Passkeys: Technical overview
Learn how passkeys use encryption and device-based keys to deliver strong, phishing-resistant authentication.
What are passkeys, and how do WebAuthn and FIDO2 support them?
A passkey is a digital credential that replaces passwords. Your device stores it securely and creates a unique key for each website or app. Instead of typing passwords, you just use your fingerprint, face, or PIN.
Passkeys work differently than traditional login methods. Your browser can find them automatically without needing a username first. This makes sign-in much faster.
WebAuthn is the browser technology that handles passkeys. FIDO2 is the security standard that makes it all work safely. When you use a passkey, it uses your device's hardware to verify your identity.
How passkeys work under the hood
The cryptographic flow from registration to authentication.
Create a key pair
When a user registers, their device creates a key pair: a private key that stays securely stored on the device, and a public key that is sent to the server.
Server storage
The server stores that public key along with user identifiers.
One-time challenge
To confirm it's really you, the server generates a one-time request that only your device can answer.
Signing
Using the private key stored securely on your device, the challenge is signed without ever exposing the key itself.
Verification
The server checks the signature against your stored public key, confirming your identity and completing the login.
This is why passkeys are phishing-resistant.
Even if someone is tricked into going to 'fake-bank.com', the browser checks the domain. The passkey for 'real-bank.com' simply won't work anywhere else.
Registration + Authentication
Passkeys are built on WebAuthn, using the credential creation flow for registration and the assertion flow for authentication. The steps below walk through each flow.
Registration
- Challenge initiation: Your application calls the authentication server's API to generate a cryptographic challenge.
- Device interaction: The browser invokes the WebAuthn API, prompting the user's authenticator.
- User verification: The device requires biometric authentication or PIN entry.
- Key generation: The device's secure hardware generates a unique public/private key pair.
- Attestation: The device creates an attestation statement proving the credential's origin.
- Storage: The private key remains in secure hardware; the public key is sent to the server.
Authentication
- Authentication request: The user initiates sign-in on your application.
- Challenge generation: The server creates a domain-specific cryptographic challenge.
- Credential discovery: The browser queries available passkeys for the current domain.
- User verification: The device prompts for biometric or PIN authentication.
- Digital signature: The device signs the challenge using the stored private key.
- Verification: The server validates the signature against the stored public key.
- Access granted: Successful verification completes the authentication flow.
This cryptographic model ensures domain binding, preventing passkeys from functioning on fraudulent sites even if users are socially engineered to visit them.
Types of passkeys
Passkeys come in different forms depending on how they are stored and used, from device-bound keys to cloud-synced ones, so you can choose what works best for you.
Device-bound passkeys
Device-bound passkeys stay only on the device where they were created. They're more secure since they never leave your hardware, but if you lose that device, you lose access to those accounts. You also can't use them on other devices.
Synced passkeys
Synced passkeys are backed up to cloud services like iCloud Keychain or Google Password Manager and work across all your devices. When you create a passkey on your phone, you can use it on your laptop too. This makes them convenient but means you're trusting the cloud provider to keep them secure.
Where passkeys work
Passkeys are supported across major browsers, devices, and operating systems. From desktops to mobile, you can sign in securely without worrying about compatibility.
Apple
- Full support on iOS 16+, macOS Monterey+
- iCloud Keychain provides seamless sync across Apple devices
- Safari offers complete WebAuthn implementation
Android
- Android 9+ with Chrome support
- Google Password Manager enables cross-platform sync
- Android 14+ allows third-party password manager integration
Windows
- Windows 10+ with Windows Hello integration
- Limited cross-device sync (improvements coming in Windows 11)
- Edge browser provides native WebAuthn support
Browsers
- Chrome: Full cross-platform support with Google Password Manager integration
- Safari: Complete implementation on Apple platforms
- Edge: Native support with Windows Hello integration
- Firefox: Basic WebAuthn support with limited passkey features
Cross-platform challenges
Currently, passkeys don't sync between different platform ecosystems. Users switching from iOS to Android must re-enroll passkeys. Google has introduced the first cross-platform sync solution, but broader interoperability remains limited.
| Category | Requirement | Technical details |
|---|---|---|
| Technical details | WebAuthn API compatibility | Chrome 67+, Firefox 60+, Safari 14+, Edge 18+ |
| Mobile platforms | iOS & Android requirements | iOS 16+ for passkey sync, Android 9+ with Play Services |
| Backup authentication | iOS & Android requirements | SMS, email, or recovery codes for device loss scenarios |
Frequently asked questions
How do passkeys work with existing password-based authentication systems?
Passkeys can be implemented alongside existing authentication methods. Users can gradually migrate from passwords to passkeys, or you can offer both options. The WebAuthn standard is designed to integrate with existing user management systems.
What happens if a user loses their device with their passkey?
Passkeys are automatically synced across devices within the same ecosystem (iCloud Keychain, Google Password Manager). For cross-platform scenarios, you'll need backup authentication methods like SMS, email verification, or recovery codes.
Are passkeys stored on our servers?
No, only public keys are stored on your servers. The private keys never leave the user's device and are stored securely on that device. This eliminates the risk of credential theft from server breaches.
How do we handle users switching between different ecosystems (iOS to Android)?
Cross-platform passkey sync isn't available yet. Users will need to re-register passkeys on new ecosystems or use backup authentication methods during the transition.
What's the performance impact of WebAuthn vs passwords?
WebAuthn ceremonies are typically faster than password validation since they eliminate server-side hashing. The main latency comes from user biometric verification, which is usually under 2 seconds.
Can we customize the passkey user experience?
The biometric prompt is controlled by the operating system, but you can customize the registration/authentication UI, error handling, and fallback flows in your application.