Passkeys are a modern authentication method designed to replace traditional passwords. Passkeys use cryptographic key pairs — public and private keys — to provide a more secure way to log in to websites and applications.
The private key is securely stored on the user’s device, typically within a hardware security module (HSM), trusted platform module (TPM), or a secure enclave, while the corresponding public key is stored on the service’s server.
By eliminating the need for passwords, passkeys help reduce the risk of phishing attacks, credential theft, and exposure of user credentials through password dumps. Passkeys often rely on the FIDO2 authentication standards, which provide a secure, passwordless login experience.
While Passwords Use Shared Secrets, Passkeys Use Asymmetric Cryptography - So They’re More Secure
Passwords rely on shared secrets: the same secret (the password) is known to both the user and the service. Because both parties store it, a leak or theft from either side compromises the account.
Passkeys, on the other hand, use asymmetric (public-key) cryptography, which involves a public-private key pair:
- A private key, which stays securely on the user’s device.
- A public key, which is stored by the service.
During login, the service sends a challenge (a random piece of data) to the user’s device. The device signs the challenge with the private key, and the signed response is sent back to the service. The service then verifies the signature using the public key, completing authentication without the user’s private key ever being revealed. This makes passkeys a more secure method since there is no shared secret that can be leaked in a data breach.
Why Passkeys Prevent Phishing
Because the private key never leaves the user’s device and cannot be typed in, traditional phishing attacks that trick users into entering credentials are ineffective. Additionally, passkeys are usually bound to the service’s own website (its domain), so they simply cannot be used on fraudulent sites.
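The challenge-response login described in the previous section, together with the domain binding described here, as an added Go example that is not part of the original page: the device holds a P-256 private key, the service stores only the public key and the domain it registered, and the signed data mixes in the domain so that an assertion produced for a look-alike site fails verification. The hashing of domain and challenge is a simplified stand-in for WebAuthn’s authenticator data and client data hash, and the domain names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device keeps the private key; Service holds only the public key plus the domain (relying-party ID).
type Device struct{ priv *ecdsa.PrivateKey }
type Service struct {
	pub  *ecdsa.PublicKey
	rpID string
}

// Register generates a P-256 key pair on the device and hands the service the public half.
func Register(rpID string) (*Device, *Service, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv}, &Service{&priv.PublicKey, rpID}, nil
}

// signedMessage binds a fresh challenge to a domain (simplified stand-in for WebAuthn signed data).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	msg := sha256.Sum256(append(h[:], challenge...))
	return msg[:]
}

// Sign signs for whatever domain the browser reports; Verify accepts only the service's own domain.
func (d *Device) Sign(seenRPID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, signedMessage(seenRPID, challenge))
}
func (s *Service) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, signedMessage(s.rpID, challenge), sig)
}

func main() {
	dev, svc, _ := Register("bank.example")
	challenge := make([]byte, 32) // random and single-use for this login attempt
	rand.Read(challenge)
	sig, _ := dev.Sign("bank.example", challenge)
	fmt.Println("genuine site:", svc.Verify(challenge, sig)) // true
	sig, _ = dev.Sign("bank-login.example", challenge) // constructed look-alike domain
	fmt.Println("look-alike site:", svc.Verify(challenge, sig)) // false
}
```

The service only ever holds the public key, so a breach of its database yields nothing that can produce a valid assertion.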
By adopting passkey technology, users and organisations gain stronger security and reduce the risk of credential-based cyber attacks - all while enjoying a smoother login experience.