Passkeys

Passkeys serve as a substitute for passwords, offering faster, simpler, and more secure logins across devices for users of websites and applications. Unlike traditional passwords, passkeys are resistant to phishing attacks, and they streamline account registration for both apps and websites.

Passkeys rely on public key cryptography for authentication instead of user-entered passwords. This is more secure because no password is being transferred to an application server. Instead, a public/private key pair is used to authenticate with a given app. The public key is stored on the app’s server, and the matching private key is stored on the user’s device.

The private key is never shared with the app itself.

How does it work?

When a user attempts to log in, the server issues a challenge that can only be answered by proving possession of the matching private key. Use of that key is gated by a device unlock mechanism such as biometrics or a device PIN. Once unlocked, the device signs the challenge with the private key and sends the signature back to the server, which validates it with the associated public key.

This all takes place behind the scenes, creating a more user-friendly experience.

Relying Party ID

The Relying Party ID (RP ID) is the domain to which passkeys are bound. Once bound to a domain, the RP ID can be used on its subdomains but not on other full domains.

Example case

Using the Relying Party ID boulangerie.com allows the credentials to be used on help.boulangerie.com, for example, but not on a different full domain such as boulangerie.fr. In a case like this, customers who operate several full domains would need a common login page for passkeys.

The RP ID ensures that the passkey is used only for the intended website or service, preventing phishing attacks.

This concept is standard across web, iOS, Android, and other platforms. Each platform implements the RP ID to verify the authenticity of the service requesting authentication.
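The scoping rule above, written out as an added example (not ReachFive's code): a check that a requested RP ID is acceptable for a given origin, and a helper that finds the broadest RP ID a host can choose so that all its subdomains share one set of passkeys. Real browsers consult the full Public Suffix List to refuse RP IDs such as "com"; the short PUBLIC_SUFFIXES set here is a constructed subset sufficient for the page's example.

```javascript
// Constructed subset of the Public Suffix List; browsers use the complete list.
const PUBLIC_SUFFIXES = new Set(['com', 'fr', 'uk', 'co.uk']);

// True when credentials bound to rpId may be used from origin: the origin must be a
// secure context, and its host must equal rpId or be a subdomain of it (label-aligned).
function isRpIdValidForOrigin(origin, rpId) {
  let url;
  try { url = new URL(origin); } catch (e) { return false; }
  const host = url.hostname;
  // WebAuthn is only available in secure contexts; localhost is the usual development exception
  if (url.protocol !== 'https:' && host !== 'localhost') return false;
  if (!rpId || PUBLIC_SUFFIXES.has(rpId)) return false;
  return host === rpId || host.endsWith('.' + rpId);
}

// The widest RP ID a host may register under: strip labels from the left until what
// remains is one label longer than a public suffix. help.boulangerie.com -> boulangerie.com
function broadestRpId(host) {
  const labels = host.split('.');
  for (let i = labels.length - 1; i >= 0; i--) {
    const suffix = labels.slice(i).join('.');
    if (!PUBLIC_SUFFIXES.has(suffix)) return suffix;
  }
  return null; // the host itself is a public suffix; no passkey can be bound to it
}

// Which of several login origins can share credentials bound to rpId (the page's example case)
function partitionOrigins(rpId, origins) {
  const usable = origins.filter((o) => isRpIdValidForOrigin(o, rpId));
  const rejected = origins.filter((o) => !usable.includes(o));
  return { usable, rejected };
}
```

Running partitionOrigins('boulangerie.com', [...]) over the page's domains puts help.boulangerie.com in usable and boulangerie.fr in rejected, which is exactly why a second full domain needs a common login page rather than its own passkeys.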

For more platform-specific details, see Passkeys on iOS and Passkeys on Android.

Discoverable and Non-discoverable logins

Both discoverable and non-discoverable logins are supported across the various operating systems and platforms, making them a universal aspect of passkey authentication.

Discoverable login

These are credentials that can be used without requiring any additional user input, like a username. They are associated directly with the user’s device and can be selected from a list of stored credentials.

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#00c24a', 'fontSize': '20px', 'noteBkgColor': '#c1c1c1', 'edgeLabelBackground':'#eee', 'tertiaryColor': '#e1e1e1'}}}%%
sequenceDiagram
    participant User
    participant Device
    participant ReachFive

    User->>ReachFive: Navigates to login page
    ReachFive->>Device: Requests discoverable credentials
    Device->>User: Prompts for biometric/PIN
    User->>Device: Provides biometric/PIN
    Device->>ReachFive: Sends public key credential
    ReachFive->>ReachFive: Verifies credential
    ReachFive->>User: Grants access

Non-discoverable login

These require the user to input additional information, such as a username, to locate and use the appropriate passkey.

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#00c24a', 'fontSize': '20px', 'noteBkgColor': '#c1c1c1', 'edgeLabelBackground':'#eee', 'tertiaryColor': '#e1e1e1'}}}%%
sequenceDiagram
    participant User
    participant Device
    participant Service

    User->>Service: Navigates to login page
    Service->>User: Prompts for username
    User->>Service: Enters username
    Service->>Device: Requests non-discoverable credentials
    Device->>User: Prompts for biometric/PIN
    User->>Device: Provides biometric/PIN
    Device->>Service: Sends public key credential
    Service->>Service: Verifies credential
    Service->>User: Grants access

FAQs

Can I use browsers other than Chrome on my smartphone?

You can create biometric credentials with browsers other than Chrome on Android and Safari on iOS. However, support for the WebAuthn and passkey standards may vary, and the experience may not be optimal.

Can I use a passkey created on Chrome desktop on my Android device?

As of 2024-09-06, no.

The passkey created on Chrome desktop can only be used on the same device.

Can I use a passkey created on one Android device on another Android device?

Yes.

Passkeys created on Android devices are synced using Google Password Manager. As long as the Android devices are connected to the same Google account, passkeys can be used on one device or the other.

Do I always have to create a passkey on the same device?

No.

You can register on a website by creating a passkey on a different device than the one you’re using. A QR code flow lets the device that should hold the passkey scan the code displayed by the first device.

Keep in mind that the device displaying the QR code and the one scanning it must be physically close, because Bluetooth communication between them is used to further secure the process.

Can I use a passkey created with Dashlane on all my devices?

Yes.

Dashlane handles complete synchronisation of the passkeys with all connected devices and browsers.

Can I use a passkey created with my iPhone on my other Apple devices?

Yes.

Apple synchronises your passkey using your iCloud Keychain, making the passkey available across all the devices connected to your Apple account. The passkey can then be used even though the biometrics authentication isn’t the same (e.g., Touch ID on Mac, Face ID on iPhone, Face ID or Touch ID on iPad, and so on).