How do passkeys work?
Cybercriminals are getting more sophisticated every day. Meanwhile, too many people are still protecting their accounts with "Password123."
One key area of cybercriminal activity is user account security, which is most often handled with a username/password combination. Combine that with uninformed users, and bad actors have a much easier time.
- Easy passwords.
- Repeated passwords.
- No multi-factor authentication.
Each of the above contributes to the problem.
Fortunately, there's a new security tool that is gaining popularity: passkeys. Passkeys are a replacement for passwords and use biometric authentication, like a fingerprint scan or facial recognition, to help lock down sensitive data with a more secure user verification process.
Passkeys are a secure, cryptographic method for authenticating users without passwords, offering better online security, safety, and ease of use. Once set up, passkeys are easier to use than passwords and far more secure, because their strength does not depend on the user choosing a good secret.
More and more websites are adopting this passwordless technology, including many big tech companies such as Google, Amazon, Apple, and Microsoft.
Passkeys are a form of passwordless authentication that replaces traditional passwords. They can be used on most operating systems within a password manager and leverage public key cryptography that has been under development for more than 10 years. The FIDO Alliance was founded in 2013 to shepherd and drive the technology, ensuring universal, open standards, and is supported by a long list of members and sponsors, including Bitwarden. Passkeys leverage the WebAuthn cryptographic protocols developed by the alliance, hailed as the gold standard in secure authentication.
At their core, passkeys are designed to replace passwords and are quite simple thanks to public key cryptography.
When a user registers for a new account on a website or app (that supports passkeys), they will be asked to create a passkey. When prompted, simply scan the provided QR code with a phone to automatically create the passkey.
That passkey consists of two keys: a public key and a private key. The public key is stored on the server, and the private key is stored on the user's device. Once a user creates the passkey, they’ll be prompted to use it to access that site. All that’s left to do is use fingerprint or facial biometrics on a phone to log in.
To sign in to a passkey-enabled website, the site sends a login challenge (a large random number), and the user's private key signs that challenge to produce a response. The website checks the signature against the public key it stored at registration to verify authenticity. Once the signature is confirmed, the website can grant access to the account.
Because each passkey is a pair of related asymmetric cryptographic keys, which are very long, random strings of characters, the authentication process is significantly more secure. The two keys differ from each other, but they are mathematically related: what one key encrypts, only the other can decrypt (the private key on the user's device, supported by most operating systems, and the public key on the server). That key pair is used to verify and authenticate the user.
Unlike a password, the key pair consists of a private key, which is kept securely on the device or in a password manager that supports passkeys (also called a passkey provider), and a public key, which is stored on the website the user is logging into. One of the most important properties of these key pairs is that the private key never leaves the device or passkey provider where it is stored, and the password manager keeps it locked behind biometrics, a PIN, or a password. The public key, on the other hand, could be shared with the world, for example in a website data breach, and security would still not be compromised so long as the private key remains secure.
Here’s a popular analogy to help understand asymmetric key pairs. The infographic below explains the steps for using a passkey and its key pair to verify a user’s authenticity when logging into a website.
Thanks to the public-private key pair, passkeys are far better equipped to prevent phishing attacks and better ensure user privacy.
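The challenge-response exchange described above, as an added example that is not part of the original article: the authenticator signs the server's random challenge together with the origin it is talking to (mirroring WebAuthn's client data), and the website verifies that signature with only the stored public key. The ES256 (P-256 with SHA-256) key type and the origins are assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewChallenge returns 32 random bytes; a real server stores it per login session.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Register simulates the authenticator creating a P-256 key pair (ES256); only the public key goes to the server.
func Register() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// signedData mirrors WebAuthn's client data: the challenge is bound to the origin
// the browser actually talked to, which is what makes the response phishing-resistant.
func signedData(origin string, challenge []byte) []byte {
	clientData := fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"%s"}`, challenge, origin)
	digest := sha256.Sum256([]byte(clientData))
	return digest[:]
}

// SignChallenge is the authenticator's response; the private key never leaves it.
func SignChallenge(priv *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// Verify is the website's check: rebuild the digest with its own origin and the
// challenge it issued, then verify the signature with the stored public key.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(origin, challenge), sig)
}

func main() {
	priv, pub, _ := Register()
	ch, _ := NewChallenge()
	sig, _ := SignChallenge(priv, "https://example.com", ch) // constructed origin
	fmt.Println(Verify(pub, "https://example.com", ch, sig), Verify(pub, "https://examp1e.com", ch, sig)) // true false
}
```

A response signed for a lookalike origin, or for a different challenge, fails verification, which is the property that makes a stolen server-side public key or a phishing page useless on its own.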
Bitwarden Password Manager supports creating and storing passkeys, making it easy to manage them.
Get started today with a free account or share with your team by starting a free business trial.
For developers, Bitwarden Passwordless.dev provides API frameworks to help you build discoverable FIDO credentials such as passkeys.