Business and Enterprise
Protect your company from cybercriminals.Start Free Trial
A passkey is a modern passwordless authentication technology that allows users to log into accounts and apps using a cryptographic key instead of a password. A passkey leverages biometrics (fingerprint, face recognition, etc.) to confirm the user's identity.
Despite having similar names, passkeys are very different from passwords.
A password is a string of characters that users must provide when logging into a website or app, usually in conjunction with a username. To prevent data breaches and account takeovers, NIST recommends that passwords consist of the following:
A passkey is a new authentication technology that uses public key cryptography to enable users to log into websites and apps without having to enter a password. Instead, users authenticate the same way they unlock their phones and tablets: with their fingerprint, face or other biometrics; by using a swipe pattern; or by entering a PIN. For purposes of convenience, most people will opt for biometric authentication.
Instead of creating a password to log into an account, users generate a passkey – which is actually a pair consisting of one private and one public key – using an “authenticator.” This “authenticator” can be a device, like a smartphone or a tablet, a web browser, or a password manager that supports passkey technology.
Before generating a passkey, the authenticator will require that the user identify themselves using a PIN, swipe pattern or biometrics. The authenticator then sends the public key (which is roughly equivalent to a username) to the account web server for storage, and the authenticator securely stores the private key locally. If the authenticator is a smartphone or other device, the private key will be stored in the device keychain. If the authenticator is a password manager, the private key will be stored in the password manager’s encrypted vault.
To create a new passkey, the user signs into their account normally and then enables the passkey option from the security settings screen of the website or app. The website or app then prompts the user to save a passkey associated with their device. The web browser or operating system will then request biometric authentication to approve the request, and the passkey is stored locally.
Subsequent logins to the website will then prompt the user to use a passkey from their device to login, instead of a password. If the web browser supports synchronization of passkeys between devices, the passkey will be available across those devices.
If the user is using a device that doesn't have a passkey for the website or app, they may have the opportunity to use another device. If the browser supports cross-device authentication, the browser may prompt the user with a QR code that can be scanned by a mobile device to complete the sign-in. Cross-device authentication also involves the use of Bluetooth to ensure proximity.
This is what the end user sees. Let’s take a look at what’s going on behind the scenes, at the server level. When an end user attempts to log into their account with a passkey, the account server sends a “challenge” to the authenticator, consisting of a string of data. The authenticator uses the private key to solve the challenge and sends a response back, a process known as “signing” the data and verifying the user’s identity.
Notice that at no time during this process does the account server need to access the user’s private key, which also means that no sensitive information is ever transmitted. This is possible because the public key – which the server stores – is mathematically related to the private key. The server needs only the public key and the signed data to verify that the private key belongs to the user.
Passkeys are more secure than passwords, for numerous reasons:
While passkeys may eventually replace passwords, they won’t replace password managers. Instead, password managers will become even more important. This is because passkeys are tied to an authenticator. Users have a choice as to whether to use a device – usually a smartphone, but a tablet, laptop or desktop could work – or a password manager that supports passkeys.
At first, using a smartphone as an authenticator may seem like the logical option, as most people have their phones with them all the time. However, since most people use multiple devices, this quickly becomes inconvenient. If a user wants to access an account or app on a different device, like their laptop or tablet, they would have to generate a QR code on that device, then scan it with their authenticator, then use their biometrics to finally sign in.
A password manager like Keeper, which will be rolling out support for passkeys in early 2023, will greatly simplify this process by tying the passkey to an application instead of a physical device.
As of this writing, the number of websites and apps that support this technology is still small. Apple, Microsoft, Best Buy, GoDaddy, PayPal, Kayak and eBay are among the major names that support passkeys right now.
However, because of their convenience and security, passkeys are rapidly growing in popularity. Google rolled out passkey support to Chrome stable M108 for Windows, Android and macOS in December 2022, with support for iOS and Chrome OS in the works, as well as a new API set that will bring passkeys support to Android apps.