Passkeys
A passkey is a FIDO2 and WebAuthn credential, a public and private key pair bound to a specific website, that signs in a user without a password and without any shared secret stored on the server.
Also: passkey, discoverable credential, multi-device FIDO credential
A passkey is a credential created with the FIDO2 and WebAuthn standards. When a user registers, their device generates a public and private key pair that is bound to the website’s origin. The site stores only the public key. The private key stays inside the device’s authenticator and is never sent to the server, so there is no password or shared secret that can be phished or stolen in a breach.
Signing in is a challenge-response exchange: the site sends a fresh challenge, the authenticator signs it with the private key after a local check such as a fingerprint, face, or device PIN, and the site verifies the signature with the stored public key. Because the credential is scoped to the site's origin, the authenticator will not use it on a lookalike phishing site, so a passkey cannot be phished or replayed there.
Passkeys come in two forms. Synced passkeys are backed up and shared across a user’s devices through a platform credential manager such as those from Apple, Google, or Microsoft. Device-bound passkeys, including those on hardware security keys, never leave the device that created them.
For Customer Identity and Access Management, passkeys remove the password from the customer sign-in flow. That reduces account takeover from credential stuffing and phishing, removes the cost of password resets, and tends to raise sign-in completion. A CIAM platform typically offers passkeys as a primary login option alongside fallbacks for users whose devices do not yet support them.
Sources
- W3C Web Authentication Level 2: https://www.w3.org/TR/webauthn-2/
- FIDO Alliance, Passkeys: https://fidoalliance.org/passkeys/
Standards
- W3C Web Authentication (WebAuthn) Level 2
- FIDO2 CTAP2