Category: Traditional Authentication. Complexity: medium.

Passkeys (FIDO2/WebAuthn)

A passwordless authentication standard using public-key cryptography, where the private key never leaves the user's device and authentication is verified via biometrics or device PIN.

Passkeys are the consumer-friendly name for FIDO2/WebAuthn credentials. Instead of a password, authentication uses a cryptographic key pair: the private key stays on the user's device (protected by biometrics or a PIN), and the public key is registered with the server. During login, the server sends a random challenge, the device signs it with the private key (after biometric verification), and the server verifies the signature with the stored public key. Passkeys are phishing-resistant because each credential is bound to the origin (domain) it was registered on -- the browser will not offer a passkey created for the real site to a look-alike domain, so a fake site cannot obtain a valid signature for the real one. Apple, Google, and Microsoft sync passkeys across devices via their cloud platforms, solving the device-loss problem.

Security Model

Passkeys use asymmetric cryptography with private keys stored in hardware-backed secure enclaves. Security properties: phishing-resistant (origin-bound), no shared secrets (nothing for servers to leak), replay-resistant (challenge-response), cloning detection (sign counter). The security model's weakest point is account recovery -- if recovery bypasses passkeys, it becomes the attack surface. Synced passkeys add cloud account compromise as a risk vector.

Implementation

medium complexity

User Experience

Passkeys provide an excellent authentication experience. Registration takes 5-10 seconds (biometric prompt). Authentication is a single biometric scan -- faster than typing a password. Conditional UI shows passkeys in the browser's autofill dropdown, making discovery natural. The main UX challenges are: educating users about what passkeys are, managing passkeys across devices, and handling the transition period where both passwords and passkeys coexist.

Platform Examples

Apple

iCloud Keychain syncs passkeys across Apple devices with end-to-end encryption. Seamless integration with Face ID and Touch ID. Supports passkey sharing via AirDrop.

Google

Google Password Manager syncs passkeys on Android and Chrome. Google Accounts support passkey sign-in as a primary factor. Uses device screen lock for verification.

GitHub

Supports passkeys for account authentication and sudo mode. Allows multiple passkeys per account. One of the earliest developer platforms to adopt passkeys.

PayPal

Launched passkey support for consumer accounts. Uses passkeys as a primary authentication factor with fallback to password + MFA.

Tradeoffs

Strengths

  • Phishing-resistant by design -- credentials are origin-bound
  • No shared secrets -- server breach doesn't expose credentials
  • Replay-resistant via challenge-response protocol
  • Biometric verification provides strong user binding
  • Eliminates credential stuffing, brute force, and password spray attacks
  • Synced passkeys solve the device-loss problem

Weaknesses

  • Ecosystem lock-in for synced passkeys (Apple, Google, Microsoft)
  • Account recovery becomes the hardest security problem
  • Limited cross-platform portability (improving with password manager support)
  • Not yet universally supported by all platforms and browsers
  • Enterprise adoption requires hardware security key procurement and management
  • User education needed -- many users don't understand the concept yet

Likely Follow-Up Questions

  • How would you design an account recovery system for a passkey-only authentication platform?
  • What are the trade-offs between synced passkeys and device-bound passkeys?
  • How do passkeys prevent phishing attacks at a technical level?
  • How would you handle the migration from password-based auth to passkeys for an app with millions of users?
  • What role do passkeys play in a zero-trust security architecture?
  • How do attestation policies work and when would you use them?

Source: editorial — Passkeys deep dive covering FIDO2/WebAuthn architecture, cryptographic foundations, migration strategies, and enterprise deployment for interview preparation.
