The term Passkey is a combination of the words password and key. Designed to be a modern, secure successor to passwords and multi-factor authentication, Passkey is based on WebAuthn (Web Authentication API), a standard from the FIDO2 framework.
Passkey is a passwordless authentication method based on the idea of moving from knowledge-based authentication (something you know) to possession-based authentication (something you have).
The process behind this is based on public-key cryptography (an asymmetric key pair) and uses the challenge-response method. When a user activates the passkey function for an application or web service, two digital keys are generated: a private key, which must always be kept secret, and a public key.
The private key is created in the authenticator, stored securely there and bound to it. Authenticator refers to the user's device, which can be a smartphone, tablet, laptop or desktop PC; it can also be a password manager.
The public key is mathematically derived from the private key and, as the name implies, can be made public and sent to the account server.
With each subsequent login, the account server sends a challenge to the user's device: a random data packet that must be signed. The challenge is handled in the background, unnoticed by the user. The user only needs to unlock the authenticator by releasing the device lock, either by entering a PIN or a swipe pattern, scanning a fingerprint, or using Face ID.
After the authenticator is unlocked, the received challenge is automatically signed with the private key and sent back to the account server. The server uses the public key to verify that the signature is genuine and thereby authenticates the user. The entire process takes a fraction of a second.
Even though the user actively confirms only one factor, the possession factor, by unlocking the device, Passkey still includes the knowledge factor in the form of the private key; the calculations for this factor are done in the background.
Disadvantages of Passkeys
No access without the device: the authenticator must always be with you, and if it is lost, recovering a passkey can take some work. Another drawback is that passkeys are often tied to a product or ecosystem, making it difficult for users to use them across platforms. If the authenticator is a password manager rather than a device, this can at least be avoided.
Advantages of Passkeys
The generated keys are unique and only valid for the account and website for which they were generated. They cannot be used for other accounts or websites, which makes phishing attacks ineffective: a look-alike site has no passkey bound to it and therefore cannot obtain a valid signature. There are also no passwords to forget, which reduces the number of IT requests for password resets. The private key is securely stored in the authenticator, and even if attackers were to gain access to the public key by hacking an account server, it would be worthless to them, because a signature cannot be produced without the private key.
This means greater convenience and better security than using regular passwords.