In today's digital age, where everything is online, login credentials hold significant value for every user. Usernames and passwords have been the go-to for website security for decades, but with increased technological advancements, multiple alternatives have emerged. One such alternative is passkeys. You may have heard about it as a mechanism for passwordless authentication, but what exactly is a passkey? How does it work, and how is it secure? In this guide, we will discuss everything you need to know about passkeys.
What is a Passkey?
A passkey is a random code that one uses when logging into an account. Passkeys do not require any special characters or numbers to be secure, but they do require a specific length of time to be secure. Passkeys can be either time-based or event-based, and the way they are generated and tracked depends on the implementation.
More recently, passkeys are tied to biometric authentication where the user identity is confirmed through unique biological characteristics such as fingerprints or face recognition. Biometric passkeys leverage device-native features like TouchID, FaceID, and Windows Hello.
The FIDO Alliance, an industry consortium dedicated to promoting secure authentication methods, has developed the FIDO2 and WebAuthn standards to support this type of biometric authentication. These standards offer a secure, interoperable solution to replace passwords. With passkey authentication, users can enjoy a more convenient and secure way to authenticate their identity, while reducing the risk of unauthorized access to their accounts.
Table of Contents
What is the difference between a passkey and a password?
A passkey and a password are both authentication mechanisms used to secure access to private information.
Usernames are unique identifiers chosen by the user while passwords are typically a combination of letters, numbers, and symbols that are kept secret. When logging in with a username and password, the user enters their credentials into a login form, and the website verifies that the username and password match the ones stored in its database. But since each website or application requires a unique password, studies have shown that many users re-use passwords across multiple sites. Because passwords can be discovered, they open you up to security vulnerabilities like phishing attacks.
Passkeys, on the other hand, are generated and managed by a device such as a smartphone or a security key and are used in conjunction with biometric authentication methods such as fingerprints (Touch ID) or facial recognition (FaceID). Webauthn passkeys are considered more secure than passwords because they are unique to each user and device, and they cannot be easily intercepted or guessed by attackers. Unlike passwords, passkeys cannot be stolen in a data breach because they are never transmitted over the internet.
Another advantage of passkeys is that they are easier to use than passwords. Users do not have to memorize a complex combination of characters but instead rely on their device to authenticate them. Passkeys are also resistant to phishing attacks because they are verified by the device, not the website.
How do passkeys work?
Passkeys are generated randomly and stored on the user's device. When logging into an account that requires a passkey, the user presents the passkey, which is then verified by the server. The server compares the passkey to stored templates and checks if it's valid. If it is, the user is authorized to log in. The only time the server has access to the passkey is during authentication.
The cryptography behind webauthn passkeys is based on public-key cryptography, which uses a pair of keys: a private key and a public key. The private key is kept secret by the user and is used to sign messages or data, while the public key is shared publicly and is used to verify the signature.
When a user registers a webauthn passkey, the device generates a new keypair and stores the private key securely within the device's hardware. The public key is then sent to the website or online service, which stores it along with the user's account information.
To authenticate with a webauthn passkey, the user simply needs to connect their device to the website or online service and perform a biometric authentication, such as a fingerprint or facial recognition. The device then signs a unique challenge generated by the website using the private key, and sends the signed message back to the website. The website then verifies the signature using the public key stored on its database, and grants access if the signature is valid.
How safe are passkeys?
Passkeys are secure due the fact that they are tied to biometric factors and the fact that they are not reusable. Passkeys are primarily used for single sign-on purposes, meaning a user can log in to multiple websites with a single passkey. However, each website will have a specific passkey, which ensures that if one website is hacked, the hacker cannot use that same passkey to log into other websites that use the same passkey generation system. In case a passkey gets stolen, it will only grant access to the specific account it's linked to and not any other account.
The downsides of using passkeys
There are a few downsides to using passkeys that have been identified. First, passkeys are device-specific. So if auser register a passkey to an account with their Apple laptop using TouchID and then try to log in to their account on their iPhone using biometric Face ID, it will not work. They will need to set up individual passkeys for each device. Syncing functionality has yet to be widely available, but many password managers and operating systems may eventually support passkey syncing.
The second downside of using passkeys is that most websites and apps do not support passkeys yet. This too will change in the future as support is spreading. For now, only some sites and services support the security feature. If you are a developer looking to implement passkeys for your application, check out our passkey and Webauthn developer resources below.
The third downside is that if a user loses access to a device, they could have trouble recovering their account access. Most sites support account recovery options if a password has been forgotten. But similar functionality has not been provided for passkeys and this may involve providing IDs or other forms of identity legitimation.
How do you set up a passkey?
To create a passkey, the process may vary depending on the device or service you are using. However, in general, here are the steps to follow:
- Go to the settings or security section of your device or service.
- Look for an option to set up a passkey.
- If you are using a security key for webauthn passkeys, the process may involve registering the key with your device or service. You may also need to set up biometric authentication methods such as fingerprints or facial recognition to use the passkey.
- Confirm the passkey and save the changes.
Set up a passkey in Apple
To set up a passkey on your Mac, make sure you have iCloud Keychain set up. When you see the option to save a passkey for the account, choose how you want to sign in:
- Touch ID on your Mac: Place your finger on the Touch ID sensor.
- Scan a QR code with your iPhone or iPad: Click Other Options.
- External security key: Click Other Options.
What devices support passkeys?
Most modern browsers and devices support passkeys. This includes most Apple devices running macOS or iOS 16+ (Mac, Macbook, iPad, iPhone) that have Touch ID or Face ID capabilities Microsoft devices that have Windows Hello enabled, and Android devices. Additionally, browsers and operating systems like Chrome, Firefox, and Safari offer passkey support. And Google now supports passkeys meaning any user with a Google account can now log in with passkey to their Google applications. Some password managers like 1Password have indicated that support for passkey storage is coming.
Here is a full list of which devices support passkeys.
Developer perspectives
Developers can implement passkeys using in-house resources and open libraries or by leveraging a third-party service. In-house implementations can require more time and resources but have the advantage of providing more customized solutions and control for specific use cases. Third-party services, on the other hand, offer pre-built biometric authentication solutions and can work as a plug-and-play service, with the added security benefits of a third-party audit.
Here are our top WebAuthn resources for developers to read:
- WebAuthn.wtf - a community-maintained website about the standard and it’s implementation steps
- Authentication With WebAuthn & Passkeys - a technical guide on how to implement WebAuthn with a 3rd party service (FusionAuth)
- Authenticators, Ceremonies, and WebAuthn
Conclusion
Passwords are a fragile way of securing user accounts, prone to hacking and cracking. Passkeys provide a passwordless experience, without sacrificing security. Passkeys work by using a randomly generated code that's unique to each account and requires permission from the server to authenticate.
They also provide the added benefit of being a one-stop solution for various accounts while maintaining individual security. Developers can find various options when it comes to implementation, either in-house or third-party solutions. Passkeys are the future of logins and are an excellent alternative to passwords.
