passkey - dwilson2547/wiki_demo GitHub Wiki
Passkeys are a modern, passwordless authentication technology designed to replace traditional passwords and multi-factor authentication (MFA) methods like SMS codes or authenticator apps. They leverage public-key cryptography and biometric authentication (e.g., fingerprint or facial recognition) to provide a more secure, convenient, and phishing-resistant way to log in to apps and websites.
Here’s a detailed explanation of passkeys:
- 1. What Are Passkeys?
- 2. How Passkeys Work
- 3. Key Features of Passkeys
- 4. Technical Underpinnings
- 5. Advantages of Passkeys
- 6. How Passkeys Differ from Traditional Authentication
- 7. Use Cases for Passkeys
- 8. How to Implement Passkeys
- 9. Security Considerations
- 10. Industry Adoption
- 11. Example: Using a Passkey
- 12. Challenges and Limitations
- 13. Future of Passkeys
- 14. Summary Table: Passkeys
- Passkeys are digital credentials tied to a user account and a specific device (e.g., smartphone, laptop).
- They use public-key cryptography to authenticate users without requiring passwords.
- Passkeys are phishing-resistant because they rely on cryptographic proofs rather than shared secrets.
- Public-Key Cryptography: Each passkey consists of a public key (stored by the website or app) and a private key (stored securely on the user’s device).
- Biometric or PIN Authentication: The private key is unlocked using the device’s built-in authentication (e.g., fingerprint, Face ID, or PIN).
- No Shared Secrets: Unlike passwords, the private key never leaves the device, making it immune to phishing and server breaches.
- User Initiates Registration: The user signs up for a service (e.g., a website or app) and chooses to create a passkey.
- Device Generates Key Pair: The user’s device generates a public-private key pair.
- Public Key Sent to Server: The public key is sent to the service’s server and associated with the user’s account.
- Private Key Stored Securely: The private key is stored securely on the device (e.g., in the Secure Enclave on iPhones or Trusted Platform Module (TPM) on PCs).
- User Initiates Login: The user attempts to log in to the service.
- Server Sends Challenge: The server sends a cryptographic challenge to the user’s device.
- Device Signs Challenge: The device uses the private key to sign the challenge, proving ownership of the public key.
- User Authenticates Locally: The user unlocks the private key using biometrics or a PIN.
- Device Sends Signed Response: The signed challenge is sent back to the server.
- Server Verifies Signature: The server verifies the signature using the stored public key. If valid, the user is authenticated.
| Feature | Description |
|---|---|
| Passwordless | Eliminates the need for passwords, reducing the risk of phishing and credential theft. |
| Phishing-Resistant | Private keys never leave the device, making passkeys immune to phishing attacks. |
| Cross-Platform | Passkeys sync across devices (e.g., iPhone, iPad, Mac) via iCloud Keychain or Google Password Manager. |
| Biometric Authentication | Uses device-native biometrics (e.g., Face ID, Touch ID, or PIN) for user verification. |
| FIDO2 Standard | Built on the FIDO2 and WebAuthn standards, ensuring broad compatibility. |
| No Shared Secrets | Private keys are never transmitted or stored on servers, reducing the risk of breaches. |
- Passkeys are built on the FIDO2 standard, which includes:
- WebAuthn: A web API that allows browsers to interact with authenticators (e.g., devices) for passwordless authentication.
- CTAP (Client to Authenticator Protocol): Enables communication between devices (e.g., phones) and computers for authentication.
- Passkeys use asymmetric cryptography:
- Public Key: Shared with the service and used to verify signatures.
- Private Key: Stored securely on the device and used to sign challenges.
- Private keys are stored in hardware-secured modules (e.g., Secure Enclave on iPhones, TPM on PCs).
- Access to private keys requires local authentication (e.g., biometrics or PIN).
| Advantage | Description |
|---|---|
| Security | Resistant to phishing, credential stuffing, and server breaches. |
| Convenience | No need to remember or type passwords; authentication is fast and seamless. |
| User Experience | Uses familiar device authentication methods (e.g., Face ID, Touch ID). |
| Cross-Device Sync | Passkeys sync across devices via cloud services (e.g., iCloud, Google Password Manager). |
| Industry Support | Backed by major tech companies (e.g., Apple, Google, Microsoft, and the FIDO Alliance). |
| Feature | Passkeys | Traditional Authentication (Passwords, OTPs) |
|---|---|---|
| Authentication Method | Biometrics or PIN. | Passwords, SMS codes, or authenticator apps. |
| Phishing Resistance | Yes (private keys never leave the device). | No (passwords and OTPs can be phished). |
| User Experience | Seamless and fast. | Requires typing passwords or entering codes. |
| Server-Side Storage | Only the public key is stored. | Passwords or OTP secrets are stored, creating a risk of breaches. |
| Cross-Platform Support | Yes (via FIDO2 and WebAuthn). | Limited (e.g., SMS OTPs require phone connectivity). |
- Websites and Apps: Passkeys can replace passwords for logging into websites and apps (e.g., social media, banking).
- E-Commerce: Secure and convenient checkout experiences.
- Gaming: Passwordless login for gaming platforms.
- Employee Authentication: Secure access to corporate resources (e.g., VPNs, internal tools).
- Single Sign-On (SSO): Integration with SSO providers for seamless authentication.
- Smart Home Devices: Secure authentication for smart home apps.
- Wearables: Passwordless login for wearables (e.g., smartwatches).
-
Adopt WebAuthn: Use the WebAuthn API to enable passkey support in web apps.
- Example JavaScript code for registration:
const publicKeyCredentialCreationOptions = { challenge: new Uint8Array([...]), // Server-generated challenge rp: { name: "Example App", id: "example.com" }, user: { id: new Uint8Array([...]), name: "[email protected]", displayName: "User" }, pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256 algorithm }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions });
- Example JavaScript code for authentication:
const publicKeyCredentialRequestOptions = { challenge: new Uint8Array([...]), // Server-generated challenge rpId: "example.com", }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions });
- Example JavaScript code for registration:
-
Server-Side Integration: Store public keys and verify signatures on the server.
- Use libraries like WebAuthn4J (Java) or PyWebAuthn (Python) for server-side validation.
-
Support Cross-Platform: Ensure compatibility with FIDO2 and CTAP for cross-device authentication.
- Create a Passkey: When prompted by a website or app, follow the device’s instructions to create a passkey (e.g., use Face ID or Touch ID).
- Use a Passkey: Authenticate using biometrics or PIN when logging in.
- Private keys are stored in hardware-secured modules (e.g., Secure Enclave, TPM), making them resistant to extraction.
- Access to private keys requires local authentication (e.g., biometrics or PIN).
- Passkeys are phishing-resistant because the private key never leaves the device, and authentication is tied to the relying party (RP) ID (e.g.,
example.com).
- Passkeys can be synced across devices via cloud services (e.g., iCloud Keychain, Google Password Manager).
- Users can recover passkeys by signing in to their cloud account on a new device.
- Passkeys support cross-device authentication (e.g., using a phone to authenticate on a laptop via Bluetooth or QR codes).
- Apple: Introduced passkey support in iOS 16, macOS Ventura, and iPadOS 16.
- Google: Added passkey support in Android 9+ and Chrome.
- Microsoft: Supports passkeys in Windows 10/11 and Edge.
- FIDO Alliance: Promotes passkeys as part of the FIDO2 standard.
- A user visits
example.comand selects "Create a Passkey". - The website sends a challenge to the user’s device.
- The device prompts the user to authenticate (e.g., using Face ID).
- The device generates a key pair, sends the public key to the website, and stores the private key securely.
- The user returns to
example.comand selects "Log In with Passkey". - The website sends a challenge to the user’s device.
- The device prompts the user to authenticate (e.g., using Face ID).
- The device signs the challenge with the private key and sends the signed response to the website.
- The website verifies the signature using the public key and logs the user in.
| Challenge | Description |
|---|---|
| Legacy Systems | Older devices or browsers may not support passkeys. |
| User Education | Users may be unfamiliar with passkeys and require guidance. |
| Cross-Platform Sync | Syncing passkeys across ecosystems (e.g., Apple to Android) can be challenging. |
| Backup Dependencies | Passkeys rely on cloud services (e.g., iCloud, Google) for backup and recovery. |
- Wider Adoption: More websites and apps are expected to adopt passkeys as the default authentication method.
- Standardization: Continued development of FIDO2 and WebAuthn standards.
- Interoperability: Improved cross-platform and cross-ecosystem support.
| Aspect | Description |
|---|---|
| Purpose | Replace passwords with a secure, passwordless authentication method. |
| Technology | Public-key cryptography, FIDO2, WebAuthn. |
| Authentication Method | Biometrics (e.g., Face ID, Touch ID) or PIN. |
| Security | Phishing-resistant, no shared secrets, hardware-secured private keys. |
| User Experience | Seamless and fast; no need to remember passwords. |
| Cross-Platform | Syncs across devices via cloud services (e.g., iCloud, Google Password Manager). |
| Industry Support | Backed by Apple, Google, Microsoft, and the FIDO Alliance. |
Passkeys represent a major leap forward in authentication security and usability. By eliminating passwords and leveraging public-key cryptography and biometric authentication, they provide a secure, convenient, and phishing-resistant way to log in to apps and websites.
Would you like to explore how to implement passkeys in a web app, how passkeys compare to hardware security keys, or how to migrate from passwords to passkeys?