What Is a Passkey? Definition, Types and Implementation.

A passkey is a digital credential that is used as an authentication method for a website or application. Passkeys are based on a cryptographic public-private-key pair which is used in two ceremonies:

• Registration During registration the key pair is generated which is verified via the user’s biometrics (e.g. Face ID or Touch ID). The public key is sent to the server and linked to the website / app. The private key is stored safely on your device and referred to as a passkey.
• Login To login, the server sends a challenge to the user’s device. Biometrics are used to access the private key which is stored inside the user’s device. The challenge is signed with the private key and sent back to server which verifies the authentication request (so neither the private key nor the biometric data ever leaves the device).

Passkeys are a form of “disguised” two-factor authentication (2FA), as the device (first factor) and the user’s biometric verification (second factor) are needed. To be usable in practice, passkeys can be shared between nearby devices (even from different platforms) by scanning a QR code and using Bluetooth between the two devices.

---

• Technical Backbone: Passkeys are rooted in FIDO2 / WebAuthn technology, enabling devices to store private keys and generate signatures for authentication against a website or app.
• Cross-platform Functionality: They can be shared between nearby devices across different platforms using QR codes and Bluetooth, facilitating easy logins even on borrowed devices.
• Big Tech Adoption: Major tech giants like Apple, Google, and Microsoft back passkeys, with implementation on popular platforms like PayPal, eBay, and Kayak.
• High Security: Unlike passwords, passkeys are safeguarded against common threats like phishing and data breaches, owing to the local storage of private keys and the cryptographic challenge-response protocol they employ.

---

• Passkeys significantly boost security by employing a two-factor authentication involving a device and biometric verification. Additionally, the cryptographic protocol ensures that critical data like the private key and biometric details never leave the device.
• Moreover passkeys are bound to the domain (Relying Party ID) they were created for, which prevents phishing

• While WebAuthn lays down the protocol for utilizing private keys for authentication, passkeys are a specific implementation of this protocol, tailored for easy user interaction and broad application, especially among non-technical users.

• Passkeys are adopted by various big tech companies and are applicable on platforms like PayPal, eBay, and Kayak. Their implementation is set to expand as more organizations recognize the security and convenience benefits.

• Yes, passkeys can be utilized on other nearby devices by scanning a QR code, allowing for a seamless login experience even on borrowed devices.

• Passkeys outshine traditional passwords by offering enhanced security through cryptographic protocols and ease of use through biometric authentication, thus mitigating common issues associated with password-based systems.

• Given their robust security framework and ease of use, Passkeys are indeed seen as a the new standard in digital authentication, aligning with the FIDO Alliance's vision of passwordless authentication.

• Requiring hardware like cameras or fingerprint readers, and the complexity of cross-device flows are some challenges. However, passkeys-as-a-service solutions (e.g. Corbado) are addressing these hurdles to ensure a smooth user experience.

• Yes. The private key of a passkey is saved locally on your device and is never used or stored by online services in the registration / login process. Within your device, they can only be accessed with your biometrics or your PIN, so only you can access them.