A passkey is a cryptographic credential (a public/private key pair) stored on the user’s device. When signing in, the device signs a challenge from the server with the private key, proving ownership without ever transmitting a shared secret.
How it works
- On registration: the device generates a key pair, sends the public key to the server, and keeps the private key locked behind biometric unlock (Face ID, Touch ID, Windows Hello).
- On sign-in: the server sends a random challenge. The device signs it with the private key. The server verifies with the public key. Done.
Why it matters
- Phishing-resistant — the private key never leaves the device, and the signing process is scoped to the specific origin. A phishing site can’t capture anything reusable.
- No shared secret — even a full server compromise doesn’t leak passwords or reusable credentials.
- Biometric UX — signing in is a fingerprint or face scan, faster than typing a password.
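The registration and sign-in steps above, together with the origin scoping that makes the flow phishing-resistant, as an added Go example (not code from the original page or from any WebAuthn library): the relying-party side is reduced to the challenge, origin and signature checks, and the authenticator data, challenge value and origins are constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData holds the clientDataJSON fields the server must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's random challenge
	Origin    string `json:"origin"`    // set by the browser, not by page script
}
// Register (device): generate a P-256 key pair; only the public half is sent to the server.
func Register() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the data a WebAuthn assertion signs.
func signedDigest(authData, cdj []byte) []byte {
	ch := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return d[:]
}
// Assert (device, at sign-in): build clientDataJSON and sign it; authData is a constructed stand-in.
func Assert(priv *ecdsa.PrivateKey, challenge, origin string) (cdj, authData, sig []byte, err error) {
	cdj, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData = []byte("constructed-authenticator-data")
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdj))
	return
}
// Verify (server): a stale challenge or foreign origin is rejected before the signature is checked.
func Verify(pub *ecdsa.PublicKey, wantChallenge, wantOrigin string, cdj, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return errors.New("challenge mismatch: replayed or expired assertion")
	}
	if cd.Origin != wantOrigin {
		return errors.New("origin mismatch: assertion was made for another site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdj), sig) {
		return errors.New("signature does not verify against the stored public key")
	}
	return nil
}
```

Because the browser writes the origin into clientDataJSON and the signature covers its hash, an assertion made on a look-alike site cannot be replayed against the real one even with the same challenge.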
The standard
Passkeys are built on WebAuthn (FIDO2). They sync across a user’s devices via Apple iCloud Keychain, Google Password Manager, or 1Password.
When to offer them
For any consumer-facing product with frequent sign-ins, passkeys are a clear UX and security win. Offer them alongside password and SSO options — users adopt them gradually.