Password-based authentication has been the default mode for many years. But who wants to remember the passwords for every website they register on? Most people use the same password in many places, something easy to remember. Password managers make it easier to autofill credentials, but they cannot overcome the security concerns present in the password-based authentication system by design. Enter Passkeys—passwordless authentication that is safer and easier to use. Like everything under the sun, passkeys have their pros and cons which we’ll discuss in this article. We’ll also explore how this authentication method works, how secure it is, and more. How do Passkeys Work? Passkeys utilize public key cryptography to generate an authentication flow instead of relying on a single string-based password. The user’s device generates a Public/Private key pair and sends the public key to the server which stores it and later uses the key to authenticate the user, while the private key is stored on the user’s device. Registration flow User’s device generates a Public/Private key pair bound to the web service. Public key is sent to the Web service and the Private key is stored on the user's device. Web service stores the Public key against the user in their database. Authentication flow Web service sends a challenge nonce to the Client. Users authenticate themselves locally using any method such as Biometrics, PIN, etc to access the private key. User device signs the challenge using the private key for that particular Web service. Web service receives the signed challenge and verifies it using the Public key. This ensures that the client device indeed has access to the private key. After successful verification, the Web service authenticates the user. Points to note Public/Private key pair is unique to every service/website. Public key is transmitted to the web service over the network only once during the registration. Private key stays on the user's device all the time and is never transmitted over the network. (Exception is when you sync the passkeys using a password manager) Signed payload generated by the user device is transmitted over the network, is session-specific, and changes every time the user authenticates. Passkey Security: Are They Really Better Than Passwords? Increased security usually means decreased ease of use but this is not true in the case of passkeys. They are easier to use once the registration phase is complete. There is no burden to remember the passwords, the authentication is quick, easy, and secure. Passkeys minimize the attack surface and eliminate several common password-related threats. Traditional passwords are typically stored in an encrypted format within a database. When you log in to a web service, your plaintext password is encrypted and compared to the stored version for authentication. However, this process exposes two major vulnerabilities: Database breaches Phishing attacks Database breaches are common, sadly. When a service’s data is stolen, it is often sold on the dark web. Malicious actors who have access to the data can try to break encryption offline, and with the computing power available today it could take from weeks to months depending on the encryption. Passkeys eliminate this threat as there are no passwords to store. In case of a leak, only the Public key is exposed which is of not much use to the malicious actors. In Phishing attacks, a clone of the target website is created and the user is tricked into entering their credentials mistaking it for a genuine site. This however also fails to work with Passkeys as there are no credentials to steal. Sophisticated Phishing attacks combined with Man in the Middle may still be operable but the attack surface is largely reduced. Types of Passkeys Single device or Device Bound Private key never leaves the device. Authentication can be done only on a specific device on which the private keys exist. Since the key exists only on a single device, the recovery path needs to be triggered in case access to the device is lost. Multi-Device or SyncedPrivate key is synced across user devices. Common options include using Google password manager, iCloud keychain etc. Keys are end-to-end encrypted which means the provider can not see or use your keys even though they store them. This enhances usability as users need to register only one device and can reuse the same keys across their devices. Are Passkeys Portable? As we already learned in the last section, Passkeys can be synced across devices so we know they are portable. You can use the passkeys on all of your devices as long as you are signed in with the provider (Google, iCloud). This begs the question of how to use passkeys on a device that does not belong to you—perhaps a Friend’s computer or one in the Library. Essentially any device that you just want to use a single time. Passkeys address this scenario as well. If both systems support passkeys, they can communicate via Bluetooth to share access. Here's a step-by-step breakdown of how it works: You open a website xyz.com on a Desktop where you don’t have a passkey. You can use the option to sign in with passkeys on a different device. Desktop will show you options for nearby available devices, or a QR code. You can select the device or scan the QR. After that, you can use your mobile device to authenticate yourself and allow the desktop to use the passkey from your mobile. Once authenticated, you also get an option to create a passkey on the desktop without going through the registration process. If opted, you will not need the mobile device next time onwards and a new set of passkeys will be created for the desktop. If you opt to use one time only, no new passkeys will be created. Passkey Adoption Passkeys are based on FIDO2 standards which combine the Client to Authenticator Protocol (CTAP) with the Web Authentication API (WebAuthn) and is a joint project between the FIDO alliance and W3C. These standardization efforts aim to increase adoption and proper implementation. Native support for passkeys is added by companies like Google, Apple Microsoft at the OS and Browser level which goes a long way in encouraging the adoption of Passkeys. Due to the long reliance on Passwords in the industry, it is not just a technical challenge to adopt passkeys but a psychological one as well. End users may initially feel uneasy about passkeys simply because they are accustomed to the familiarity of password-based systems. Even though passkeys are safer and easier to use than passwords, comfort with the known options wins over in most cases. User education is needed for passkeys to be adopted at a large scale, questions around recovery and ease of use will be there initially. On the other hand, companies may be reluctant to offer passkey authentication if they don’t see sufficient user adoption. In the public sector, governments can encourage adoption through policy changes. Conclusion Passkeys have the potential to revolutionize authentication. They are more secure, easier to use, and eliminate many threats associated with passwords. However, they come with their own challenges, such as account recovery and credential portability. A hybrid approach—combining passkeys with passwords—might be the next logical step. As real-world adoption grows, further debates and insights will help determine the best path forward toward a truly passwordless future. ** Password-based authentication has been the default mode for many years. But who wants to remember the passwords for every website they register on? Most people use the same password in many places, something easy to remember. Password managers make it easier to autofill credentials, but they cannot overcome the security concerns present in the password-based authentication system by design. Enter Passkeys—passwordless authentication that is safer and easier to use. Like everything under the sun, passkeys have their pros and cons which we’ll discuss in this article. We’ll also explore how this authentication method works, how secure it is, and more. How do Passkeys Work? Passkeys utilize public key cryptography to generate an authentication flow instead of relying on a single string-based password. The user’s device generates a Public/Private key pair and sends the public key to the server which stores it and later uses the key to authenticate the user, while the private key is stored on the user’s device. cryptography Registration flow Registration flow User’s device generates a Public/Private key pair bound to the web service. Public key is sent to the Web service and the Private key is stored on the user's device. Web service stores the Public key against the user in their database. User’s device generates a Public/Private key pair bound to the web service. Public key is sent to the Web service and the Private key is stored on the user's device. Web service stores the Public key against the user in their database. Authentication flow Authentication flow Web service sends a challenge nonce to the Client. Users authenticate themselves locally using any method such as Biometrics, PIN, etc to access the private key. User device signs the challenge using the private key for that particular Web service. Web service receives the signed challenge and verifies it using the Public key. This ensures that the client device indeed has access to the private key. After successful verification, the Web service authenticates the user. Web service sends a challenge nonce to the Client. Users authenticate themselves locally using any method such as Biometrics, PIN, etc to access the private key. User device signs the challenge using the private key for that particular Web service. Web service receives the signed challenge and verifies it using the Public key. This ensures that the client device indeed has access to the private key. After successful verification, the Web service authenticates the user. Points to note Points to note Public/Private key pair is unique to every service/website. Public key is transmitted to the web service over the network only once during the registration. Private key stays on the user's device all the time and is never transmitted over the network. (Exception is when you sync the passkeys using a password manager) Signed payload generated by the user device is transmitted over the network, is session-specific, and changes every time the user authenticates. Public/Private key pair is unique to every service/website. Public key is transmitted to the web service over the network only once during the registration. Private key stays on the user's device all the time and is never transmitted over the network. (Exception is when you sync the passkeys using a password manager) Signed payload generated by the user device is transmitted over the network, is session-specific, and changes every time the user authenticates. Passkey Security: Are They Really Better Than Passwords? Really Increased security usually means decreased ease of use but this is not true in the case of passkeys. They are easier to use once the registration phase is complete. There is no burden to remember the passwords, the authentication is quick, easy, and secure. Passkeys minimize the attack surface and eliminate several common password-related threats. Traditional passwords are typically stored in an encrypted format within a database. When you log in to a web service, your plaintext password is encrypted and compared to the stored version for authentication. However, this process exposes two major vulnerabilities: Database breaches Phishing attacks Database breaches Phishing attacks Database breaches are common, sadly. When a service’s data is stolen, it is often sold on the dark web. Malicious actors who have access to the data can try to break encryption offline, and with the computing power available today it could take from weeks to months depending on the encryption. Passkeys eliminate this threat as there are no passwords to store. In case of a leak, only the Public key is exposed which is of not much use to the malicious actors. Database breaches In Phishing attacks , a clone of the target website is created and the user is tricked into entering their credentials mistaking it for a genuine site. This however also fails to work with Passkeys as there are no credentials to steal. Sophisticated Phishing attacks combined with Man in the Middle may still be operable but the attack surface is largely reduced. Phishing attacks Phishing Types of Passkeys Single device or Device Bound Single device or Device Bound Private key never leaves the device. Authentication can be done only on a specific device on which the private keys exist. Since the key exists only on a single device, the recovery path needs to be triggered in case access to the device is lost. Private key never leaves the device. Authentication can be done only on a specific device on which the private keys exist. Since the key exists only on a single device, the recovery path needs to be triggered in case access to the device is lost. Multi-Device or Synced Private key is synced across user devices. Multi-Device or Synced Common options include using Google password manager, iCloud keychain etc. Keys are end-to-end encrypted which means the provider can not see or use your keys even though they store them. This enhances usability as users need to register only one device and can reuse the same keys across their devices. Common options include using Google password manager, iCloud keychain etc. Keys are end-to-end encrypted which means the provider can not see or use your keys even though they store them. This enhances usability as users need to register only one device and can reuse the same keys across their devices. Are Passkeys Portable? As we already learned in the last section, Passkeys can be synced across devices so we know they are portable. You can use the passkeys on all of your devices as long as you are signed in with the provider (Google, iCloud). This begs the question of how to use passkeys on a device that does not belong to you—perhaps a Friend’s computer or one in the Library. Essentially any device that you just want to use a single time. Passkeys address this scenario as well. If both systems support passkeys, they can communicate via Bluetooth to share access. Here's a step-by-step breakdown of how it works: Here's a step-by-step breakdown of how it works: You open a website xyz.com on a Desktop where you don’t have a passkey. You can use the option to sign in with passkeys on a different device. Desktop will show you options for nearby available devices, or a QR code. You can select the device or scan the QR. After that, you can use your mobile device to authenticate yourself and allow the desktop to use the passkey from your mobile. Once authenticated, you also get an option to create a passkey on the desktop without going through the registration process. If opted, you will not need the mobile device next time onwards and a new set of passkeys will be created for the desktop. If you opt to use one time only, no new passkeys will be created. You open a website xyz.com on a Desktop where you don’t have a passkey. You can use the option to sign in with passkeys on a different device. Desktop will show you options for nearby available devices, or a QR code. You can select the device or scan the QR. After that, you can use your mobile device to authenticate yourself and allow the desktop to use the passkey from your mobile. Once authenticated, you also get an option to create a passkey on the desktop without going through the registration process. If opted, you will not need the mobile device next time onwards and a new set of passkeys will be created for the desktop. If you opt to use one time only, no new passkeys will be created. Passkey Adoption Passkeys are based on FIDO2 standards which combine the Client to Authenticator Protocol (CTAP) with the Web Authentication API (WebAuthn) and is a joint project between the FIDO alliance and W3C. These standardization efforts aim to increase adoption and proper implementation. Native support for passkeys is added by companies like Google, Apple Microsoft at the OS and Browser level which goes a long way in encouraging the adoption of Passkeys. Due to the long reliance on Passwords in the industry, it is not just a technical challenge to adopt passkeys but a psychological one as well. End users may initially feel uneasy about passkeys simply because they are accustomed to the familiarity of password-based systems. Even though passkeys are safer and easier to use than passwords, comfort with the known options wins over in most cases. User education is needed for passkeys to be adopted at a large scale, questions around recovery and ease of use will be there initially. On the other hand, companies may be reluctant to offer passkey authentication if they don’t see sufficient user adoption. In the public sector, governments can encourage adoption through policy changes. Conclusion Passkeys have the potential to revolutionize authentication. They are more secure, easier to use, and eliminate many threats associated with passwords. However, they come with their own challenges, such as account recovery and credential portability. A hybrid approach—combining passkeys with passwords—might be the next logical step. As real-world adoption grows, further debates and insights will help determine the best path forward toward a truly passwordless future. **
