For decades, passwords have been the primary mechanism for authenticating users on the web. Despite incremental improvements like complexity rules and periodic rotation, passwords remain:

  • Hard to remember and frustrating to type
  • Frequently reused across sites
  • Highly vulnerable to phishing attacks

Phishing attacks in particular have become increasingly sophisticated and common, making passwords—and even passwords combined with OTPs—a weak foundation for modern security.

This has led to a shift toward passwordless authentication, with passkeys emerging as the most promising and widely supported approach.


Why Passkeys?

Passkeys are designed to be both simpler for users and significantly safer for applications.

Faster and Easier

Passkeys remove the need to remember or type secrets:

  • Users authenticate using biometrics (fingerprint, face recognition)
  • Or a device PIN they already know
  • No password creation, storage, or resets

The result is a smoother, one‑step sign‑in experience.

More Secure by Design

Passkeys improve security fundamentally, not incrementally:

  • No shared secrets are sent over the network
  • Credentials are phishing‑resistant and origin‑bound
  • Server breaches expose only public keys, not usable credentials
  • Passkeys can be securely synced across a user’s devices via trusted platforms

How Passkeys Work

At a high level, passkeys rely on public‑key cryptography, with native support built into modern browsers and operating systems.

Passkey Registration

  1. A web application or mobile app prompts the user to set up a passkey (either during sign‑up or after login).

  2. The user accepts the request.

  3. The browser or OS creates an asymmetric key pair.

  4. The public key is shared with the server (or identity provider).

  5. The private key is stored securely on the user’s device, protected by:

    • Biometrics, or
    • A device PIN

The private key never leaves the device.

Authentication with a Passkey

When the user signs in:

  1. The server sends a cryptographic challenge.
  2. The device asks the user to verify themselves (biometric or PIN).
  3. The device signs the challenge using the private key.
  4. The server verifies the signature using the stored public key.

If verification succeeds, the user is authenticated—without any password being transmitted or stored.


Authentication Factors Explained

Authentication systems traditionally rely on one or more factors:

  1. Something you know. Examples: passwords, PINs

  2. Something you have. Examples: phones, security keys, smart cards

  3. Something you are. Examples: fingerprints, facial recognition

Modern systems may also consider:

  • Somewhere you are (location, network)
  • Something you do (behavioral patterns)

Where Passkeys Fit

Passkeys primarily prove:

Something you have — the private cryptographic key

That key is unlocked locally using:

  • Something you are (biometric), or
  • Something you know (device PIN)

Importantly, biometrics and PINs are never sent to the server—they only unlock access to the private key on the device.


FIDO and WebAuthn

Passkeys are built on open standards:

  • WebAuthn — a browser API for passwordless authentication
  • FIDO2 — standards for secure, phishing‑resistant authentication

These standards are supported natively by modern browsers and operating systems, ensuring:

  • Interoperability across platforms
  • Strong hardware‑backed security
  • Vendor‑neutral adoption

Conclusion

Passwords were never designed for today’s scale or threat landscape. Phishing, credential reuse, and data breaches have made them a persistent liability.

Passkeys represent a fundamental shift:

  • From shared secrets to cryptographic proof
  • From user memory to device trust
  • From reactive security to built‑in phishing resistance

By adopting passkeys, applications can deliver better security and a better user experience at the same time—a rare and powerful combination.

Passwordless authentication is no longer a future concept. With passkeys, it is ready today.

