Passkeys are used to authenticate without passwords, making the login experience simpler and more secure. Passkey authentication eliminates credential stuffing and other attacks that use stolen or cracked passwords. It also protects users against phishing sites as the passkey is linked to a specific website or application.
Passkey authentication requires either biometric authentication — such as a fingerprint or facial recognition — or a PIN or swipe pattern used with Androids for access. Passkeys are secret keys that stay on the user's personal devices that can be used for authenticating to applications on phones, tablets, or laptops. They were created in with the Web Authentication API security standard that uses public key cryptography for access. Each key is unique and created with encrypted data for added security.
Passkeys are created by the user on their device and copied across their Google, Apple, and Microsoft accounts on their phones, tablets, and laptops.
- Apple announced support in iOS 16 in Sep 2022, and iPadOS 16 and macOS Ventura in Oct 2022.
- Google announced support in Android starting October 2022 and plans passkey support in ChromeOS by 2023.
- Microsoft Windows is set to deliver support in 2023.
Most platforms already support sign-in with a passkey from a nearby device such as a mobile phone or security key. These include:
- Microsoft Edge and Google Chrome on Windows
- Edge, Safari and Google Chrome on macOS
Passkeys are accessed using the same WebAuthn API which has been available across all the platforms and browsers since 2018. The cross-device sync of passkeys is managed transparently by the OS.
Types of Passkeys
- Individual/Consumer Passkeys: The most commonly discussed type of passkey is meant for individual, not enterprise use. They are limited in security and functionality, (i.e., cannot be used for desktop login, do not meet regulatory requirements for an independent possession factor, and lack other critical enterprise capabilities).
- Enterprise Passkeys: This type of passkey is significantly more robust in terms of its functionality and ability to operate within a technology stack, covering the entire range of enterprise use cases. It should also be FIDO Certified.
Where Can You Use Passkeys?
Websites that support passkeys use the passkey icon shown below:
"I set up passkey authentication on my iPhone for my Best Buy account. Now I just approve passkey sign-in by using FaceID, like I do to unlock my phone, and I can access my account."
The FIDO Alliance Demonstrates Passkeys in Action: