What are Passkeys?
Passkeys offer a passwordless and convenient way to log in to online accounts and services. They are easy to use and more secure than passwords. A single passkey can also be used across multiple user devices.
Passkeys authenticate using a private key stored on the user's device (e.g., a phone or laptop with TouchID or FaceID). That means they cannot be stolen or spoofed like a password.
How Passkeys Work
Passkeys are credentials that consist of two parts: a public key and a private key. A website can prompt users to create a passkey when they sign in for the first time. The website will register the public part of the passkey whereas the private part is securely stored on the users’ devices. Now users can use that passkey for future logins on that website. If users want to stop using that specific site's passkey, they can easily reset it.
Create A Passkey
As part of the signup, the app invokes the operating system, like iOS or Android, to generate a passkey for the user.
The operating system prompts the user to unlock the secure storage, like iCloud Keychain, to persist the passkey.
The passkey is securely stored on the device and associated with the app.
Sign In With a Passkey
To start the passwordless login, the user provides their user id, like the username or e-mail.
The app invokes the passkey authentication on the device, like Apple or Android passkey.
The operating system prompts the user to unlock the secure storage so that it can run the passkey login.
The user is logged in.
Passkeys vs. Passwords
Unlike other authentication methods that use passwords or one-time codes, passkeys are more resistant to cybersecurity threats like phishing and data breaches because they are unique per website and safely stored by the operating system. They also avoid the risk of passwords being stolen from a website's servers and sold or compromised in another way, since the passkey authenticator and the website communicate without sharing any secrets.
When can Passkeys Be Used?
Passkeys should replace passwords. Major operating systems for mobile and desktop devices as well as major browsers support login using passkeys. If you need to log in users, offer passkeys as a secure authentication method. Passkeys work for both mobile and desktop applications as well as for websites.
Passkeys Authenticator in the Curity Identity Server
As of version 8.6 of the Curity Identity Server, a new, dedicated Passkeys authenticator is available. The Passkeys authenticator makes it easier to work with Passkeys like Google and Apple passkeys in applications. No code changes are needed. Create a Passkeys authenticator and configure the client to use that authentication method.