Passwords are the weakest link in most authentication systems: they are reused across sites, phished, and stolen in bulk from breached databases. Passkeys, built on the FIDO2 / WebAuthn standards, replace them with public-key cryptography. The server holds only a public key, so there is no shared secret to steal, and because the credential is bound to the site it was created for, authentication is phishing-resistant by construction rather than by user vigilance.
Working principle
When you register, your authenticator generates a key pair scoped to the site's relying-party ID. The private key stays in the authenticator (often a secure enclave or hardware security key; synced passkeys replicate it to your other devices only in end-to-end-encrypted form), and the public key is sent to the service. To sign in, the service issues a random, single-use challenge; the authenticator, unlocked by your fingerprint, face or PIN, signs the challenge together with the origin the browser actually connected to, and returns the signature, which the service verifies with the stored public key while checking that the challenge and origin are the ones it expects. Because the browser only lets an origin matching the credential's relying-party ID request it, a lookalike phishing site cannot obtain a signature, and a signature captured elsewhere would not verify for the real origin.
| Property | Password | Passkey |
|---|---|---|
| Shared secret | Yes (stored on server) | No — only public key |
| Phishing | Vulnerable | Resistant (origin-bound) |
| Breach impact | Credentials leaked | Public keys useless alone |
| UX | Type / remember | Biometric tap |
Why now
Synced passkeys, stored in platform keychains and replicated end-to-end encrypted across a user's devices, solve the old hardware-token problem of losing access with the device, which made passwordless practical for consumers and is the reason passkeys went mainstream in 2024–2026. The trade-off is that the private key is no longer confined to one authenticator: the security of a synced passkey also depends on the security of the platform account and its recovery process, so high-assurance deployments may still require device-bound credentials.
Applications
- Consumer account sign-in across major platforms
- Enterprise SSO and phishing-resistant MFA
- High-assurance access for finance and government
References & further reading
- W3C, “Web Authentication (WebAuthn) Level 2,” Recommendation, 2021.
- FIDO Alliance, “FIDO2: WebAuthn & CTAP” specifications.
- Lyastani et al., “Is FIDO2 the Kingslayer of User Authentication?,” IEEE S&P, 2020.