Passkeys overview

Passkeys are a biometrics-based, phishing-resistant replacement for passwords. They were developed by the FIDO (Fast Identity Online) Alliance, a consortium of cybersecurity experts dedicated to creating secure, frictionless authentication standards that eliminate the world's over-reliance on passwords.

What are Passkeys exactly?

Passkeys are FIDO credentials that use a local biometric verification such as Face ID or Touch ID to create and unlock an asymmetric public/private key pair for authentication. The public key is registered with and stored by the application the end user is authenticating into (the relying party). The private key stays on the device that performed the biometric verification (the client).

Passkeys diagram

During authentication, the client signs a challenge from the relying party with its private key, which is only released after a local user verification such as Face ID, Touch ID, a PIN, or a swipe pattern. The relying party's server then verifies the signature using the public key it received during registration.

Because of this cryptographic design, Passkeys have a strong security posture: the private key is never exposed to the relying party, and each Passkey is scoped to a single relying party, so a credential created for one website cannot be presented to another. End users therefore create one Passkey per website.

Passkeys are multi-device

Passkeys are stored primarily in two ways:

  1. A passkey can be device-bound to a mobile device, computer, or an external device like a YubiKey.
  2. A passkey can be synced in the cloud by a provider and easily accessible from any connected device.

With cloud support from platforms like Apple, Google, and Microsoft, and from credential managers like 1Password, Passkeys can be synced and made available across multiple devices, operating systems, and browsers, just as a user's photos, contacts, emails, and documents are.

In cases where a passkey is device-bound, users can still authenticate across multiple devices by using a "hybrid protocol" or "hybrid transport". This can involve scanning a QR code with a mobile device and transmitting a one-time Passkey in close proximity via Bluetooth, or connecting a YubiKey via NFC or Bluetooth.

Passkeys and WebAuthn

The two technologies are inherently related.

Passkeys are built on top of the WebAuthn standard, a web specification that defines the use of strong, attested, scoped, public key credentials by web applications. The term Passkeys refers to the multi-device usage of FIDO credentials, rather than the restriction of the private key to a single device.

In other words, Passkeys are multi-device credentials created by the WebAuthn standard.

Stytch Passkeys

Stytch enables developers to implement Passkeys while conveniently using the same WebAuthn endpoints. By integrating atop the WebAuthn API, developers have full flexibility and control when creating FIDO credentials.

Set the return_passkey_credential_options field to true when calling the Start WebAuthn Registration endpoint or Start WebAuthn Authentication endpoint.

curl --request POST \
  --url https://test.stytch.com/v1/webauthn/register/start \
  -u '{PROJECT_ID}:{SECRET}' \
  -H 'Content-Type: application/json' \
  -d '{
    "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6",
    "domain": "example.com",
    "return_passkey_credential_options": true
  }'

What's next

Check out our SDK guide to start building Passkeys into your application.