What are passkeys and how do they work?
Passkeys are digital credentials tied to a user account and a website or application. They let users authenticate without entering a username or password or supplying an additional authentication factor. The technology is intended to replace legacy authentication mechanisms such as passwords.
When a user wants to sign in to a service that uses passkeys, their browser or operating system will help them select and use the right passkey. The experience is similar to how saved passwords work today. To make sure only the rightful owner can use a passkey, the system will ask them to unlock their device. This may be performed with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern.
To create a passkey for a website or application, a user must first register with that website or application. They can then follow these simple steps:
- Go to the application and sign in using the existing sign-in method.
- Click the Create a Passkey button.
- Check the information stored with the new passkey.
- Use the device screen unlock to create the passkey.
When they return to this website or app to sign in, they can take the following steps:
- Go to the application.
- Click Sign in.
- Select their passkey.
- Use the device screen unlock to complete the login.
The user's device generates a signature with the passkey's private key. The website or app verifies that signature with the public key it stored when the passkey was created, which proves that the login came from the registered passkey and was made for that origin. A user can sign in to services on any device using a passkey, regardless of where the passkey is stored. For example, a passkey created on a mobile phone can be used to sign in to a website on a separate laptop.
What are the benefits of using passkeys?
Passkeys offer several advantages over passwords for both users and service providers. Some of these benefits are:
Security: Passkeys use public key cryptography to ensure that only the user who owns the passkey can use it. Passkeys are also protected from unauthorized access and use by encryption and device unlock mechanisms. Passkeys provide robust protection against phishing attacks, unlike SMS or app-based one-time passwords. Each passkey is also unique to the service it was created for, so one compromised account cannot compromise any other account that uses a passkey.
Convenience: Passkeys eliminate the need for users to remember and manage passwords for different accounts. Users can sign in with a simple gesture, such as touching their fingerprint sensor or looking at their camera. Passkeys also enable seamless sign-in across devices: users can temporarily share their passkey with a new device by scanning a QR code or, on Apple devices, by using AirDrop.
Privacy: Passkeys do not reveal any personal information about the user, such as their email address or phone number. Passkeys also do not require any third-party verification service, such as an identity provider or an authentication server. All a service such as Google sees of the transaction is the generated signature and the public key.
How can I start using passkeys?
Passkeys are still in the early stages of development and adoption, but some major tech companies have already started implementing them in their products and services. Google rolled out passkey support for Google accounts starting in May 2023, marking “the beginning of the end” for passwords on Google accounts. Users can enable passkeys for their Google account by heading to the [passkey setup page](https://g.co/passkeys.com), signing in with their existing password, and clicking Use Passkeys on the Passkeys screen.
Apple has also begun using the technology in iOS 16 and the latest macOS release, and Microsoft supports it through the Authenticator app. Users can expect more websites and apps to support passkeys in the future.