100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Passkeys

BeginnerTechnique4.3K learners

Passkeys are a passwordless authentication method based on public-key cryptography that lets users sign in to websites and apps using a device-bound credential unlocked by biometrics (fingerprint, face) or a PIN, instead of typing a…

Definition

Passkeys are a passwordless authentication method based on public-key cryptography that lets users sign in to websites and apps using a device-bound credential unlocked by biometrics (fingerprint, face) or a PIN, instead of typing a traditional password.

Overview

Passkeys are built on the WebAuthn and FIDO2 standards developed by the FIDO Alliance and W3C, and were popularized through a joint push by Apple, Google, and Microsoft starting around 2022 to make phishing-resistant authentication mainstream for ordinary consumers, not just enterprise security deployments. When a user creates a passkey for a site, their device generates a unique public/private key pair: the private key never leaves the user's device (or its secure hardware enclave), while the public key is registered with the website's server. Logging in involves the server sending a cryptographic challenge that the device signs with the private key, unlocked locally via Face ID, Touch ID, Windows Hello, or a PIN — no secret ever travels over the network or is stored on the server. This design eliminates entire classes of attacks that plague passwords: there's nothing to phish (the private key can't be typed into a fake site, and passkeys are cryptographically bound to the legitimate origin), nothing to leak in a server-side data breach (only public keys are stored server-side), and nothing to reuse across sites (each passkey is unique per service). Passkeys can sync across a user's devices via platform cloud services (iCloud Keychain, Google Password Manager, Windows Hello) using end-to-end encryption, so losing a single device doesn't lock a user out, and cross-device sign-in is supported by scanning a QR code with a phone that holds the passkey. Adoption has accelerated rapidly since 2022, with major platforms — Google, Apple, Microsoft, GitHub, PayPal, Amazon, and many banks — offering passkey sign-in, often alongside (rather than fully replacing) passwords during the transition period. Passkeys are generally considered the most significant advancement in mainstream consumer authentication since the widespread adoption of two-factor authentication, directly addressing password reuse and phishing, the two leading causes of account compromise.

Key Concepts

  • Based on public-key cryptography via the WebAuthn/FIDO2 standards
  • Private key never leaves the user's device or secure hardware enclave
  • Unlocked locally via biometrics (Face ID, Touch ID, Windows Hello) or device PIN
  • Cryptographically bound to a specific website origin, making them phishing-resistant
  • Server only stores a public key, so data breaches can't expose usable credentials
  • Sync across devices via encrypted platform cloud services (iCloud Keychain, Google Password Manager)
  • Cross-device sign-in supported via QR code scanning with a phone holding the passkey
  • Backed jointly by Apple, Google, and Microsoft as part of the FIDO Alliance's push

Use Cases

Passwordless sign-in for consumer apps and websites
Phishing-resistant authentication for high-value accounts (banking, email)
Reducing account takeover from credential stuffing and reused passwords
Enterprise passwordless authentication alongside single sign-on
Simplifying login UX on mobile devices via biometric unlock
Meeting regulatory pushes toward multi-factor and phishing-resistant authentication

Frequently Asked Questions