must always be kept secret (private), and a public key. The private key is created in the authenticator (normally a secure vault on the local device), is stored securely there and is bound to it. Authenticator refers to a secure local space on the user’s device, which can be a smartphone, tablet, laptop or desktop PC, or a password manager.
The public key is mathematically derived from the private key and, as the name implies, can be made public and sent to the account server of the service the user wants to regularly authenticate with. With each subsequent login, the account server sends a challenge in the form of a data packet to the user’s device that must be answered. The challenge runs in the background, unnoticed by the user. The user only needs to unlock the authenticator, i.e. remove the device lock, by providing an authentication factor such as a PIN, a swipe pattern, a fingerprint scan or facial recognition.
After the authenticator is unlocked, the challenge is automatically signed with the private key and sent back to the account server. The server uses the public key to verify the authenticity of the signature and authenticate the user. The entire process takes a fraction of a second and can only be completed if the public and private keys belong to the same pair.
Even though two authentication factors are needed, the user only actively confirms one factor, the possession factor, by unlocking the device. The second factor consists of the passkey authentication itself and is based on the knowledge factor in the form of the private key. The cryptographic calculations for this factor are done in the background.
Disadvantages of Passkeys
No access without the device. That means the authenticator must always be with you, and if it is lost, it can take some work to recover a passkey. Another drawback is that a passkey is often tied to a product, platform or ecosystem, making it difficult for users to use passkeys across platforms. This means that the technology does not work across devices such as a notebook running Microsoft Windows and an Apple iPhone. However, if the authenticator is not a device but a password manager, this can at least be worked around.
Advantages of Passkeys
The generated keys are unique and only valid for the account for which they were generated. This means that they cannot be used for other accounts or websites, making phishing, brute-force and dictionary attacks ineffective. There are also no passwords to forget, which reduces the number of IT requests for password resets. The private key is stored securely in the authenticator, and even if attackers were to obtain the public key by compromising an account server, it would be worthless to them without the private key. Hence, the passkey method is generally more secure than the classical username/password or other authentication methods.
Finally, passkey authentication is a user-friendly, fast and simple technology with the highest security standard that also addresses the human factor of forgetting or losing passwords.
Passwordless Authentication with Passkeys, WebAuthn, Biometrics for a Secure Future in the Web
The future will tell whether, and how fast, passkeys become a de facto standard for user authentication. We can already state today that the technology has many advantages over established authentication methods like username/password or multi-factor authentication. The FIDO Alliance, with its many large and powerful tech players, will do its utmost to push the WebAuthn authentication standard for use by their customers and partners. Together with a variety of biometric factors or hardware-based authentication solutions, passkeys combined with WebAuthn have the potential to protect us optimally against cyber threats. Nevertheless, users first need to accept this new, comfortable way of authenticating themselves, which will probably depend strongly on the ability of the ecosystems to become interoperable with each other.
Note: This glossary was first published in July 2024 and last updated and corrected in April 2025.