
Users can select an account to sign in with. Typing the username is not required.

Users can authenticate using the device's screen lock, such as a fingerprint sensor, facial recognition or PIN.

Once a passkey is created and registered, the user can seamlessly switch to a new device and immediately use it without needing to re-enroll (unlike traditional biometric auth, which requires setup on each device).

Passkeys protect users from phishing attacks. Passkeys work only on their registered websites and apps; a user cannot be tricked into authenticating on a deceptive site because the browser or OS handles verification.

Developers only save a public key to the server instead of a password, meaning there's far less value for a bad actor to hack into servers, and far less cleanup to do in the event of a breach.

Passkeys reduce costs by avoiding the need to send SMS, making them a safer and more cost-effective means for authentication.
What are passkeys?
A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords.
To create a passkey for a website or application, a user first must register a passkey with that website or application.
- Go to the application and sign in using the existing sign-in method.
- Click the Create a passkey button.
- Check the information stored with the new passkey.
- Use the device screen unlock to create the passkey.
When they return to this website or app to sign in, they can take the following steps:
- Go to the application.
- Tap on the account name field to show a list of passkeys in an autofill dialog.
- Select their passkey.
- Use the device screen unlock to complete the login.
You can try passkeys in this demo

Signing in with biometrics might give users the false impression that sensitive information is being sent to the server. In reality, biometric material never leaves the user's personal device.

Passkeys on their own don't allow tracking users or devices between sites. The same passkey is never used with more than one site. Passkey protocols are carefully designed so that no information shared with sites can be used as a tracking vector.
Passkeys use public key cryptography.
Public key cryptography reduces the threat from potential data breaches. When a user creates a passkey with a site or application, this generates a public–private key pair on the user's device. Only the public key is stored by the site, but this alone is useless to an attacker. An attacker can't derive the user's private key, which is required to complete authentication, from the data stored on the server.
Resistant to phishing attacks
Because passkeys are bound to a website or app's identity, they're resistant to phishing attacks. The browser and operating system ensure that a passkey can only be used with the website or app that created it. This frees users from being responsible for signing in to the genuine website or app.
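The two properties above can be seen in how a server checks a sign-in. The following Node.js sketch is an added example, not code from this page or from any passkey library: it is a simplified model of WebAuthn assertion verification, and the function names and the example.com / example-login.test origins are constructed for illustration. It omits CBOR parsing of the stored key and the signature counter check.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Stand-in for browser + authenticator: signs for the origin actually being
// visited. The private key stays on this side and is never sent to the server.
function signAssertion(privateKey, { origin, rpId, challenge }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  // authenticatorData = SHA-256(rpId) || flags (0x05 = UP|UV) || signCount
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: only the public key and the expected origin/RP ID are needed.
function verifyAssertion(publicKey, expected, { clientDataJSON, authenticatorData, signature }) {
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

// Constructed values: example.com is the registered site, example-login.test is not.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = crypto.randomBytes(32);
  const expected = { origin: 'https://example.com', rpId: 'example.com', challenge };
  const genuine = signAssertion(privateKey, expected);
  const otherSite = signAssertion(privateKey,
    { origin: 'https://example-login.test', rpId: 'example-login.test', challenge });
  return {
    genuine: verifyAssertion(publicKey, expected, genuine),
    otherOrigin: verifyAssertion(publicKey, expected, otherSite),
    // Genuine-looking fields carrying the signature made on the other site.
    splicedSignature: verifyAssertion(publicKey, expected, { ...genuine, signature: otherSite.signature }),
    staleChallenge: verifyAssertion(publicKey, { ...expected, challenge: crypto.randomBytes(32) }, genuine),
  };
}

console.log(demo());
```

Because the origin and the RP ID hash are inside the signed data, a response produced on any other site fails on the server even when it carries the correct challenge, and nothing the server stores is enough to produce a valid signature.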
Server side
Implementation guide for servers.
Android
Implementation guide for Android.
Web
Implementation guide for Web.
iOS
Implementation guide for iOS.