Passkey
What is Passkey?
A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
A passkey is a public-key credential, created and stored by an authenticator (smartphone, security key, or platform keychain) and registered with a relying party. It builds on two standards: the W3C WebAuthn API (Level 1 became a Recommendation on 4 March 2019, Level 2 on 8 April 2021, with Level 3 in draft) and the FIDO Alliance's CTAP2 client-to-authenticator protocol — together marketed as FIDO2. To sign in, the user unlocks the authenticator with biometrics or a PIN; the device signs a server-issued, single-use challenge with the private key, and the server verifies the signature against the registered public key.
Because the private key never leaves the secure element and the assertion is cryptographically bound to the relying-party origin (the rpId), passkeys defeat password reuse, credential phishing, replay, and most adversary-in-the-middle proxy kits such as Evilginx — the signed origin will not match the attacker's domain. Apple introduced consumer passkeys at WWDC 2022; Google made them the default sign-in option in 2023 and Microsoft followed for consumer accounts in 2024. Synced passkeys (iCloud Keychain, Google Password Manager, 1Password) recover across a user's devices, while device-bound passkeys on hardware keys like YubiKeys offer the highest assurance for workforce use. Residual risks centre on account-recovery fallbacks and the trust placed in cloud sync providers.
flowchart TD
subgraph Registration
A[User] -->|unlock biometric/PIN| B[Authenticator generates key pair]
B -->|public key + credential ID| C[Relying Party stores public key]
end
subgraph Authentication
D[Server sends random challenge] --> E[Authenticator signs challenge<br/>with private key, bound to rpId]
E -->|signed assertion| F{Signature valid<br/>and origin matches?}
F -->|Yes| G[Access granted]
F -->|No| H[Rejected - phishing/replay blocked]
end

● Examples
- 01 Signing in to Google with the passkey stored in iCloud Keychain on an iPhone.
- 02 A workforce passkey on a YubiKey used to authenticate to Microsoft Entra ID.
● Frequently asked questions
What is Passkey?
A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response. It belongs to the Identity & Access category of cybersecurity.
What does Passkey mean?
A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
How do you defend against Passkey?
Passkeys are themselves a defensive control rather than a threat; the residual risks to manage are the account-recovery fallbacks and the trust placed in cloud sync providers, as noted in the full definition above.
What are other names for Passkey?
Common alternative names include: FIDO passkey, Synced credential.