How do passkeys work?

Passkeys are a built-in capability of all major operating systems and browsers that allow users to log in without a username and password, and even skip any two-factor authentication steps. Learn more about the technical details that make passkeys work below.

What is a passkey?

In technical terms, a passkey is a discoverable WebAuthn credential.
Discoverable
Discoverable means the credential contains information about the user (e.g. a user id) and, therefore, enables an authentication flow that does not require entering a username (or any other information). The user can just click on the “Sign in with a passkey” button and present a passkey to sign in.
WebAuthn
WebAuthn is – for the most part – a JavaScript browser API that enables websites to create and use WebAuthn credentials. The WebAuthn API gives websites access to the built-in client and authenticator technology of the browser and / or operating system (e.g. Windows Hello) as well as to physical security keys.
Credential
Credentials in the WebAuthn context are cryptographic private keys (i.e. the actual secrets that make passkeys so secure). For each private key there exists a matching public key that resides on the server and will be used to check signatures created with the private key. Both keys together are called a key pair. Each passkey is unique and bound to a username and a website or app, meaning a user will have at least as many passkeys as they have accounts, likely even more because there can be multiple passkeys per account (e.g. one passkey on an iPhone and one on a Windows PC, both for the same website and user).

Passkeys under the hood

Creating a passkey

Passkey creation can happen either when a new user registers for an account, or when an authenticated user decides to create a passkey for their existing account in the profile settings. Passkey creation is triggered on the client (e.g. a “Create a passkey” button), initiating a three-step sequence:
1. On behalf of the user, the client (a web app running in the browser or a native app) requests a random challenge from the server.
2. The client then calls the WebAuthn API with credentials.create(challenge), handing over the challenge, which results in a key pair – a private and a public key – being created on the device (usually a phone or computer, called the “authenticator” in the WebAuthn context). The private key (i.e. the passkey) is used to sign the challenge and is stored on the user’s device inside secure hardware such as a TPM or secure enclave. The matching public key, a credential ID, and the signed challenge are returned by the function. The user may be prompted for verification with a biometric or a PIN during this step.
3. To finalize passkey registration, the client now sends the public key, the credential ID, and the signed challenge back to the server. The server associates the public key and the credential ID with the user for future authentication flows and checks the validity of the operation by verifying the signed challenge with the public key.

Authenticating with a passkey

Unlike a password, which has to be sent to the authenticating server, a passkey never leaves the user’s device in order to sign the user in. Instead, the passkey is used locally to create a unique cryptographic signature that proves to the server that it was created with that passkey. The sequence for passkey authentication is, again, triggered by the user on the client (“Sign in with a passkey” button):
1. The client requests a random challenge from the server.
2. The client calls the WebAuthn API with credentials.get(challenge), which prompts the user for verification with a biometric or a PIN and uses a stored passkey to sign the challenge. The signed challenge, the username, and the credential ID of the passkey that was used are returned by the function.
3. To finalize passkey authentication, the client sends the signed challenge, the username, and the credential ID back to the server. The server checks whether the username and credential ID are known and, if so, looks up the stored public key to check the validity of the signed challenge. If the signed challenge is successfully verified with the public key, the server can safely assume that the user was in possession of the passkey and create a session or hand out an authorization token.

Who’s behind passkeys?

The FIDO Alliance is a consortium of hundreds of organizations worldwide whose goal is to improve online security. It was founded in 2011 and has put out a number of notable specs that have found their way into the hands of billions of users. The first success was FIDO U2F, a protocol for a phishing-proof second factor (mostly physical security keys) that is widely supported and has been rolled out at almost all major identity providers. As U2F still relies on passwords for the first authentication factor, the FIDO Alliance decided to go one step further and develop a system capable of combining the proof-of-possession factor of U2F with the device’s unlock mechanisms and biometrics. This is how WebAuthn was born.

Try it yourself with the passkey demo