What are Passkeys?

Inspired by Ludwig’s comment, here is my explanation of what Passkeys are. First and foremost, Passkeys are a replacement for passwords. They address the problem of passwords being stolen by attackers and reused to access resources. When a Passkey is generated, your device creates a public and private key pair. The public key is stored on the server you want to authenticate against; the private key stays on your device. When you log in, the server sends a challenge to your device. The device signs this challenge with your private key and returns the signature as its response. The server verifies the response with the public key it has stored for your account, and if the verification succeeds, you are logged in.

Because the private key for a given service is stored only on your device, it cannot leak when the server is compromised: the server only ever holds the public key. Nor is there a risk of a password leaking from your client device, because there is no password to enter. And since the device signs the challenge for the site the browser is actually on, a lookalike site cannot obtain a response the real server would accept. This approach makes it impossible to phish a passkey.
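The challenge-response flow described above, modelled in Go with the standard library's Ed25519. This is an added example, not code from the original post: the device generates a key pair and keeps the private half, the server stores only the public key, issues a random challenge and verifies the signed response, and consumes the challenge so a captured response cannot be replayed. It goes one step beyond the post by also showing why a lookalike site gets nothing: in WebAuthn the browser derives the relying-party ID from the origin the user is really on, and that origin is part of what is signed. The rpID `example.com`, the user `alice` and the lookalike `examp1e.com` are constructed values, and the signed message layout is a simplification of WebAuthn's `authenticatorData || SHA-256(clientDataJSON)`, not the real encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Authenticator models the user's device: one key pair per relying-party ID
// (rpID). The private keys never leave this struct.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register generates a key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand unusable: nothing sensible to do
	}
	a.keys[rpID] = priv
	return pub
}

// rpIDFromOrigin mimics the browser: the rpID is derived from the origin the
// user is actually on, never from anything the page itself supplies.
func rpIDFromOrigin(origin string) string {
	host, _, _ := strings.Cut(strings.TrimPrefix(origin, "https://"), ":")
	return host
}

// signedMessage is what the device signs: rpID hash || 32-byte challenge ||
// origin. A simplified stand-in for authenticatorData || SHA-256(clientDataJSON).
func signedMessage(rpID string, challenge [32]byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	return append(append(rpHash[:], challenge[:]...), origin...)
}

// Respond answers a challenge for the site the browser is on. A lookalike
// origin maps to a different rpID, for which no private key exists.
func (a *Authenticator) Respond(origin string, challenge [32]byte) ([]byte, error) {
	rpID := rpIDFromOrigin(origin)
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge, origin)), nil
}

// Server holds public keys only: a database leak yields nothing usable to log in.
type Server struct {
	rpID, origin string
	pubKeys      map[string]ed25519.PublicKey // username -> public key
	pending      map[string][32]byte          // username -> outstanding challenge
}

// Challenge issues fresh random bytes and remembers them for this user.
func (s *Server) Challenge(user string) [32]byte {
	var c [32]byte
	if _, err := rand.Read(c[:]); err != nil {
		panic(err) // no usable entropy source; do not continue
	}
	s.pending[user] = c
	return c
}

// Verify consumes the outstanding challenge (so a captured response cannot be
// replayed), insists on its own origin and only then checks the signature.
func (s *Server) Verify(user, claimedOrigin string, sig []byte) bool {
	c, ok := s.pending[user]
	delete(s.pending, user)
	pub, known := s.pubKeys[user]
	if !ok || !known || claimedOrigin != s.origin {
		return false
	}
	return ed25519.Verify(pub, signedMessage(s.rpID, c, claimedOrigin), sig)
}

// Demo runs enrolment, a genuine login, a replay of the same response and a
// lookalike-site attempt. example.com, alice and examp1e.com are constructed
// values, not taken from the post.
func Demo() (legit, replay, phishHasKey bool) {
	srv := &Server{rpID: "example.com", origin: "https://example.com",
		pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][32]byte{}}
	dev := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	srv.pubKeys["alice"] = dev.Register("example.com") // enrolment: only the public key travels
	// Login: challenge, signed response, verification; then replay the same response.
	sig, err := dev.Respond("https://example.com", srv.Challenge("alice"))
	legit = err == nil && srv.Verify("alice", "https://example.com", sig)
	replay = srv.Verify("alice", "https://example.com", sig)
	// The lookalike relays the genuine challenge, but the browser reports the
	// origin it is really on, so the device finds no matching private key.
	_, err = dev.Respond("https://examp1e.com", srv.Challenge("alice"))
	phishHasKey = err == nil
	return
}

func main() { fmt.Println(Demo()) } // true false false
```

The genuine login succeeds, presenting the same response again fails because the server has already consumed that challenge, and the lookalike origin never even produces a response because the device has no key for it. A real server additionally checks the signature counter and the credential ID, which this model leaves out.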

Besides storing passkeys on your device, e.g. your smartphone or laptop, you can use FIDO keys (#reklame) that support passkeys. With these physical keys you do not need to rely on cloud sync services to use your passkeys across multiple devices. Yubico YubiKeys hold up to 25 passkeys, and up to 100 passkeys starting with firmware version 5.7. If you plan to store a larger number of passkeys, consider this FIDO key from Token2, which holds up to 300 passkeys. Another option is the Titan Security Key offered by Google, which can store up to 250 passkeys. Should you go the physical FIDO key route, make sure to get two keys for backup purposes; otherwise you could lock yourself out if your FIDO key is lost or damaged.

13 thoughts on “What are Passkeys?”

  1. With a physical key, you don’t need a cloud sync, but you should store the passkeys on at least two physical keys to be able to log in to your accounts when one physical key is lost/stolen/broken.

  2. Exactly the explanation I needed. I’ll buy a Fido Key soon.
    Many thanks

    LD

  3. Thanks for explaining this. One (small) hassle is that the private key is associated with a device rather than an account, so I need one passkey for my laptop, one for my phone, one for my iPad, etc. Not a big deal, but that was what was confusing me about passkeys – I thought I had already set one up for a site, and when I tried to use it, it didn’t work – now I realize it was because I was on a different device.

    1. Most services I have encountered so far that support passkeys allow the passkey to be synchronized across devices. But there are also services that implement device-bound passkeys. Your service might fall into the latter category.

    1. I was not aware of this. Thanks for sharing. Unfortunately, the Yubikey firmware is hardwired. There is no option to upgrade the firmware after the keys have left Yubico’s factory. Now I have two “outdated” Yubikeys. 🙁

  4. When I use the hardware device, is Mac and iOS supporting these directly?
    Or do I need additional software?
    When NOT using hardware, can I transfer passkeys easily from a device to another?

    1. Yes, the physical keys are directly supported. There is no need to install any additional software. On iPhones the keys are connected using NFC, on Macs using the USB port. If you are using the iCloud Keychain, the passkeys are synchronized across devices. On a device where you do not have access to your iCloud Keychain, you can use your iPhone as the key.
      Right now, the easiest way to transfer passkeys is to use a password manager that allows you to synchronise your vault across devices. The FIDO Alliance is working on defining a standard for passkey transfers.
