Passkey Basics
What is a Passkey?
Passkey is a modern authentication method that replaces traditional passwords with cryptographic keys. It enhances security by using public key cryptography, making it resistant to phishing and credential theft. Passkeys are designed to be user-friendly, allowing users to authenticate with a simple gesture, such as a fingerprint or facial recognition, without the need to remember complex passwords.
Passkeys are based on the WebAuthn standard, which is supported by major browsers and platforms. They can be used for both web and native applications, providing a seamless and secure authentication experience across devices.
Passkeys are stored securely on the user's device, and they can be used across different platforms and devices, making them a versatile solution for modern authentication needs. They are designed to work with both web and native applications, allowing users to authenticate seamlessly across different environments.
Benefits of Using Passkeys
- Enhanced Security: Passkeys use public key cryptography, which is more secure than traditional passwords. They are resistant to phishing attacks and credential theft.
- User-Friendly: Passkeys eliminate the need for users to remember complex passwords. Authentication can be done with a simple gesture, such as a fingerprint or facial recognition.
- Cross-Platform Compatibility: Passkeys can be used across different platforms and devices, providing a consistent authentication experience for users.
- Seamless Integration: Passkeys can be easily integrated into existing applications and workflows, allowing developers to enhance security without disrupting user experience.
- Future-Proof: As the industry moves towards passwordless authentication, passkeys are a forward-looking solution that aligns with modern security standards and practices.
How Passkeys Work
Passkeys work by leveraging public key cryptography to authenticate users. When a user registers for a service using a passkey, a key pair is generated: a public key and a private key. The public key is stored on the server, while the private key remains securely on the user's device.
During authentication, the server sends a challenge to the user's device. The device uses the private key to sign this challenge and sends the signed response back to the server. The server then verifies the signature using the stored public key. If the verification is successful, the user is authenticated.
This process ensures that:
- The private key never leaves the user's device
- Each authentication request is unique (due to the challenge)
- Only the device with the correct private key can generate valid signatures
- The server can verify authenticity without storing sensitive credentials
Registration Flow
- User Initiates Registration: User requests to register a new passkey
- Challenge Generation: Server generates a unique challenge and sends it to the client
- Key Pair Creation: User's device creates a new public-private key pair
- User Verification: Device prompts for user verification (fingerprint, face, PIN, etc.)
- Attestation: Device signs the challenge and public key information
- Server Storage: Server verifies the attestation and stores the public key
Authentication Flow
- User Initiates Login: User attempts to authenticate
- Challenge Request: Server generates and sends a challenge to the device
- Signature Creation: Device uses the private key to sign the challenge
- User Verification: Device verifies the user's identity locally
- Response Validation: Server verifies the signature using the stored public key
- Access Granted: If verification succeeds, user is authenticated
Common Passkey Terminology
Core Concepts
| Term | Definition |
|---|---|
| Passkey | A cryptographic credential that replaces passwords, consisting of a public-private key pair |
| WebAuthn | Web Authentication API standard that enables passwordless authentication on the web |
| FIDO2 | A set of standards that includes WebAuthn and CTAP (Client to Authenticator Protocol) |
| CTAP | Client to Authenticator Protocol - enables communication between devices and authenticators |
Authentication Components
| Term | Definition |
|---|---|
| Relying Party (RP) | The application or service that relies on the authenticator to verify user identity |
| Authenticator | The device or software that generates and manages passkeys (e.g., smartphone, security key) |
| User Agent | The browser or application that facilitates communication between RP and authenticator |
| Platform Authenticator | Built-in authenticator (TouchID, FaceID, Windows Hello) |
| Roaming Authenticator | External security key that can be used across multiple devices |
Technical Terms
| Term | Definition |
|---|---|
| Credential ID | Unique identifier for a specific passkey credential |
| Public Key | Cryptographic key stored on the server to verify signatures |
| Private Key | Secret key stored securely on the user's device, never shared |
| Challenge | Random data sent by the server to prevent replay attacks |
| Attestation | Cryptographic proof that a credential was created by a genuine authenticator |
| Assertion | Cryptographic proof that the user possesses the private key during authentication |
| RP ID (Relying Party Identifier) | Domain identifier that determines the scope of passkey validity |
| Origin | Complete URL including protocol, domain, and port where the authentication request originates |
User Experience Terms
| Term | Definition |
|---|---|
| User Verification | Process of confirming the user's identity (biometric, PIN, etc.) |
| User Presence | Confirmation that a user is physically present during authentication |
| Resident Key | Passkey stored on the authenticator device itself |
| Discoverable Credential | Credential that can be found without providing a username |
Understanding RP ID vs Origin
One of the most important concepts to understand when implementing passkeys is the difference between RP ID (Relying Party Identifier) and Origin. These two values work together to ensure secure passkey operations but serve different purposes.
RP ID (Relying Party Identifier)
The RP ID is a domain identifier that determines the scope of passkey validity. It defines which domains can use a particular passkey credential.
Key Characteristics:
- Must be a valid domain name (e.g.,
example.com) - Cannot include protocol, port, or path
- Determines passkey scope and sharing across subdomains
- Used during both registration and authentication
Examples:
Valid RP IDs:
- example.com
- auth.example.com
- login.mycompany.org
Invalid RP IDs:
- https://example.com (includes protocol)
- example.com:8080 (includes port)
- example.com/login (includes path)
Origin
The Origin is the complete URL identifier that specifies exactly where the authentication request is coming from.
Key Characteristics:
- Includes protocol (https://)
- Includes domain name
- Includes port (if non-standard)
- Must match exactly during authentication
- Provides precise security context
Examples:
Valid Origins:
- https://example.com
- https://auth.example.com
- https://example.com:8443
- https://login.mycompany.org
Relationship and Rules
The relationship between RP ID and Origin follows specific rules:
- Origin must be HTTPS (except for localhost during development)
- RP ID must be a suffix of the Origin's hostname
- RP ID cannot be a public suffix (e.g.,
.com,.co.uk)
Valid Combinations:
| Origin | RP ID | Valid? | Reason |
|---|---|---|---|
https://example.com | example.com | ✅ | Perfect match |
https://auth.example.com | example.com | ✅ | RP ID is suffix of origin hostname |
https://auth.example.com | auth.example.com | ✅ | Perfect match |
https://example.com:8080 | example.com | ✅ | Port doesn't affect RP ID |
Invalid Combinations:
| Origin | RP ID | Valid? | Reason |
|---|---|---|---|
https://example.com | different.com | ❌ | RP ID not related to origin |
https://auth.example.com | badexample.com | ❌ | RP ID not a suffix |
https://example.com | com | ❌ | RP ID is a public suffix |
http://example.com | example.com | ❌ | Non-HTTPS origin (except localhost) |
Practical Implications
For Single Domain Applications
// Simple case: single domain
Origin: "https://myapp.com"
RP ID: "myapp.com"
// Passkeys work only on myapp.com
For Multi-Subdomain Applications
// Shared across subdomains
Origin: "https://auth.myapp.com"
RP ID: "myapp.com"
// Passkeys can be used on any *.myapp.com subdomain
For Development
// Development environment
Origin: "http://localhost:3000"
RP ID: "localhost"
// HTTP allowed only for localhost
Security Considerations
Origin Validation:
- Browsers automatically validate that the origin matches the requesting page
- Prevents malicious sites from using passkeys intended for other domains
- Each authentication request is bound to the specific origin
RP ID Scope:
- Determines which domains can share passkey credentials
- Broader RP ID (e.g.,
example.com) allows subdomain sharing - Narrower RP ID (e.g.,
auth.example.com) restricts to specific subdomain
Best Practices:
- Use the most specific RP ID that meets your needs
- For multi-subdomain apps, use the parent domain as RP ID
- For single-domain apps, use the exact domain as RP ID
- Always use HTTPS in production environments
- Test RP ID/Origin combinations thoroughly during development
Types of Authenticators
Platform Authenticators
Platform authenticators are built into devices and provide convenient, secure authentication:
- Mobile Devices: TouchID, FaceID (iOS), Fingerprint sensors (Android)
- Computers: Windows Hello, TouchID (Mac), Built-in fingerprint readers
- Benefits: Always available, integrated user experience, high security
Roaming Authenticators
External security keys that can be used across multiple devices:
- USB Security Keys: YubiKey, Google Titan Key
- NFC Keys: Contactless security keys for mobile devices
- Bluetooth Keys: Wireless security keys
- Benefits: Portable, high security, works across devices
Security Features
Phishing Resistance
- Origin Binding: Passkeys are bound to specific domains, preventing use on malicious sites
- No Shared Secrets: Private keys never leave the device, eliminating credential theft risk
- Challenge-Response: Each authentication uses unique challenges, preventing replay attacks
Privacy Protection
- No Tracking: Each passkey is unique per service, preventing cross-site tracking
- Local Storage: Biometric data and private keys remain on the user's device
- Minimal Data: Only necessary public key information is shared with services
Cryptographic Strength
- Modern Algorithms: Uses industry-standard cryptographic algorithms (ECDSA, RSA)
- Key Length: Typically 256-bit keys providing strong security
- Hardware Protection: Keys often stored in secure hardware elements
Browser and Platform Support
Desktop Browsers
- Chrome: Full WebAuthn support across platforms
- Firefox: Complete implementation with ongoing improvements
- Safari: WebAuthn support with TouchID integration on macOS
- Edge: Native Windows Hello integration
Mobile Platforms
- iOS: Native support with TouchID/FaceID integration
- Android: Google Play Services enables passkey functionality
- Cross-Device: Passkeys can sync across devices within the same ecosystem
Operating Systems
- Windows: Windows Hello provides platform authenticator capabilities
- macOS: TouchID integration for web and native applications
- Linux: Growing support through various implementations
Best Practices for Implementation
For Developers
- Progressive Enhancement: Implement passkeys alongside existing authentication methods
- Fallback Options: Provide alternative authentication for unsupported devices
- User Education: Help users understand passkey benefits and usage
- Testing: Test across different devices and browsers for compatibility
For Users
- Enable Screen Lock: Ensure device has PIN, password, or biometric protection
- Keep Devices Updated: Use latest OS versions for security and compatibility
- Backup Strategy: Understand how passkeys are backed up and restored
- Multiple Authenticators: Register multiple devices for redundancy
Migration from Passwords
Gradual Transition
- Hybrid Approach: Allow both passwords and passkeys during transition period
- User Choice: Let users opt-in to passkey authentication
- Education: Provide clear information about passkey benefits
- Support: Offer assistance for users adopting new technology
Account Recovery
- Multiple Options: Provide various recovery methods for account access
- Backup Authenticators: Encourage registration of multiple authenticators
- Support Channels: Maintain traditional support options during transition
Conclusion
Passkeys represent a significant advancement in authentication technology, offering enhanced security, improved user experience, and resistance to common attacks. By understanding the basic concepts, terminology, and implementation considerations, organizations can successfully adopt this technology to provide better security for their users while maintaining usability.
The transition to passkeys is part of a broader movement toward passwordless authentication, driven by the need for stronger security and better user experiences. As browser support continues to improve and user familiarity grows, passkeys are positioned to become the standard authentication method for web and mobile applications.