Resources User's Guide to Passkeys

A User's Guide to Passkeys

Everything you need to get started with passkeys: what they are, how they work and how to use them

What Are Passkeys?

Passkeys are a digital credential that can be used to log into websites and applications. Based on FIDO (Fast IDentity Online) standards, passkeys were designed to provide a secure, user-friendly method of authentication that does not use any passwords.

By removing the need for passwords, passkeys can make your login experience easier and more secure. Passkey authentication eliminates credential stuffing and other attacks that use stolen or cracked passwords. It also protects you against phishing sites as the passkey is linked to a specific website or application.

Passkey authentication requires either biometric authentication, such as a fingerprint or facial recognition, a PIN or a swipe pattern (on Android devices) for access. Passkeys are secret keys that stay on your personal devices that can be used for authenticating to applications and websites on your phone, tablet or laptop. They leverage the Web Authentication API security standard, which uses public key cryptography for access. Each key is unique and created with encrypted data for added security.

Types of Passkeys

There are two primary types of passkeys, which differ in their usage and functional purpose.

Multi-Device / Synced Passkeys

For the most part, this guide concerns the type of multi-device passkeys meant for consumer use. They have some limitations in security and functionality for enterprise environments (e.g., cannot be used for desktop login, do not meet regulatory requirements for an independent possession factor, and lack other critical enterprise capabilities).

Device-Bound Passkeys

A device-bound passkey, also called an Enterprise Passkey, is significantly more robust in terms of its functionality and ability to operate within a technology stack, covering the entire range of enterprise use cases.  HYPR's fully FIDO Certified passwordless MFA solution provides this type of passkey. You can read more about the HYPR technology here.

Overview of How Passkeys Work

Passkeys work through an API called Web Authentication, commonly called WebAuthn. WebAuthn is a joint initiative of the World Wide Web Consortium (W3C) and the FIDO Alliance, an industry association that works to end our overreliance on passwords.

Instead of a password, WebAuth uses public and private keys – otherwise known as public-key cryptography – to verify that you are who you say you are. Public and private keys are mathematically linked to one another. You can think of them like interlocking puzzle pieces; they’re designed to go together, and you need both pieces to authenticate successfully. Unlike a traditional password, the private key is never shared with the site you want to sign in to, or stored on their servers.

When you visit a website that supports passkeys, you can choose to secure your account with a passkey, rather than a traditional password. The website’s server communicates information about the website, and asks you to confirm your authenticator. This could be your phone, tablet or PC. A passkey — which includes your public and private key pair — gets generated for that specific website. This happens locally, on your device. The public key is stored on the website’s server, while the private key remains securely stored in your authenticator.

To sign in, the website sends an assertion challenge to your authenticator. You then must take the required action on the authenticator, such as entering a PIN or presenting a biometric. Your authenticator then signs the authentication assertion with your private key and sends it back to the website. The website verifies the signed authentication assertion using their copy of your trusted public key, and you gain access.

All of this happens behind the scenes. All you need to worry about is setting up the passkey and unlocking it with the required action.

Comparing Passkeys and Passwords

The table below compares passkeys and passwords to understand their respective strengths and weaknesses:

Pros of Passkeys Pros of Passwords
Enhanced Security Passkeys use public-private key cryptography, making them more secure against various attacks. Familiarity Passwords have been around for a long time, and users are accustomed to the concept.
Passwordless Passkeys eliminate the need for users to remember complex passwords, reducing the risk of weak password usage. In addition, passkeys remove the reusing of passwords across different services. No Device Dependency Users can log in from any device with their passwords. Passkeys require users to have their devices accessible for authentication.
No Phishing Since passkeys are not entered by a user or shared, they cannot be phished or intercepted during transmission. Supported by all websites and apps While there is global acceptance of passwords, passkeys are still a new alternative form of securing accounts and as such are not as globally accepted.
 

How Secure are Passkeys?

As one of the top entry points for cyberattacks, the security of authentication methods is of utmost importance. Passkeys offer a much more secure alternative to traditional passwords.

Leveraging public-private key cryptography, passkeys are phishing-resistant, providing enhanced protection against common attack vectors, such as credential phishing, brute force attacks, credential stuffing, AitM (adversary-in-the-middle) and other attacks on authentication.

Passkeys' security lies in the fact that, unlike passwords and some other forms of authentication, such as one-time-passwords (OTPs), SMS and email links, there are no shared secrets. The confidential credential information is not transmitted and is decentralized, rendering interception, theft, breaches, or cracking implausible.

Passkeys offer a promising solution to the vulnerabilities of traditional password-based authentication. Passkey authentication uses on-device verifiers, like the TouchID used to log into a computer or the face scanning used to unlock a phone, and combines this with public-key cryptography to prove identity to the website or app.

"With the industry at an inflection point, passkeys promise to be the vehicle to tip us over by finally presenting the world with a phishing-resistant, user friendly and scalable alternative to passwords as a primary authentication factor.”

Andrew Shikiar, Executive Director & CMO, FIDO Alliance
Source: The State of Passwordless Security Vol.3

For a discussion on the security merits of passkeys, explore the article “Are Passkeys Safe?” on HYPR's blog.

Who Creates Passkeys? 

Passkeys are created by you on your device and copied across your Google, Apple, and Microsoft accounts on your phones, tablets, and laptops. 

  • Apple announced support in iOS 16 in Sep 2022, and iPadOS 16 and macOS Ventura in October 2022.
  • Google announced support in Android starting October 2022 and ChromeOS in December 2022.
  • Microsoft Windows is set to deliver support in 2023.

Many browsers already support sign-in with a passkey from a nearby device such as a mobile phone or security key. These include:

  • Microsoft Edge and Google Chrome on Windows
  • Edge, Safari and Google Chrome on macOS
  • ChromeOS

How You Log In With Passkeys

Passkeys are accessed using the same WebAuthn API that has been available across all the platforms and browsers since 2018. The cross-device sync of passkeys is managed transparently by the OS.

Websites that support passkeys use the passkey icon shown below:

passkey-icon-transparent

For any website or application that you have set up passkey authentication, you will be asked if you want to sign in using your saved passkey. You then authorize using the same biometric or PIN that you use to unlock your device and you’ll be signed into your account.

The login experience might look like this:

Best-buy-passkeys

Can You Lose a Passkey?

For shareable passkeys (typical of individual passkeys) it is possible to lose a passkey if it hasn’t been copied to your other devices automatically or if you lose all your devices that are tied to your Apple or Google accounts. 

For enterprise passkeys, FIDO specifies they should be available only from a single device from which they cannot be copied. Such passkeys are sometimes referred to as “single-device passkeys”. In such a case retrieval difficulties vary depending on how the instance is configured. See more about individual vs. enterprise passkeys below.

How to View Your Passkeys

On iOS Devices (Apple iPhone or iPad)

Passkeys are located In Settings > Passwords , You can view listing of the sites with corresponding passkeys. Use the “Delete Passkey” button to revoke the passkey.

Settings: ios-settings Passwords: ios-passwords Passkey: ios-passkey

On Android Devices

Passkeys from Google Password Manager are available to all Android apps, including Chrome and other browsers. Passkeys are stored on an Android device when the user creates a passkey. The passkeys are encrypted end-to-end and then synced with the user's other Android devices. This makes passkeys available to the user across all Android devices that use Google Password Manager, as long as they are signed in with the same Google account.

  1. On your Android phone or tablet, open your device's Settings app
  2. Tap Passwords & accounts
  3. Tap Google in Passwords section
  4. Passkeys will be shown at the bottom of the list

On Samsung

Settings > Privacy > Autofill service from Google > Password

OR

Settings > General Management > Passwords and autofill > Google > Password Manager

samsung-passwordmanager-passkey

On Your Mac Computer

In the Chrome Browser

In the chrome browser, navigate to chrome://settings/passkeys:

mac-passkeys

NOTE: Apple keeps passwords and passkeys in the same location and are indistinguishable until you select the website.

In the Safari Browser

To View saved passkeys in Safari:

  1. Open Safari
  2. From the Safari menu, choose Settings (or Preferences), then click Passwords
  3. Sign in with Touch ID, or enter your user account password
  4. Select a website

safari-passwords

In System Settings

To view saved passwords and passkeys in System Settings:

  1. Choose Apple menu > System Settings. 
  2. Click Passwords
  3. Sign in with Touch ID, or enter your user account password
  4. Select a website, then click the Show Details button

apple-system-setting-passkeys

On Your Windows PC

You cannot view multi-device passkeys in any current version of Windows. You can view local single-device passkeys in Chrome on Windows 11 only (not Windows 10). To view single-device passkeys on Windows 11, open Chrome and enter chrome://settings/passkeys in the URL bar.

Windows 11 example:

windows-11-passkeys

How To Revoke Passkeys

On iOS Devices (Apple iPhone or iPad)

Passkeys are located In Settings > Passwords , You can view listing of the sites with corresponding passkeys.

Use the “Delete Passkey” button to revoke the passkey.

Settings: ios-settings Passwords: ios-passwords Passkey: ios-passkey

On Android Devices

Passkeys are revoked by navigating to: Settings > General Management > Passwords and autofill > Google

If there are multiple accounts on the device, select the account in which the passkeys were created. Google Password Manager opens and displays a list of stored passkeys. Select the specific domain which the passkeys were registered to and hit “Delete.”

Google Password Manager: Android-passkey-manager Example: Android-passkey-manager-example-account

On Your Mac Computer

In the Safari Browser

Via Safari, navigate to “Develop”, and then select “delete platform credentials.”

safari-revoke-passkeys

On Your Windows PC

Managing passkeys on Windows is only supported on Windows 11. The user has the option to delete the passkeys that are local to the Windows host. This is performed by opening Chrome and entering chrome://settings/passkeys as the URL. Chrome will display the local passkeys. Select the menu next to the one you want to delete and select the delete option (the only option available). See image below:

revoke-passkey-windows11

Copying Passkeys to a New Device

New iOS Device (Apple iPhone or iPad)

Passkeys are stored in iCloud Keychain, so they’re automatically available for use as soon as you enable iCloud Keychain on your new iOS device.

To turn on iCloud Keychain on your new iOS device:

  • Tap Settings, tap [your name], then choose iCloud.
  • Tap Passwords and Keychain.
  • Turn on iCloud Keychain. You might be asked for your passcode or Apple ID password.

New Android Device

Passkeys will automatically be copied between Android devices provided that:

  • The same Google email account is logged on for each Android device
  • The Google email account in question has “Sync” enabled
  • All of the Android devices need to have the Screen Lock explicitly enabled because this feature is used to encrypt the passkeys. Without all devices having the Screen Lock enabled, the “other devices” will not be able to leverage them. This is different from having your phone protected by PIN or Biometric. It needs to be explicitly set. See: https://support.google.com/android/answer/9079129?hl=en
  • This is accomplished on Android by going to Password Manager and clicking the “gear” next to it. Note: This is different from “On-Device encryption."

android-passkeys-new-device-1

  • Upon first attempt to leverage a passkey from another device, you will be prompted for that device's Screen Lock.

android-passkeys-new-device-2

New Mac Computer

Passkeys are stored in iCloud Keychain, so they’re automatically available for use as soon as you enable iCloud Keychain on your new Mac. 

To turn on iCloud Keychain on your new Mac Computer:

  1. Choose Apple menu > System Settings (or System Preferences)
  2. Click your name, then click iCloud. In earlier versions of macOS, click Apple ID, then click iCloud in the sidebar
  3. Turn on Password & Keychain

New Windows PC

You can use both multi-device passkeys and single-device passkeys for Chrome/Edge on both Windows 10 or 11. Log into Chrome/Edge and have Sync set up.

For example, a passkey exists on your phone for https://awsq1.biometric.software. On a Chrome browser on the Windows workstation, you navigate to https://awsq1.biometric.software. You are logged into Chrome with the same account for which the passkey was generated. Upon login, select “Passkey” or “Use Platform Authenticator.” The browser will present an option to scan a QR Code or send a notification to known devices associated with that Google account. 

Both options allow you to leverage their mobile device’s passkey to authenticate to the website.

Note: Even after this type of passkey authentication, the passkeys will not be shown in Chrome. You can only see/manage single-device passkeys on Windows 11.

Passkeys FAQs

Can I use my passkey from my iOS device on my Android device?

At the time of this writing, cross platform or cross ecosystem is not supported.

Can I use my passkey from my Android device on my iOS device?

At the time of this writing, cross platform or cross ecosystem is not supported.

Can I use my passkey from my iOS device on my Windows Computer?

If you have installed iCloud for Windows and have keychain sync enabled, your passkeys will be available on the Windows device. 

Can I use my passkey from my Android device on my Windows Computer? 

Android and Chrome leverage the Google password manager. Your passkeys will be made available to you through the use of the Chrome web browser.

Can I use the passkey on my phone to get into a website on my computer? 

Yes. as long as the Service Provider “Relying Party” enables the support for it. You will see a dialog presented like the following:

passkey-to-website-signin-1

passkey-to-website-signin-2

Can I use the passkey on my computer to get into an app or website on my phone? 

When leveraging passkeys which have been synced. The passkey will be available on any devices leveraging either iCloud Keychain or the Google Password Manager. 

Can I use passkeys on a shared computer, for example at a library?

Passkeys are synced by the underlying platform such as Mac/Win/Android. To do so:

  • You must be logged into your Apple/Google/MS account
  • iCloud keychain or Google password manager must be enabled 

In instances where you are not logged into your personal account, such as a public computer, passkeys won’t work. Personal account logins on public computers are not recommended. You can, however, use the passkey on your phone to log into the shared computer. 

Can I share my passkey with my spouse, kids, friends, etc.? 

With Apple generated passkeys it is possible to airdrop your passkey to any mutual contacts. This is useful for backup only with someone you trust. Anything less can pose a significant security risk. As long as both individuals have each other within the contacts app in iOS and are within AirDrop range of each other, it is possible to share your passkey.

Can I use a passkey on my Apple Watch? 

Passkeys require either Face ID or Touch ID. Apple Watch is not supported.

Passkey Authentication with HYPR

As technology advances and the demand for tough authentication grows, passkeys are poised to revolutionize how we secure our digital identities and interact with online services. The strides made by Apple, Google, and other companies in the realm of passwordless authentication have brought significant attention to the issue of authentication security. Their endorsement of FIDO standards reinforces the idea that this approach holds promise for the future.

However, it is essential for organizations to recognize that off-the-shelf solutions may not encompass the required scalability and comprehensive functionality. As the landscape continues to evolve, HYPR, a pioneering company in passwordless authentication, stands equipped with a profound understanding of potential challenges, empowering enterprises to make well-informed decisions when integrating passwordless authentication into their operations.

HYPR supports both synced passkeys and advanced device-bound enterprise passkeys. Read more here on how to deploy the right FIDO passkeys for your enterprise. HYPR enables organizations to implement secure and convenient passwordless authentication methods.

Related Resources