How are Passkeys Generated?

Passkeys are generated using asymmetric cryptography, where a pair of cryptographic keys - a public key and a private key- is created. The private key remains securely stored on the user's device, while the public key is shared with the server. When a user registers or logs in, their device creates this key pair, which is then used to authenticate their identity securely without ever exposing the private key.

---

Passkeys rely on asymmetric cryptography, a method that uses two distinct but mathematically linked keys - a public key and a private key. Here’s a closer look at the process:

• Key Pair Generation: When a user initiates the creation of a passkey, their device generates a pair of cryptographic keys. The private key is stored securely on the user's device (e.g., within a secure enclave on a smartphone), and the public key is sent to the server where it is stored.

• Registration Process: During the initial registration with a service, the user’s device creates the key pair. The private key is never shared and remains protected on the device. The public key, however, is transmitted to the server and stored along with the user's account.

• Authentication Process: When the user attempts to log in, the server sends a challenge to the user's device. The device uses the private key to sign this challenge. The server then verifies this signature using the corresponding public key, thereby authenticating the user without ever exposing their private key.

Public Key Infrastructure (PKI) is fundamental to the security of passkeys. PKI manages the public keys and the digital certificates that authenticate them. PKI ensures that communication between the user's device and the server is secure, preventing man-in-the-middle attacks during the authentication process.

---