Overview
A password is something you know, and traditionally, along with a username, it’s what you use to log into a web application. A passkey, on the other hand, is something stored securely on your device. When you unlock your device (e.g., with a PIN, fingerprint, or facial recognition), it grants access to the passkey stored within the device’s secure hardware. This passkey is then used to authenticate your login to a web application. Crucially, the secure part of the login process (the private key) never leaves your device, ensuring that it remains protected even during authentication.
One of the most significant benefits of passkeys is that they are essentially phish-proof. A malicious website cannot trick you into revealing your credentials, nor can an attacker perform a man-in-the-middle attack to intercept your login.
Details
Technical
Passkeys consist of a pair of cryptographic keys that are unique to you and the service provider. The private key is stored securely on your device (usually in a Trusted Platform Module (TPM) or Secure Enclave) and is unlocked by a local verification method, such as a fingerprint, face recognition, or a PIN. The public key is stored by the service provider and is used to verify your identity when you log in.
Unlike a password, which can be stolen, guessed, or reused across multiple accounts (password statistics are alarming in this regard), a passkey is never “known” to the user. The private key is stored on your device in dedicated hardware, separate from system memory, and can only be used after biometric or PIN verification. Passkeys cannot be harvested from a compromised machine or stolen via phishing attacks. With passkeys, there is no shared secret.
Cloud Synchronization
While passkeys are securely stored on your device, they can be **exported and transferred** through secure cloud synchronization. This means that if you use multiple devices, your passkeys can be synced across them securely. This feature is particularly useful for device replacement or when using multiple devices regularly.
The National Institute of Standards and Technology (NIST) provides guidelines that support this approach. According to NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management, Supplement 1), cryptographic authenticators may support backup, recovery, and synchronization mechanisms, provided they maintain the same level of assurance. This allows passkeys to be securely synchronized across devices using encrypted cloud storage, ensuring both convenience and security.
It’s also important to note that because passkeys can be synchronized across devices, the loss of a single device does not result in the loss of access to your accounts. You can continue to authenticate using your passkeys on other devices.
Addressing Concerns
One potential weakness is device theft. However, this risk is mitigated because the passkey is stored in dedicated hardware that is resistant to brute-force attacks. TPMs or Secure Enclaves limit the number of incorrect access attempts before locking access to the passkey permanently. Therefore, unless the attacker also has your PIN or biometric data, your passkey remains secure. In this scenario, the risk is no worse than that of a lost or stolen password, especially one not protected by multi-factor authentication (MFA).
Since passkeys can be synchronized across devices, the loss of a single device does not result in the loss of access to your accounts. You can continue to use your passkeys on other devices, and they will be restored on the new device.
Switching providers is challenging because passkeys cannot be easily migrated between different ecosystems. This limitation can lead to a form of vendor lock-in, where users are tied to a particular provider’s devices and services unless they are willing to set up new passkeys for each service on the new device. This could impact user experience during device transitions and is an important consideration for long-term flexibility.
Types of passkeys
1. Platform Passkeys: Device bound, exclusive to the device on which it was created.
2. Synced Passkeys: Device and ecosystem bound, but will sync across devices.
3. Linked Passkeys: A device-bound passkey that is "shared" via Bluetooth, NFC, or QR code. The secret never leaves your device; this allows a user to use a passkey on a phone when logging into a website on a computer securely.
4. Roaming Passkeys: Passkeys stored on external hardware, such as YubiKeys. Cross-platform, but do not usually have biometric support.