Generated by DeepSeek V3.2

| Passkeys | |
|---|---|
| Name | Passkeys |
| Developer | FIDO Alliance, World Wide Web Consortium |
| Type | Public-key cryptography |
Passkeys are a modern authentication method that replaces passwords with cryptographic key pairs. Developed by the FIDO Alliance in collaboration with the World Wide Web Consortium, they build on the WebAuthn standard to enable passwordless sign-ins. The approach aims to eliminate common security vulnerabilities associated with password managers and phishing attacks by unlocking the credential locally with device-based biometrics or a PIN.
The fundamental principle relies on asymmetric cryptography, where a unique key pair is generated for each website or application. The private key remains securely stored on a user's device, such as a smartphone or security key, while the corresponding public key is registered with the online service. During authentication, the service sends a challenge that must be signed by the private key, a process typically unlocked locally via Touch ID, Windows Hello, or a hardware token. This model shifts security from shared secrets to cryptographic proof, significantly reducing risks from data breaches at companies like Facebook or Equifax. Major proponents include Apple, Google, and Microsoft, who have integrated support across their ecosystems including iOS, Android, and Windows 11.
Technically, creation and use are governed by the FIDO2 project standards, primarily CTAP and WebAuthn. When a user registers, their client device, such as an iPhone or YubiKey, generates a new credential bound to the relying party's domain name. This binding prevents credential misuse on fraudulent sites mimicking Bank of America or PayPal. The private key is never exported from its secure enclave, such as an Apple Secure Enclave or Google Titan chip. For cross-device authentication, systems may use QR code scans or Bluetooth to facilitate a login on an untrusted device using a passkey held on a trusted one, a process involving protocols like CAEP. Cloud synchronization of passkey metadata across devices via services like iCloud Keychain or Google Password Manager is a common convenience feature.
Security advantages are substantial, as passkeys are inherently resistant to server breaches, credential stuffing, and man-in-the-middle attacks. Since no secret is transmitted or stored on a remote server, incidents like the SolarWinds hack or Colonial Pipeline ransomware attack would not compromise authentication keys. Privacy is enhanced because each site gets a unique key pair, preventing tracking across different services like Amazon and The New York Times. The biometric data used for local unlock never leaves the user's device and is not shared with Netflix or GitHub. However, risks include physical device theft or coercion, mitigated by device PINs and rate limiting on unlock attempts.
Adoption has been driven by integration into major operating systems and web browsers. Apple introduced system-wide support starting with macOS Ventura and iOS 16, while Google enabled them for Google Accounts on Android and Chrome. Microsoft allows passkey use for Microsoft Accounts via Windows 11. Notable online platforms implementing support include eBay, Best Buy, PayPal, and GitHub. The FIDO Alliance continues to promote standards, with members like NIST providing guidelines. Challenges remain for legacy systems at institutions like the Internal Revenue Service or Bank of America, and user education is critical for widespread replacement of password-based logins.
Compared to traditional password-based authentication, passkeys remove the need for users to create, remember, or type complex strings, reducing human error. They are superior to two-factor authentication methods involving SMS or authenticator apps like Google Authenticator, which can be vulnerable to SIM swapping or phishing. Unlike single sign-on solutions from Facebook or Google, passkeys do not create a central dependency or tracking profile. While hardware security keys from Yubico offer similar security, passkeys provide greater convenience through built-in device integration and cloud sync, though this introduces a reliance on Apple, Google, or Microsoft ecosystems for backup and recovery.