A Look at Passkeys

Anna Pobletts
September 6, 2022

Passkeys are coming - and Passage is here to help. As part of the FIDO Alliance, Passage is committed to furthering this technology and making it more accessible to developers, so that we can get to a passwordless future more quickly.

What are Passkeys?

The term “passkey” refers to a multi-device FIDO credential. To make sense of that, let’s talk about FIDO credentials first. A FIDO credential is a private key-based credential that is tied to a specific device and designed to be resistant to phishing attacks. Credentials tied to a specific device like a phone or a laptop have been known as “platform authenticators”. You typically interact with these through your Face ID, Touch ID, Windows Hello, or device PIN.

Passkeys are an extension of platform authenticators that make this secure authentication technology more user-friendly by syncing them between devices and enabling easy logins from many different devices.

In practical terms, passkeys refer to public key credentials synced via your iCloud, Microsoft, or Google account and protected by your Face ID, Touch ID, Windows Hello, or device PIN. When you want to register for a website, your device generates a key that is specific to that website and stores it securely in your device account.

Passkeys have several great advantages over passwords. Since they are based on public key cryptography, all of the sensitive information is stored on your device, not with the website you are logging into. It is more secure and keeps you in control of your information. That means you can edit, revoke, and share your credentials, and websites never have access to your biometric data.

They are also very user-friendly. As a user, you never need to remember a password or think up a new password that meets some complex requirements. Just a quick glance or touch and you are logged in - without compromising the security of your account.

Passkeys are currently supported in iOS 16 and macOS Ventura (which are currently in beta), and Apple has put out a lot of documentation to guide developers through implementation. While Apple is currently farthest along in passkey support, Microsoft and Google have also announced plans to support passkeys in the coming months.

Implementing Passkeys in Your Website

To implement passkeys in your website without the help of a 3rd party like Passage, you will need to make some changes to your frontend and backend.

On the frontend, passkeys look very similar to platform authenticators and the implementation of WebAuthn is largely the same. The biggest challenge is that every platform is a bit different in implementation details and maturity, so your application must handle all these nuances and effectively communicate with your users.

Beyond your frontend changes, you will also need to implement WebAuthn support on your server backend. WebAuthn is a protocol that uses a two-step cryptographic process to verify passkeys, so you will need to add the necessary WebAuthn endpoints (i.e. become a WebAuthn “relying party”), store a set of cryptographic public keys for each user, and make sure to support a strong fallback authentication method for users without passkey-enabled devices.
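The two-step check described above, seen from the relying party's side, as an added example that is not Passage's code or part of the original post. It uses Node's built-in crypto module and assumes an ES256 (P-256) credential; `RP_ID`, `ORIGIN`, `fakeAuthenticator` and the key pair are constructed for the example, with `fakeAuthenticator` standing in for the user's device.

```javascript
const nodeCrypto = require('crypto');

// Assumed relying-party settings, constructed for this example.
const RP_ID = 'example.com';
const ORIGIN = 'https://example.com';
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Step 1: issue a fresh random challenge and remember it for this login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('base64url');
}

// Step 2: check the signed response against the public key stored at registration.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expectedChallenge, publicKey) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  // authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) ...
  if (authenticatorData.length < 37) return 'authenticatorData too short';
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user not present';
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Constructed stand-in for the device: signs the way an authenticator would.
function fakeAuthenticator(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 0])]);
  const toSign = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign('sha256', toSign, privateKey) };
}

// The server stores only publicKey; privateKey stays on the user's device.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

function demo() {
  const challenge = newChallenge();
  const good = fakeAuthenticator(privateKey, challenge, ORIGIN);
  const lookalike = fakeAuthenticator(privateKey, challenge, 'https://example-login.test');
  return {
    valid: verifyAssertion(good, challenge, publicKey),
    replayed: verifyAssertion(good, newChallenge(), publicKey),
    wrongOrigin: verifyAssertion(lookalike, challenge, publicKey),
  };
}
console.log(demo());
```

The origin and challenge checks are what reject a response produced for another site or replayed from an earlier login, before the signature is even evaluated.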

DIY passkey support isn’t a trivial task, but if you’d like to explore adding passkeys to your application, Passage can make it simple. Passage supports passkeys by default and acts as the relying party for all WebAuthn interactions. Passage also has frontend web components that provide all of the login flows and logic needed to communicate with your users and seamlessly log them in using the most secure method available to them. Just two lines of code and you get all the advantages of passkeys, while still ensuring that users without passkeys can always log in.

Conclusion

We’ve always believed that passwordless authentication built on device-native authentication is the future. We are excited that the platforms are getting involved to support passkeys and make this type of login experience more accessible to their users. While there are still challenges with passkeys, Passage is committed to making this technology easy for developers to implement. We stay up-to-date on platform and protocol improvements so that you get the latest and greatest of passkey authentication out-of-the-box.