Passkeys: The Future of Web Authentication

Anil K · 6 min read

The dynamics of authentication keep evolving, and passkeys are making waves in the authentication space. They use a long-established cryptographic method, asymmetric (public-key) cryptography, to verify that a user is who they claim to be.

Passkeys aim to replace passwords as a way of authenticating a user to web services. The mechanism is simply a combination of cryptography and biometrics, which makes passkeys both more secure and more convenient than passwords.

Let's agree that passwords are a hassle — you need to remember them, type them, and change them frequently. They're also vulnerable to hacking, phishing, and data breaches. That's why many experts are predicting passwords will soon become obsolete, and a new technology called passkeys will take their place.

What are passkeys?

A passkey is a digital credential tied to a user account. Passkeys allow users to authenticate without entering a password — not even a username, or any additional authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords.

Passkeys are based on public-key cryptography, which works with a pair of keys: a public key and a private key. The public key is shared with the website or app; the private key is stored on the user's device, such as a smartphone or laptop. The private key is protected by a biometric sensor (fingerprint or facial recognition) or by a PIN or pattern.

Under the hood, passkeys are a user-friendly wrapping around the FIDO2 / WebAuthn standards that the browsers and platforms have been building towards for years.

How passkeys work in principle

Using a passkey has two stages: you first register the passkey with the service, and from then on you authenticate with it.

1. User registration

  1. User logs into an application and authenticates with an existing mechanism like username/password.
  2. User opts in to register a passkey as a way of authentication (the application must support passkeys).
  3. Application initiates the request and prompts the device to generate an asymmetric key pair.
  4. The user's device generates a key pair (public + private).
  5. The public key is sent to the application securely; this key is stored and mapped to the user account for future usage.
  6. The private key is stored on the user's device and secured with another authentication factor such as biometrics, PIN, or pattern — and it never leaves the device.
  7. The device also stores the user ID and the application identifier, mapped to the private key, for use during authentication.

2. Authentication

  1. User opens the website or mobile application.
  2. The user's device requests a challenge (random bytes) from the application.
  3. The device prompts the user to authenticate (biometrics, PIN, etc.) to unlock the passkey for that application.
  4. Once the user authenticates, the device signs the challenge with the user's private key.
  5. The device sends the signed challenge, application identifier, and user ID back to the application.
  6. The application cross-checks the user ID, application ID, and signed challenge.
  7. The application verifies the signed challenge against the user's public key stored on the application side.
  8. If the signature is valid, the user is authenticated and successfully signed in.

Because the challenge is tied to the origin (the application's identifier), a phishing site at a look-alike domain cannot trick the browser into signing for the real one — which is why passkeys are resistant to phishing in a way that passwords, and even SMS/OTP, fundamentally aren't.

How can I use passkeys?

Passkeys are still relatively new at broad scale, and not all websites and apps support them yet. However, major companies — Google, Apple, and Microsoft — are already shipping passkey support across their ecosystems:

  • Google — sign-in with a passkey to your Google account, synced across devices.
  • Apple — passkeys via iCloud Keychain, unlocked by Face ID or Touch ID.
  • Microsoft — passkeys managed through Windows Hello.

To use passkeys you need a device with a biometric sensor (fingerprint or camera) or at least a PIN or pattern lock, and a browser that supports WebAuthn — Chrome, Safari, Edge, and Firefox all qualify. When you visit a site that supports passkeys, it will offer to create one for your account. The next visit, you sign in with your biometric — no username, no password.

A growing directory of sites that support passkeys is maintained at passkeys.directory.

Why are passkeys better than passwords?

Security

Passkeys are more secure than passwords because they are unique for each user and each website or app. They cannot be reused, guessed, or stolen (unless someone steals the physical device and bypasses its local biometric). They're stored as a private key on the user's device and never shared with the server, which eliminates entire classes of breach — the most common password leak of the last decade (credential-stuffing from a third-party breach) simply doesn't apply.

Convenience

Passkeys are more convenient than passwords because they eliminate the need to remember and type passwords. Users sign in with a simple gesture: fingerprint, face, PIN, or pattern.

Privacy

Passkeys are more privacy-friendly than passwords because they don't reveal personal information about the user. The website or app only receives a public key — a random string of bytes — and learns nothing extra about the user, such as their name, email, or phone number.

Some disadvantages of passkeys

  • Limited compatibility: passkeys are not yet universally supported by websites and applications — adoption is growing but uneven.
  • Device compatibility: passkeys require specific hardware and software, which means not every older device is compatible.
  • Recovery complexity: if a user loses their device and isn't enrolled in a syncing platform (iCloud Keychain, Google Password Manager, Microsoft account), recovery can be harder than resetting a password.
  • Privacy concerns: some people are wary of using biometric data for authentication, even though the biometric itself never leaves the device.
  • User education: passkeys are new, and many users are not yet familiar with how they work — leading to confusion in the first-time flow.

Conclusion

Passkeys are a genuinely promising technology that could change how we authenticate. They are more secure, more convenient, and more privacy-friendly than passwords, and they could make our online lives easier and safer. Passkeys are still in the early stages, but they are expected to become more widespread and popular in the near future. Passkeys could be the key to a passwordless world.

If you want to dig into the underlying cryptography, the WebAuthn Level 3 spec at W3C is the authoritative reference — and for the asymmetric-key foundations that make all of this possible, my post on Certificate Lifecycle Management covers the same math in a different context.

Note: for any question or if you want to know more, do leave a comment below.