Passkeys

Passkeys are a substitute for passwords that give users faster, simpler and more secure logins to websites and applications across their devices. Unlike traditional passwords, passkeys are more secure and resistant to phishing attacks. They also streamline account registration for both apps and websites.

Passkeys rely on public key cryptography for authentication instead of user-entered passwords. This is more secure because no password is ever sent to the application server. Instead, a public/private key pair is used to authenticate with a given app. The public key is stored on the app’s server, and the matching private key is stored on the user’s device.

The private key is never stored with the app itself; it stays on the user’s device.

Passkey flow

When a user attempts to log in, the server issues a challenge that can only be answered by proving possession of the corresponding private key. Access to that key is typically gated by a device unlock mechanism such as biometrics or a device PIN. Once the device is unlocked, the private key signs the challenge, and the signed response is sent back to the server, which validates it with the associated public key.

This all takes place behind the scenes, creating a more user-friendly experience.

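The challenge-response flow and the split between server-side public key and device-side private key described above, as an added example that is not part of this page: a simplified Go illustration using Ed25519, not the actual WebAuthn/FIDO2 message format. The server type, the user name and the site identity `example.com` are assumed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server stores only each user's registered public key and its outstanding challenges.
type Server struct {
	rpID    string                       // site identity the signature is bound to (assumed value)
	creds   map[string]ed25519.PublicKey // user -> public key; no private key is held here
	pending map[string]bool              // challenges issued and not yet answered
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, creds: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register keeps the public key; the private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.creds[user] = pub }

// IssueChallenge returns fresh random bytes the device must sign.
func (s *Server) IssueChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// SignChallenge is the device side: after the user unlocks (biometric or PIN), the private
// key signs the challenge bound to the site identity, so a look-alike site cannot reuse it.
func SignChallenge(priv ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(rpID), challenge...))
}

// Verify checks the signature with the stored public key, then consumes the challenge.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.creds[user]
	if !ok || !s.pending[string(challenge)] {
		return errors.New("unknown user, or unknown/already used challenge")
	}
	if !ed25519.Verify(pub, append([]byte(s.rpID), challenge...), sig) {
		return errors.New("signature does not match registered public key")
	}
	delete(s.pending, string(challenge))
	return nil
}
```

Because the challenge is consumed on success, replaying a captured response fails, and because the site identity is part of the signed data, a signature produced for a different site is rejected.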