What are passkeys and why should I care?


Weak or stolen passwords are the most common cause of data breaches [1], accounting for 80% of all breaches in 2022. This means that most data breaches could have been prevented if more users had simply used stronger passwords, or had used a cryptographically sound mechanism for passwordless logins.

What on earth are passkeys?

Passkey logins are a form of passwordless authentication that uses a cryptographic keypair generated on, and kept local to, the user's device to verify the user from a registered device.

A cryptographic keypair is just a fancy term for two digital keys (each just a block of randomly generated data) that are related to each other in a specific way and generated on your device. One key is "public" and can be shared with anyone (including your websites and apps). The other is the private key specific to that public key, which - you guessed it - should never leave the device or be shared with any intermediary, because it must remain private.

To create a new passkey for your account, the website or app saves your public key from the keypair, while your private key remains on your device.

To sign in, your device shares your public key with the website or app. The website or app then encrypts a challenge using the public key you provided it at registration. A challenge is just a fancy way to say "randomly generated data".

Your device then needs to demonstrate to the website or app that it can decrypt the challenge with the private key it holds. That private key must be the one related to the public key originally registered with the site, or decryption will fail (that is the magic property of the cryptographic keypair that makes it work in this context). If decryption is successful, the website or app can confirm that you are who you say you are.

Passkeys offer stronger security than passwords, since the private half of a passkey isn't stored with the website or app, so it remains safe even if the website or app is hacked. This changes the economics of credential-based hacking: uncovering a treasure trove of badly hashed password tables from an old website will become an event relegated to the history books. In practice, it means that mass-scale credential compromise could be a thing of the past once passkeys are supported by all network applications.

Visually, the login sequence looks like this from a high level:

sequenceDiagram
    participant User
    participant Website
    User->>Website: Visit website and supply public key
    Website->>Website: Generate random challenge string
    Website->>Website: Encrypt challenge with given public key
    Website->>User: Send encrypted challenge
    User->>User: Decrypt challenge with private key
    User->>Website: Send response
    Website->>Website: Compare response with original challenge
    alt Response matches challenge
        Website->>Website: Log user in to account attached to public key
        Website-->>User: Send login confirmation
    else Response doesn't match challenge
        Website-->>User: Send login failed message
    end

So why should I care about passkeys?

In addition to the drastically lower return on investment of compromising credentials one at a time, passkeys can be simpler to use in specific workflows because they don't need to be remembered; the user can just select the passkey from the saved list on their device.

Specifically the passkey login system offers a number of benefits over passwords, namely:

  • Improved security: Storing the key pair on the user's device and not allowing hackers to gain access to millions of credentials with the compromise of just one website or app radically changes the economics and return on investment of attacks.

    A common retort to this is that modern hashing, salting and peppering techniques avoid this problem. However, auditing every website or app we use to ensure these standards are enforced in each of their codebases is intractable unless we stifle innovation and add regulatory compliance for every website or app. This quickly snowballs, given that each government or authority can impose different regulatory requirements, creating bifurcated access to online tools. There is also no guarantee that regulators will impose requirements that are meaningful from a user-security perspective.

    In contrast, passkeys are an open standard that every website or application can support on its own timeline, and security researchers continually review the specifications and implementations in a far more scalable way. It becomes trivial to check that a website or app conforms to the standard by using a standards-based passkey client.

  • Ease of use: Passkeys are easier to use because users do not have to remember them. They can simply select the passkey from their saved list on their device, which saves time and minimizes the risk of human error.

  • Growing support: Major players like Google, Apple, and Microsoft have already adopted passkey logins, which means more websites and apps are likely to follow suit. This could make passkeys the new standard for user authentication.

How passkeys work on different platforms

Passkeys are supported across major platforms including iOS, Android, Windows, and macOS, but there are some differences in implementation, such as:

  • On iOS and macOS, passkeys use the iCloud Keychain to sync across devices. Users can register a passkey on one device and seamlessly use it on another Apple device logged into the same iCloud account.
  • Android and Windows use Google Smart Lock and Microsoft Authenticator, respectively, to enable passkey syncing across devices. Backup and restore may require additional steps compared to Apple devices.
  • Browser support varies: Chrome, Firefox, and Safari allow passkey creation and sign-in, but only Chrome currently supports syncing passkeys across desktop browsers.

Passkeys are integrated into platform native apps like Settings and Passwords on Apple devices, while Android and Windows surface them in Authenticator apps.

Overall the main user workflow is consistent, but underlying sync and storage details differ. Users with devices across multiple platforms may experience more friction setting up passkeys everywhere initially.

Setting up and managing passkeys

To start using passkeys, users will need to register a passkey with each website or app:

On first sign-up, the site/app will prompt the user to register a passkey instead of creating a password. The user's device generates a fresh cryptographic keypair and shares the public key with the site/app, which associates this key with the user's account. The private key remains securely stored on the user's device - it is not shared externally during registration. Once registered, using a passkey to sign in involves:

  • Selecting the appropriate passkey from the list on your device when prompted to sign in.
  • Using biometric authentication like Face ID or a fingerprint, where available, to confirm it's really you.
  • Your device then uses the private key to complete the login challenge from the site/app.

Managing multiple passkeys well is important. Users should give each passkey a recognizable name during registration. Most platforms allow viewing, editing, and deleting registered passkeys. Backing up passkeys through built-in cloud sync or an external password manager is recommended.

Multi-device passkey support

While passkeys are initially tied to the device they are created on, platforms like Apple, Google, and Microsoft provide synchronization mechanisms that allow using passkeys across multiple devices:

Apple: Passkeys are synced via iCloud Keychain across Apple devices logged into the same iCloud account.

Google: Passkeys created in Android and Chrome can be synced through Google Smart Lock to other devices logged into the same Google Account.

Microsoft: Passkeys stored in Windows and Microsoft Authenticator can be synced across devices through a Microsoft account.

Backing up passkeys is important for multi-device access. If your primary device is lost or damaged, you can restore passkeys from iCloud Keychain or Google/Microsoft sync services and regain access to your passkey-protected accounts.

Some caveats: desktop browser passkey syncing is limited, and using passkeys across platforms (e.g. iOS and Android) may require re-registering passkeys on each device. Even so, multi-device convenience is still significantly better than with traditional passwords.

So what's the bad news about passkeys?

Like everything, each advantage of passkeys has a flip side:

  • Limited adoption: While passkey logins are gaining traction, not all websites and apps support them yet, so users may still need to use traditional passwords for some sites, although major account providers like Google, Apple, and Microsoft already offer some support for passkeys.

  • Device compatibility: Passkey logins are supported by a variety of devices, but they may not be compatible with all devices. For example, some older versions of Android do not currently support passkey logins.

  • Behavior change: Using passkey logins requires users to change their habits. They must remember to select the correct passkey for each site or app they use, and they may need to create and manage multiple passkeys.

Recapping passkeys

Overall, passkey logins have the potential to be a more secure and convenient alternative to traditional passwords once we get used to them and change our mental model away from passwords. However, users may still need to rely on passwords in some cases which can create a disjointed user experience, especially in the interim as account providers migrate to supporting passkeys.