What Is A Passkey?

A Passkey is a modern login method designed to replace passwords entirely. Instead of typing a password (and often a 2FA code), your device proves your identity using cryptography and a secure key stored on your device. When you create a passkey for a service:
  • Your device generates a public key and a private key.
  • The public key is stored on the website's servers.
  • The private key never leaves your device. You need to create a new passkey per device or browser.
When you log in later:
  • The website sends a challenge - a random piece of data that proves the server is legitimate.
  • Your device signs it using the private key.
  • The server verifies the signature using the public key.
If the signature matches, you are logged in. No password is transmitted. No secret ever leaves your device.

What does this mean in practice?

Instead of typing:

        Email: brian@example.com
        Password: SuperSecurePassword123LOL!
        2FA code: 482019
    
You simply approve the login using:
  • Fingerprint - your device's biometric sensor if available
  • Face ID - your device's facial recognition system if available
  • Device PIN - your device's personal identification number (this could be a 4-6 digit code you set on your Microsoft Account for your device)
  • Security key - a physical hardware key
Your device unlocks the private key and signs the login.

Why Do We Need Passkeys?

Passwords have been a problem for decades. Most security breaches still happen because of passwords. Common issues include:
  Problem           Example
  Password reuse    Same password used on 15 websites
  Phishing          User types password into a fake login page
  Database leaks    Website gets hacked and password hashes leak
  Weak passwords    "Password123"
You can check whether your current passwords have been leaked using a service like Have I Been Pwned - Passwords. A similar service exists for email addresses: Have I Been Pwned - Email.

Even with 2FA, passwords remain the weakest link. Passkeys attempt to remove that weak link entirely. Why? Because even with 2FA, passwords can still be phished: attackers can create fake login pages that trick users into entering their password and approving a malicious login. With passkeys, there is no password to steal, and the authentication is bound to the legitimate domain, making phishing attacks ineffective.

The core idea

No shared secret. Passwords are shared secrets between you and the server - Passkeys are not. The server only stores the public key. If the server gets hacked, attackers cannot log in as you, because the private key never existed on their systems - it resides only on your device.

What Differentiates Passkeys from Your Regular Authenticator?

Many people confuse Passkeys with Authenticator apps like:
  • Microsoft Authenticator
  • Google Authenticator
  • Authy
  • 1Password
But they are fundamentally different technologies.
  Feature                          Password + Authenticator   Passkey
  Password required                Yes                        No
  Phishing resistant               No                         Yes
  Code entry                       Yes (6 digit)              No
  Shared secret stored on server   Yes                        No
  Uses cryptographic key pair      No                         Yes
Authenticator apps generate TOTP codes - short for Time-based One-Time Password. These codes are still a shared secret that can be phished or stolen. This is especially easy with SMS-based 2FA, which is even less secure. Passkeys instead use public key cryptography. No codes. No passwords. No phishing.

Does Passkey Actually Add Security?

Yes - significantly. Passkeys solve several major security problems at once.

1 - Phishing becomes almost impossible

Passkeys are tied to the domain name of the website. If you visit a fake login page like micros0ft-login.com, your passkey simply will not work. The cryptographic signature is bound to the original domain.

2 - Database leaks become much less dangerous

When a site gets hacked today, attackers often steal:
  • Password hashes
  • Email addresses
  • Account data
With passkeys, the server only stores the public key. A public key is useless for logging in. Even if attackers steal it, they cannot impersonate you.

3 - No password reuse

Every passkey is unique per website. Even if one service fails, it does not affect any other service.

Why Is "Sign in With Face, Fingerprint or PIN" Considered Secure?

At first glance, passkeys sound less secure than traditional login methods. You may think: "How can using a 4-digit PIN possibly be safer than my 24 character password and authenticator app?" The answer lies in what the PIN actually does.

The PIN Does Not Authenticate You to the Website

When you use a passkey, the PIN, fingerprint, or face scan is not sent to the website. It never leaves your device - instead, it only unlocks the private cryptographic key stored securely on your device. The flow looks roughly like this:
  1. You choose "Sign in with passkey"
  2. The website sends a cryptographic challenge
  3. Your device asks for Face ID / fingerprint / PIN
  4. This unlocks the private key stored on the device
  5. The private key signs the challenge
  6. The website verifies the signature using the public key
The PIN is therefore not your login credential. It is simply a local unlock mechanism for the private key stored on your device.

Why a Short PIN Is Still Safe

A device PIN would be unsafe if it were used directly as authentication. But with passkeys, the PIN has several protections:
  • It only works on the physical device
  • Attempts are limited
  • After too many failures, the key becomes locked
  • The private key cannot be extracted
This means an attacker would typically need:
  • Your physical device
  • Your device PIN
Remote attackers cannot brute-force your PIN over the internet.

Biometrics Are Not the Secret

Another common misconception is that Face ID or fingerprints are the actual credentials. They are not. Biometrics simply replace typing the device PIN. They function as:
  • A convenience feature
  • A local unlock mechanism
If biometrics fail, your device falls back to the PIN.

I'm Still Asked for My Password, 2FA and Passkey - Why?

Many services currently require you to set up a password and 2FA even if you want to use passkeys. This is because passkeys are still relatively new and not all services have fully adopted them yet. In the future, as passkeys become more widespread, we can expect many services to allow passkey-only accounts without requiring a password or 2FA setup.

Why This Can Be Safer Than Password + Authenticator

Traditional logins still rely on a shared secret - your password. Even with an authenticator app:
  • The password can be phished
  • The login page can be faked
  • Users can approve malicious prompts
Passkeys remove that shared secret entirely. Because passkeys are tied to a specific domain, they simply refuse to work on phishing sites, as in the previous example.

Struggles Using Passkeys

In theory, passkeys are excellent - In practice, the ecosystem is still messy.

Endless login loops

A common issue:
  • You choose "Sign in with passkey"
  • The site redirects to your authenticator
  • You approve the login
  • You get redirected back to the login page
Repeat forever. This often happens when:
  • Browser support conflicts
  • Multiple authenticators exist
  • Session cookies break during redirects

Cross-device authentication confusion

Sometimes you try logging in on one device but the passkey lives on another. Example:
  • You log in on a Windows PC
  • The passkey is on your phone
  • You must scan a QR code
While technically impressive, it can feel unnecessarily complicated.

Recovery problems - If you lose your device

If you lose your device and the passkey was only stored there, account recovery can become difficult. Most services therefore still allow:
  • Passwords
  • Recovery emails
  • Backup codes
This somewhat reduces the theoretical security advantage. And frankly, people are bad at remembering their passwords as it is. Will they be better at remembering where they stored their backup codes?

Where Your Passkeys Actually Live - And Why That Matters

One of the most confusing aspects of passkeys is where they are actually stored. When you create a passkey, it must live somewhere secure. Depending on your setup, that could be several different places.

Device-based passkeys

Many passkeys are stored directly on your device and protected by the operating system. Examples include:
  • Windows Hello
  • Apple iCloud Keychain
  • Google Password Manager
In these setups, the private key is stored inside a secure hardware component on your device. Using TPM (Trusted Platform Module) chips or secure enclaves, these keys are protected against extraction and tampering. These passkeys often sync across your ecosystem - like:
  • iPhone
  • MacBook
  • iPad
All share the same passkeys through iCloud.

Password manager passkeys

Modern password managers now support passkeys as well. Examples include:
  • 1Password
  • Bitwarden
  • Dashlane
Advantages include:
  • Cross-platform syncing
  • Centralized management
  • Easier backups

Hardware security keys

The most security-focused option is storing passkeys on a physical security key. This could be a YubiKey or similar device that supports FIDO2/WebAuthn standards. These are USB or NFC devices that store the private key directly on the hardware. Benefits:
  • Extremely strong phishing protection
  • Not tied to Apple, Google, or Microsoft ecosystems
  • Portable between devices
The downside is obvious though - you must physically have the key.

Why Passkeys Are Considered the Future

Despite the current friction and occasional login loops, passkeys represent one of the biggest improvements in account security in decades. They remove the weakest element in authentication - the human-managed password. Instead of relying on something you remember, passkeys rely on:
  • Cryptographic keys
  • Secure hardware
  • Domain-bound authentication
The result is a system where:
  • Nothing secret is stored on the website
  • Nothing secret travels across the network
  • Phishing attacks largely stop working
The technology itself is extremely strong. The current challenge is not security - it is usability. As browsers, operating systems, and websites continue improving their implementations, passkeys are very likely to become the standard way we log in to services on the internet.