
What are Passkeys?

Tags: Passwordless authentication, FIDO2 credentials, WebAuthn credentials

Passkeys are a passwordless authentication method that replaces the traditional username and password combination with a pair of cryptographic keys, where one key is stored securely on the user's device and a corresponding public key is registered with the service the user wants to access.

When a user registers a passkey with a website or application, the device generates two mathematically linked keys. The public key is sent to and stored by the service. The private key never leaves the device and is protected by the device's secure hardware, such as a TPM chip or Secure Enclave. When the user returns to log in, the service sends a cryptographic challenge that only the private key can answer. The user verifies their identity using the device's built-in authentication method, which can be a fingerprint sensor, facial recognition, or a PIN. The private key signs the challenge, the signature is sent back, and the service confirms it matches the public key on record. No password is transmitted or stored anywhere.

This architecture addresses several long-standing problems with passwords. Because no shared secret is sent over the network, there is nothing for an attacker to intercept in transit. Because the service only holds a public key that cannot be reversed to reveal credentials, a breach of the service's database exposes nothing that an attacker can use to log in. Phishing attacks are also rendered ineffective, since passkeys are cryptographically bound to the specific domain they were created for and cannot be submitted to a fraudulent lookalike site.

Passkeys are built on the FIDO2 standard and its underlying web specification, WebAuthn, developed by the FIDO Alliance and the World Wide Web Consortium. Major platform providers including Apple, Google, and Microsoft have integrated passkey support into their operating systems and browsers, meaning passkeys can sync across a user's devices through their respective cloud ecosystems, for example via iCloud Keychain or Google Password Manager.

From an end-user perspective, passkeys reduce authentication to a biometric gesture or device unlock, eliminating the need to remember, rotate, or recover passwords. From a security perspective, they remove the category of credential-based attacks entirely rather than attempting to mitigate it. Passkeys represent a shift in how identity verification works online, moving from something a user knows to something a user possesses and can verify locally on their device.
