Hello, Passkeys World!

Learn what passkeys are and how they work through a brief introduction.


Passwords are the first line of defense, but they are no longer enough to protect data on the web. We can offer better user experience and security using passkeys. But what are passkeys? And why are they better than passwords?

Passwords Were Never Enough

We have been using passwords for centuries in one way or another. But passwords have always had a major problem since the beginning: they rely on human memory.

Not only do you have to remember your password, but you also have to create strong passwords to prevent others from guessing them. But what is a strong password? By today's standards, a strong password is very long, has letters, numbers, and symbols, and, most importantly, is unique.

The problem with having strong passwords that meet these criteria is that they are difficult, if not impossible, to remember. Asking users to create and remember unique, long passwords for every website where they have an account will only lead to password reuse. Most people reuse passwords. What happens when one of those reused passwords gets compromised or leaked? With less effort, an attacker can create more damage faster: one key opens many doors.

How do passwords usually get compromised? Two common ways are credential stuffing and phishing!

Credential stuffing is a type of cyberattack in which a cybercriminal uses stolen usernames and passwords from one organization (obtained in a breach or purchased on the dark web) to access user accounts at another organization. Credential stuffing attacks are among the most common causes of data breaches because most people reuse the same password across multiple accounts.

Phishing is a social engineering attack, generally delivered by email, that aims to steal the target's login credentials and other sensitive data, such as credit card information or ID scans, in order to steal their identity.

Does phishing actually work? Yes! Learn more on why phishing attacks work.

Enabling Multi-Factor Authentication (MFA) on an account can help us mitigate the damage an attacker can do if they get a hold of that account's password. You can use MFA with One-Time Passwords (OTP) or codes, authenticator apps, a security key, or your biometrics.

How can you reduce credential stuffing and phishing while improving the user experience and security? By getting rid of passwords. Passkeys can help you do this in one shot!

What are Passkeys?

According to the FIDO Alliance, passkeys are the replacement for passwords. Passkeys use public-key cryptography, are phishing- and breach-resistant, are discoverable by browsers, and can't be reused.

Unlike passwords, these credentials are entirely stored locally on your device, which in the context of passkeys is known as an authenticator, and it can be your computer, phone, security key, etc.

Credentials stored in your authenticator can be automatically retrieved by browsers when you navigate to a specific website. This discoverability feature simplifies authentication and prevents phishing since a fake website can't be associated with your credentials.

Passkeys Benefits

Passkeys bring improvements in security and user experience. Here are the key benefits:

  • Faster registration and login
    • With just a simple user interaction, like touching your device's fingerprint reader, the browser can create a passkey for the user on a supported device, simplifying the registration process.
  • Phishing-resistant
    • Passkeys leverage public and private key cryptography, eliminating the need to worry about credentials and reducing the risk of phishing, breaches, and account takeovers.
  • Breach-resistant
    • The private key is always stored on the authenticator (the user's device), while the relying party (the server) stores the public key. If a server is breached, there's no sensitive information an attacker can use to access user accounts.
  • Easier to use
    • Passkeys roam freely (metaphorically) between devices in the same ecosystem and are discoverable by browsers, making them easy to adopt. For example, passkeys stored in your Google Password Manager are available on devices with access to your Google account.
  • Multi-Device Availability
    • Passkeys can also perform cross-device authentication regardless of ecosystem or platform. This means you can simply use your Android phone as an authenticator for your Apple laptop. This method also uses Bluetooth to confirm that the devices are near each other, which keeps it secure.
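
The phishing-resistant and breach-resistant properties above come down to what the relying party checks at login. The following Node.js sketch is an added example, not code from the original article or from any passkey library: it simulates an authenticator and a server using the WebAuthn assertion layout. The domain `example.com`, the look-alike origin, and all function names are assumptions made for illustration.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Authenticator side (simulated): the private key stays inside this closure.
function createAuthenticator(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  let counter = 0;
  // `origin` is filled in by the browser, not by the page that requested the login.
  function getAssertion(challenge, origin) {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    const tail = Buffer.from([0x05, 0, 0, 0, 0]); // flags: user present + user verified
    tail.writeUInt32BE(++counter, 1);             // 4-byte signature counter
    const authenticatorData = Buffer.concat([sha256(rpId), tail]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
  }
  return { publicKey, getAssertion }; // only publicKey is ever sent to the server
}

// Relying party side: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(expected, publicKey, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  const authData = assertion.authenticatorData;
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  return verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: all domains, challenges, and keys are generated here.
function demo() {
  const newChallenge = () => randomBytes(32).toString('base64url');
  const rp = { rpId: 'example.com', origin: 'https://example.com', challenge: newChallenge() };
  const user = createAuthenticator(rp.rpId);
  const genuine = user.getAssertion(rp.challenge, rp.origin);
  // Pessimistic case: suppose an assertion were produced on a look-alike page.
  const phished = user.getAssertion(rp.challenge, 'https://login.example.test');
  // A party holding only the stored public key has to sign with some other key.
  const forged = createAuthenticator(rp.rpId).getAssertion(rp.challenge, rp.origin);
  return {
    genuine: verifyAssertion(rp, user.publicKey, genuine),
    phished: verifyAssertion(rp, user.publicKey, phished),
    forged: verifyAssertion(rp, user.publicKey, forged),
    replayed: verifyAssertion({ ...rp, challenge: newChallenge() }, user.publicKey, genuine),
  };
}
console.log(demo());
```

In a real browser the look-alike page would not be offered the credential at all, because the passkey is scoped to the relying party's domain; the server-side origin check is the second layer behind that.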

Types of Passkeys

Given that there are different types of authenticators, there are also different types of passkeys. As of today, an authenticator can create either a device-bound passkey or a synced passkey.

Passkeys that are bound to a single authenticator are called device-bound passkeys. An example is a passkey stored on a FIDO2 security key such as a YubiKey. These types of passkeys are more secure because the private key never leaves the authenticator, but they are slightly less convenient.

Synced passkeys are available on multiple devices and have a better user experience. The private key is end-to-end encrypted and synced to the cloud. For example, in the Apple ecosystem, the private key is synced to your iCloud Keychain, and you can register on one device and log in on any synced Apple device. The same goes for the Google ecosystem using the Chrome browser. You can also use a password manager like Bitwarden to store your passkeys. These kinds of passkeys can be restored on new devices, but they may be less secure than device-bound passkeys because users also need to protect access to their cloud environment.

Next Steps

You have briefly covered what passkeys are and how they can simplify, yet also improve, the security posture of your applications. Because passkeys are based on industry standards, their adoption is growing rapidly. You can also become an early adopter of this exciting technology:

See passkeys in action!

Visit the Passkeys Playground demo to understand how passkeys work under the hood for user sign-up and login. Learn how passkeys connect to WebAuthn and how to delete a passkey you have created.

Expand your passkeys knowledge

Explore a curated list of blog posts, videos, and workshops about the ins and outs of passkeys.

Free your users from remembering passwords.

Passkeys Playground is presented to you by Auth0 by Okta, a platform to make your login box awesome.
