Tuesday, June 24, 2025

You should use passkeys, but you should understand them first

If you've already heard of passkeys, you probably know that they are the technology that is supposed to replace passwords. But if you're not sure what passkeys are, or how they work, or how they're better than or different from passwords, don't get down on yourself. Most of the websites promoting passkeys do a terrible job of explaining them. I didn't understand them myself, so I decided to finally dig in and learn how they work. Now that I have a better understanding of passkeys, I can see how they fix certain problems with passwords. And I'd like to help you understand them, too.

One of the reasons I think most explanations of passkeys are confusing is that they fail to distinguish between two different aspects of how passkeys work: the authentication process, and key management. There are a couple of prerequisites for understanding the rest of this post. You will need to know just a bare minimum about how public and private keys work. You will also need to be familiar with password managers.

How does a password work?

Before we jump into explaining passkeys, it will be useful to review how passwords work. We'll break down passwords into the same two parts: authentication with passwords, and password management. Once we have passwords explained within this framework, understanding passkeys should be pretty straightforward.

Authentication with passwords

Alice decides that she wants to create an account on bob.com.

Alice: I'd like an account, please.
bob.com: Please give me a username and a password.
Alice: OK. I'd like my username to be "xXx4l1c3xXx" and password "hunter2".
bob.com: Great. You now have an account on bob.com.

Now that Alice has an account, what does the login flow look like?

Alice: I'd like to log in, please.
bob.com: OK. What is your username?
Alice: xXx4l1c3xXx
bob.com: OK. If you can prove to me you know the password for xXx4l1c3xXx, I will log you in.
Alice: My password is hunter2.
bob.com: Great. You're logged in.

This is the basic authentication flow for logging in with a password. There shouldn't be anything surprising here. One of the problems with this type of authentication is that to verify Alice's password, the website needs to know her password. This means, if an attacker gets ahold of bob.com's database, there is a possibility that they could discover Alice's password, and use it to take over her account. As we'll see later, passkeys solve this problem.

Password management

Now that Alice has created an account on bob.com, Alice has to keep track of that password somehow. She has several options available to her. She could simply remember the password. She could write the password down on paper somewhere. She could use a password manager, like 1Password or BitWarden.

If you pay attention to these things, you probably know that using a password manager is the recommended method of keeping track of your passwords. If you rely on remembering your passwords, you are likely to take shortcuts like reusing passwords across multiple websites. This is insecure, because if an attacker gets your password from one website, they might be able to take over your account on other websites.

Writing passwords down can be insecure, because anyone with physical access to your password notebook will be able to compromise your account. A password manager stores your passwords in an encrypted format, to prevent unauthorized access. Password managers have other features to improve security, like helping you create a strong and unique password for each of your online accounts. There's a lot more to be said here, but there are many other good articles covering the benefits of using a password manager. If you don't already use a password manager, I encourage you to start.

How does a passkey work?

We'll follow roughly the same script with passkeys as we did with passwords, so you can see the similarities and differences between the two technologies.

Authentication with passkeys

Alice decides that she wants to create an account on bob.com.

Alice: I'd like an account, please.
bob.com: Please give me a username and a public key.

Alice generates a new public/private key pair locally on her computer.

Alice: I'd like my username to be "xXx4l1c3xXx", and here's my public key.
bob.com: Great. You now have an account on bob.com.

Now that Alice has an account, what does the login flow look like?

Alice: I'd like to log in, please.
bob.com: OK. What is your username?
Alice: xXx4l1c3xXx
bob.com: OK. If you can prove to me you know the private key for xXx4l1c3xXx, I will log you in. Here is a blob of data. Please sign it with the private key and send it back to me.
Alice: OK, here's the blob of data with a digital signature.
bob.com: I've used the public key for xXx4l1c3xXx to verify the signature. You're logged in.

If you're familiar with how private and public keys work, this should be pretty simple to understand. For those not familiar, a digital signature is a way to prove you have the private key for a given public key. Bob.com challenges Alice to provide a valid signature, and if she can, she proves she has the private key she generated when creating the account.

One of the big benefits here is that the website only knows Alice's public key. If someone compromises bob.com's database and gets ahold of Alice's account information, there is no way for them to use the public key to log in to her account. To compromise Alice's account, they would have to get her private key, which she never shared with bob.com.

Passkey management

This is where, I think, things differ quite a lot from how passwords work. Instead of having to keep track of a relatively short bit of text, like "hunter2", you have to keep track of a cryptographic key that is something like a kilobyte of random-seeming data. It's not feasible for Alice to remember her private key, or write it down in a notebook somewhere. Even if it were feasible to remember the key, you have to use the key to calculate a digital signature in order to log in. That's not something you can really do by hand. If you use a passkey, you must use something like a password manager to store the key, and generate digital signatures.

This is, in my opinion, the biggest factor that improves security for the average user. You must use some sort of passkey manager. Since every passkey user uses a passkey manager of some kind, secure procedures can be programmed into the passkey managers to prevent attacks like phishing. You know that blob of data that bob.com sends to you and asks you to sign? Your passkey manager can check whether that blob of data actually came from bob.com. If Alice accidentally finds herself on evil-bob.com, a phishing website, and tries to log in, her passkey manager will see that evil-bob.com is not bob.com, and refuse to sign the request.

Most mainstream password managers, such as 1Password and BitWarden, already support the use of passkeys. If you are interested in trying out passkeys, I recommend using one of these password managers to experiment with passkeys. Before messing with login credentials for one of your real accounts, try creating an account on a passkey demo website, like passkeys.io. Passkeys.io just consists of a login screen, and nothing else, so you can safely experiment with creating an account and logging in.

In terms of using your password manager to log in with a passkey, the user experience is most similar to logging in with a password using the auto-fill feature of your password manager. On a website's login screen, you will click the "login with a passkey" button, unlock your password manager, select which account you want to log in with, then the password manager will perform the cryptographic operations outlined earlier in this post to complete the login process.

What's the deal with Bluetooth/biometrics/MFA/etc.?

Lots of videos about passkeys make a big deal about logging in with your fingerprint, or connecting your phone to your laptop with Bluetooth. Why haven't I mentioned any of that yet? Because they are not strictly necessary. Not necessarily a bad idea, but not central to how passkeys work.

Earlier, I said passkeys force you to use "something like a password manager." There are actually a number of different options for storing and managing your private keys. The technical term here is "authenticator." "Authenticator" is an umbrella term that just means, "the thing that stores your keys, and creates digital signatures." A password manager is just one specific style of authenticator.

Lately, operating systems have begun to offer built-in authenticators to manage your passkeys. These have pros and cons. For example, they may store your passkey in a special bit of secure hardware, but then you may not be able to copy that key to be used on another device. This is why, if you store a passkey in this way on your phone, your laptop and phone have to talk to each other over Bluetooth in order to log in on your laptop. This offers a higher level of security, but less convenience, and maybe the danger of losing your passkeys if something happens to your phone. I won't go into much more depth here, because I don't feel I have a good enough understanding to talk about this without misspeaking. The pros and cons of different types of authenticators are also worth a whole article on their own.

If this last section of the post is at all confusing, don't worry too much about it right now. The main point here is that, for the most part, what kind of authenticator you use is up to you. If you want to try out using passkeys, start by using a password manager. While there are pros and cons to different kinds of authenticators, at the very least, using passkeys with a password manager is probably a step up from using passwords with a password manager. And it's definitely a step up from not using a password manager at all. Once you're comfortable with using passkeys with a password manager, start looking into the other types of authenticators and see if they're right for you.

At the very least, I hope this post helped you understand passkeys a little better. And now that you understand passkeys, and see how they can keep your accounts safe, maybe you'll give them a try.