How Passkeys Work
FIDO's user authentication standards leverage public key cryptography techniques to provide user-friendly, phishing-resistant authentication that allows users to sign in with passkeys.
The following video shows passkeys in action.
Enrolling a passkey with the online service
To begin, the user registers a passkey with the online service. The initiation of registration typically happens either at the sign-in settings page (which the user self-discovers) or through a promotion of the setting to the user (for example, a call to action made to the user by the online service during sign-in).
The passkey registration process typically occurs after the user signs in to the online service account with an existing authentication method. The user approves creation of a passkey by unlocking their device when prompted. The passkey is stored in the user’s password manager (also often referred to as credential manager). If the user does not have a password manager installed, the default password manager which ships with the operating system is used. If the user has chosen to use a security key (hardware device), the passkey is stored on the security key rather than in the device’s password manager.
Passkeys can be synced across devices or stored with a credential manager or on a security key.
Sign in to the online service with a passkey
When the user attempts to sign-in to the online service, they see a prompt asking them to choose which account they want to use, and then a prompt to unlock their device (or their security key) using a biometric or local PIN. After the user is verified, they are signed-in to their online account. The browser, operating system, and the password manager (or security key) work together to make this a seamless experience.
Technical overview
At the registration step, the password manager (or security key) creates a cryptographic keypair that is unique to that particular account on that particular online service. The password manager (or security key) retains the private key and the public key is registered with the online service.
When the user attempts to sign in to the online service, the server sends a random challenge to the user’s device. The password manager (or security key) signs this challenge using the appropriate private key, after ensuring the user approves sign-in by unlocking the device. The signature is returned to the server which verifies the signature against the public key it has on record.
When the user installs the password manager on a new device, their private keys are synced to the new device. This allows the user to sign in to their online services from their new device.
If the user is using a security key to store their passkey, the private key does not sync, it stays on that particular security key device. To use a security key with a new device, the user can tap or plug in the security key to the new device.
Passkeys are secure by design
By design, a passkey is only presented to the site it was registered with. There is no way for the user to inadvertently type it on an attacker’s site. In addition, the online service does not have the equivalent of a password hash, which can be stolen from the server and cracked by an attacker to figure out the password. The online service only has the public key and it is not computationally feasible to extract the private key from the public key per the mathematics of cryptography.
Passkeys are private by design
A unique passkey is created for each domain and account. So there is no way for multiple online services to collaborate to track the user. The device unlock (using biometric or PIN) stays local. The online service only sees public keys and signatures from the user's device. For a person to use the private key, the password manager uses an API provided by the operating system to directly leverage the familiar, and private-by-design, device unlock that device operating systems have already been shipping for many years now.
Enroll a passkey with an online service
The following steps outline the process for a user to enroll a passkey with their online service account:
- The user accesses the app or website.
- The user receives a prompt from the online service to create a passkey or initiates passkey creation from their Account Settings.
- Using their device, the user verifies the passkey creation via a local authentication method such as biometrics, local PIN, or by touching their FIDO security key.
- The user’s device creates a new public/private key pair (passkey) unique to the local device, online service, and user’s account.
- A public key is sent to the online service and associated with the user’s account. Any information about the local authentication method (such as biometric measurements or templates) never leaves the local device.
Using a passkey for subsequent sign in
- The user receives a prompt on the client device to sign in with a passkey.
- Users with multiple accounts are asked to choose which account to use.
- The user receives a prompt to complete a local authentication method using biometrics, local PIN, or by touching their FIDO Security Key.
- The client device sends the signed challenge back to the service, which verifies it with the stored public key and signs the user in.