Learn how passkeys enhance privacy by design, avoid tracking, and protect user data like PII
Alex
Created: April 2, 2025
Updated: April 12, 2025
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to help you understand passkeys and their characteristics better.
When talking about passkeys as a new authentication method, the topics that usually come up are improved UX, increased security due to phishing-resistant MFA, or the compelling cost savings that come from replacing SMS OTPs and reducing password / account recovery efforts. A rarely discussed topic in passkey authentication, however, is privacy, which is why there are a lot of misconceptions around it. In this blog we are going to answer the following questions related to the privacy of passkey authentication:
How does passkey creation work from a privacy point of view?
Are passkeys better or worse than passwords for user privacy?
Which regulations are important when it comes to privacy for authentication?
Passkeys are digital credentials based on the Web Authentication (WebAuthn) standard, developed by the FIDO Alliance in collaboration with major platform providers like Apple, Google, and Microsoft. They replace traditional passwords with cryptographic key pairs that make login both more secure and more convenient, and they have always been developed with user privacy in mind. When you register for a website or an app that supports passkeys, the process looks something like this:
A unique key pair is generated by your device, with one public key that is stored on the server and one private key that is securely stored on your device.
During the login, the app/website sends a challenge to your device which needs to be signed by your device with the private key. To get access to the private key, biometric authentication might be performed.
The server then verifies the signature using the public key to complete the process.
In step 2, when the challenge is signed, users might get the false impression that sensitive (biometric) information is being sent to the server, because Face ID or Touch ID was used. In reality, the opposite is true: the private key and the biometric information never leave the user's device. They are only used to sign the challenge locally on the device.
On most modern devices, passkeys are protected by biometric methods like Face ID or Touch ID. These act as the second factor of authentication making passkey technology phishing-resistant 2FA/MFA.
They are used to authorize the use of the private key stored on your device in the hardware security module (secure enclave, TPM or TEE). Biometric data is never part of the passkey itself; instead, it is only used to unlock the hardware security module of the device where the private key is stored.
The biometric check happens locally (it's the same mechanism used when unlocking the device)
No biometric data is sent to websites or stored by third parties
Passkeys are developed with privacy by design in mind. In fact, privacy is a first-class principle. The protocols and systems that support passkeys are intentionally built to avoid sharing non-relevant user data.
A major privacy concern with social login systems (like Google login, Apple login etc.) is the potential for tracking users across websites.
Over time, this allows for tracking of:
Which websites you visit
How long you stay on pages
What products you look at
Passkeys avoid this entirely by creating unique keys for each website or app (relying party), which makes them more private than social logins.
When stored or synced across devices (e.g. via iCloud Keychain or Google Password Manager), passkeys are end-to-end encrypted.
Only the user can access them.
Even the cloud provider (e.g. Apple, Google) cannot use, view, or extract the passkeys.
Encryption ensures that passkeys remain private even during backup and syncing.
This ensures both security and privacy, even when data is stored remotely in the Keychain/Passwords Manager.
Passkeys are stored:
Locally on a user’s device and
Securely backed up to the user’s chosen cloud service (in case of synced passkeys)
In both cases, users retain control over where their credentials are stored. The storage is transparent as users know whether syncing is enabled, and which devices have access.
This makes passkeys a strong fit for users who care about data sovereignty and digital autonomy.
Key Presence Privacy refers to the property of an authentication system, such as those using passkeys or WebAuthn, where the server cannot determine whether a private key exists on a client device until the user actively attempts to authenticate. This is an important protection mechanism that prevents websites from detecting whether a user has passkeys without explicit user consent and ensures servers cannot probe or scan for existing passkeys on a device.
In order to ensure best in class UX regardless, Corbado uses Passkey Intelligence, a smart system that optimizes passkey authentication by making smart decisions about when passkey login should be available to the user. This feature adapts to the user's device context and reduces failed authentication attempts for people who might not have a passkey created.
As with any technology, passkeys raise questions and uncertainties for users. Many concerns stem from confusion about how the technology works or from assumptions based on past experiences with passwords or biometrics. Especially for passkey rollouts it is important to educate users to avoid misconceptions such as the following:
Misconception: Websites get access to my fingerprint or face data
Actual Truth: No. Biometric data like your fingerprint or facial scan never leaves your personal device. When you use biometrics with a passkey, your device performs a local authentication. If it succeeds, the device unlocks a private cryptographic key, which is used to sign a challenge. Only that signature is sent back to the server, which verifies it and authenticates you to the website.
At no point is your biometric information transmitted, stored externally or exposed to the app, website or platform provider.
Biometrics serve only as a gatekeeper for the private key of the passkey and the actual login happens using secure cryptography, not personal data.
Misconception: Passkeys make it easier for companies to track my activity across the web than social login.
Actual Truth: Passkeys are uniquely generated per website or app, meaning each site or app (relying party) gets its own dedicated public-private key pair. There is no shared identifier or key that links your activity between services.
In fact, passkeys are far more private than federated logins like "Sign in with Google" or "Login with Facebook," which do create cross-service identifiers.
Misconception: If I lose my device, I lose access to everything.
Actual Truth: Losing a device doesn’t mean losing your passkeys.
Passkeys are usually backed up through cloud services like iCloud Keychain (Apple) or Google Password Manager (or other third-party password managers). They are synced via end-to-end encryption, ensuring only you can access them. You will still be able to use your passkey from another device, using the biometrics of that device (or PIN, passcode alternatively).
Misconception: My employer can see and control all my passkeys.
Actual Truth: Personal and work credentials are usually separated. Even if you use a work-managed device, passkeys for personal accounts are stored in a different context, need biometrics to be accessed and cannot be used by your employer. Enterprise device management tools can enforce policies on work-related data but do not grant access to personal biometric data or passkeys.
Misconception: My data is stored on company servers where they can access it anytime.
Actual Truth: Passkeys are stored locally on your device, in a hardware security module (HSM) like the Trusted Platform Module (TPM) on Windows, Trusted Execution Environment on Android or the Secure Enclave on Apple devices. When passkeys are synced, they are stored in your personal cloud account, such as iCloud or Google. These backups are end-to-end encrypted, meaning not even the cloud provider can access your passkeys.
Passkeys are well-suited for several privacy compliance frameworks due to their inherent security features and alignment with modern regulatory standards. Some of the frameworks passkey authentication satisfies are:
Data Minimization: Passkeys reduce the need for storing sensitive data, such as passwords and even personal identifiers (as they work with technical identifiers), aligning with GDPR's data minimization principle.
Encryption: Passkeys use public-key cryptography, which supports GDPR's emphasis on encryption.
Strong Customer Authentication (SCA): Passkeys meet SCA requirements by providing independent factors of authentication and phishing resistance. Compliance of synced passkeys is more nuanced since there is no strict device binding like with non-synced passkeys. Currently there is no explicit ruling from the EBA (European Banking Authority) on synced passkeys. Please see our series on passkeys and PSD2 / SCA for more details:
Data Portability: This aspect is currently not fulfilled. However, passkeys will support data portability as soon as protocols like the Credential Exchange Protocol (CXP), which is currently in draft stage at the FIDO Alliance and which aligns with the CCPA's requirements, are published.
Data Minimization: Eliminating the need to store passwords helps passkeys support the CCPA’s objective of minimizing data collection and reducing the risk of exposure.
Stronger Security: Passkeys rely on cryptographic methods, aligning with the CCPA’s mandate for implementing reasonable security measures to protect consumer data.
Portability and Access: Built on FIDO2 standards, passkeys enable cross-platform functionality, supporting the CCPA’s provision for data portability and user access.
In order for passkeys to be completely compliant with the CCPA, the Credential Exchange Protocol (CXP), which is currently in draft status, has to be published by the FIDO Alliance.
Phishing-resistance: Passkeys are recognized by NIST as a phishing-resistant authentication method, aligning with the latest NIST password guidelines:
Synced Passkeys: Align with Authenticator Assurance Level 2 (AAL2) which requires multi-factor authentication and phishing resistance
(Device-bound) Passkeys: Align with Authenticator Assurance Level 3 (AAL3), which also requires hardware-based authenticators with non-exportable private keys.
To ensure best-in-class privacy for enterprise customers, Corbado Connect offers the possibility to add passkeys to an existing authentication solution with a few key aspects regarding user data:
No permanent storage of Personally Identifiable Information (PII): Once a passkey is created, personal information is not retained. Only a minimum of required data is processed temporarily. Unique technical identifiers are used instead of personal information.
Data minimization approach: Corbado Connect only requires essential data like unique identifiers (e.g. hash, UUID, account ID), IP address (temporary, for rate limiting only) and User-Agent / Client Hint information (device management only). All other data remains in your existing systems.
Backend integration design: Critical authentication data is kept within your systems maintaining your backend as the primary data store. Existing data governance standards are respected.
Privacy-First Architecture: Corbado Connect is GDPR-compliant by design. It works with your current data structures and maintains data sovereignty.
In conclusion, most of the concerns regarding privacy with passkey authentication are not accurate: no personal data is shared, biometrics always stay on-device and there is no tracking across sites. This makes passkey authentication even better than password authentication from a privacy point of view. We also answered a few other questions in this blog:
How does passkey creation work from a privacy point of view? Passkey creation generates a unique cryptographic key pair on your device. The private key stays securely on your device, while the public key is sent to the website. No personal or biometric data is shared, ensuring strong privacy.
Are passkeys better or worse than passwords for user privacy? Passkeys are better for user privacy as they don’t store or transmit personal data, can’t be reused or phished, and prevent tracking across sites thanks to unique key pairs per service.
Which regulations are important when it comes to authentication privacy? Common frameworks that regulate privacy for authentication include: GDPR, PSD2, NIST Guidelines. Since passkeys offer best-in-class security standards with phishing-resistant MFA they comply with the mentioned frameworks. As soon as the FIDO Alliance releases the Credential Exchange Protocol (CXP), passkeys will also be compliant with the California Consumer Privacy Act.