What are Passkeys and How Do They Work?

For more than half a century, password-based authentication has been the de facto method for users to log in to applications and websites online. Day by day (and data breach by data breach), passwords have caused friction for end users, provided cybercriminals with ammunition to carry out their attacks, and burdened IT teams with help desk tickets. 

The growing adoption of passkeys has the potential to change all of this. This article will cover a basic definition of passkeys, detail how they work, and highlight both benefits and current drawbacks to help app developers make an informed decision of how to implement this passwordless login method in their apps.

What are passkeys?

Passkeys are a new way for users to sign up to apps or websites without using a password. End users interact with passkeys the same way they unlock their smartphones – with a fingerprint, face scan, pattern, or PIN. By replacing a knowledge-based credential with stronger and more user-friendly forms of authentication, passkeys provide increased security while also making the login process much easier.

Over the past few years, passkeys have been adopted by major tech companies such as:

• Apple, which announced passkey support for work environments at WWDC 2023.

• Google, which has announced passkey support for Chrome, Android, personal email accounts as well as Google Workspace.

• Microsoft, which supports this method through Windows Hello and other passwordless services.

• Shopify, which adopted this method to ease friction in the ecommerce shopping experience.

• PayPal, which introduced passkeys for more secure payment processes.

Visit this demo site to experience passkey authentication for yourself.

How does passkey authentication work?

Before covering a passkey authentication flow, it’s helpful to know a few concepts:

• Public key cryptography: This is an encryption technique that uses a public-private key pair to function. The public key is used to encrypt data and is stored on the server, while the private key is used to decrypt data and is stored on the user’s device. Think of cryptographic keys like a mailbox with different keys for the mailman and the homeowner. 

• WebAuthn: The web authentication API, shortened to WebAuthn, is an open standard that enables applications to authenticate users with possession-based and biometric authentication. Passkeys are based on WebAuthn and FIDO2 standards. 

• Biometric authentication: Biometric authentication is the process of validating a person’s identity using immutable factors such as fingerprints, facial scans, iris scans, or voice patterns. 

Passkey authentication can be divided into two processes (also known as ceremonies): registration and authentication.

Registration ceremony

This process occurs the first time a user creates a passkey for a particular account. This is when the public-private key pair is created and stored on the app and device respectively. The flow diagram below covers the registration ceremony:

1. The user starts the registration ceremony by choosing to authenticate with passkeys for the first time on an app.

2. The app gives the client (e.g. browser) the configurations to create a new credential. 

3. The client passes these configurations over to the authenticator. The authenticator can be external (like a FIDO2 security key) or a platform authenticator (like Apple Face ID, Apple Touch ID, or Windows Hello).

4. The authenticator requests the client for user verification and presence. 

5. The user completes verification (commonly done through biometric scans).

6. The authenticator now creates a public-private key pair and sends the public key to the client. The private key is stored by the authenticator.

7. The client sends the public key to the app for storage.

The user has now registered a passkey for the app. When the user next tries to log in on the same app, the authentication ceremony occurs.

Authentication ceremony

The flow diagram below shows how the authentication ceremony works:

1. The user starts the authentication ceremony by selecting passkeys as the login method.

2. The app gives the client (browser) an authentication challenge. 

3. The client passes this authentication challenge to the authenticator.

4. The authenticator requests the client for user verification.

5. The user completes verification using the method they selected during the registration ceremony (biometrics, pattern, PIN).

6. The authenticator signs the challenge using the private key created during the registration ceremony. It sends this signed challenge to the client.

7. The client provides the app with the signed challenge.

8. The app verifies the challenge with the public key.

9. If the challenge is verified, authentication is successful and the user is logged in.

Benefits of passkeys

When implemented thoughtfully, passkeys provide several benefits to end users and app developers alike:

• Enhanced security: Since passkey authentication works using public-private key pairs, there is no shared secret between the client and the server. This means attackers don’t have any credentials to steal. Even creating fake credential harvesting sites won’t work, since the private key on the user’s device will only work with the public key on the real app server. This makes passkeys virtually immune to phishing attacks.

• Better user experience: Millions of users are already familiar with device-based biometrics and PINs, since they use these mechanisms to unlock and interact with their devices every day. Since passkeys use the same process to log in to apps, they easily fit into users’ existing mental models. Not to mention, a swipe of a fingerprint is much faster than creating, remembering, and typing in a “strong” 16-character password.

• Frictionless MFA: Passkeys provide multi-factor authentication by checking the user’s device (possession) and biometrics (inherence) in one user-facing step. By enabling MFA without added friction, passkeys can pave the way to truly universal MFA adoption.  

• Privacy-first: Any mention of biometrics often brings up privacy concerns, but passkeys take care of that from the outset. A users’ biometrics never leave their device, so there is no way attackers can “steal” biometric data. Passkeys are also unique for every app and cannot be used to track users across sites.

Drawbacks of passkeys

Since passkeys are still early in their lifecycle, there are a few things app developers should consider before adoption:

• Compatibility: Although adoption grows by the day, passkeys will still take some time to be supported by all major browsers, sites, and platforms. It’s also not clear right now how users can transfer passkeys across devices from different providers (say when they move from an Android phone to an iPhone). 

• Implementation complexity: As easy as passkeys are for the end user, implementing them is not trivial for app developers. Compared to passwords and even other passwordless methods, passkey authentication has a lot more moving parts, testing, and validation involved. For this method to truly achieve widespread adoption, developers need the tools and resources to easily add this authentication method to their apps.

Drag-and-drop passkey authentication for your app

Want to add passkeys to your app? You can either build it in-house by learning the WebAuthn standard, spinning up FIDO servers, testing and validating the various flows, and handling errors. Or you can use Descope!

Our drag-and-drop authentication platform makes it very easy for developers to add passkeys to their apps with a few lines of code. Even customers of other identity providers such as Amazon Cognito and Auth0 can use Descope as a federated IdP to add biometrics to existing login processes.

Sign up for Descope on our “Free Forever” plan and get started with your passwordless journey today. Have questions? We’d love to have you over at AuthTown, our open user community for developers to learn about authentication.