What are passkeys and how do they work?

If you don’t have a password manager, it’s challenging to create and remember hundreds of strong passwords. Many people give up and use the same password for everything, or a few predictable passwords, which makes it easier for cybercriminals to hijack their accounts.

Enter passkeys. You may have heard of them in the news, and with good reason. Many companies (including 1Password!) are excited by this technology as a simple, fast, and secure sign-in solution. Here, we’ll break down what passkeys are, how they work, and some of the benefits they offer over traditional passwords.

What are passkeys?

Passkeys allow you to create and sign in to online accounts without a password.

When you use a passkey, you don’t have to memorize or type anything out, or enter a two-factor authentication (2FA) code. And, if you land on a fake but convincing (phishing) website, your passkeys won’t work, stopping you from sharing any sensitive information by mistake.

Signing in with a passkey is dead simple. As a security measure, you’ll be asked to authenticate with biometrics (i.e. your face or fingerprint) or, as a fallback, your device’s passcode. Successfully authenticate and that’s it – you’re logged in!

By now, you’re probably thinking: “Okay, that sounds great. But how is this possible?” Let’s tackle that question next.

How passkeys work

Unlike traditional passwords, passkeys utilize public-key cryptography. That means every passkey has two parts: a public key and a private key. Together, they keep your accounts secure by allowing websites and apps to check that you are who you say you are.

But how?

Public and private cryptographic key pairs are mathematically linked to one another. You can think of them like interlocking puzzle pieces – they’re designed to go together, and you need both pieces to authenticate successfully.

As the name implies, the public key can be shared publicly. That means the website or app you want to sign in to can see and store your public key. The private key, meanwhile, is kept secret and safe. It’s never shared with the website or app you want to sign in to, or stored on their servers.

What happens when you create and use a passkey to log in to your favorite apps and websites

Let’s break down how passkeys work in practice.

Imagine you visit a website that supports passkeys. First, you follow the prompts to create an account with a passkey, rather than a traditional password.

Behind the scenes, the website’s server will share some information about the website. You’ll then be prompted to confirm where your private key will be stored. That could be a device like your phone, tablet, or PC, or a secure password manager like 1Password.

A new passkey – which includes your public and private key pair – will then be generated for that specific website. The public key will be sent to the website’s server for storage, while the private key is kept secure on your device or in your password manager.

This process happens behind the scenes, and near instantaneously.

The next time you visit the website, you won’t have to enter a traditional password. Instead, you’ll be asked to authenticate using biometrics. That could be Face ID, Touch ID, Windows Hello, your device passcode, or a similar method.

Once you’ve authenticated, that’s it! The website or app will grant access to your account.

The benefits of passkeys

Here are just a few reasons why passkeys are a simple and secure login solution:

• Every passkey is strong by default. You don’t have to create anything manually, or worry about whether your private key is long or random enough. When you choose to use a passkey, the public and private key pair is generated for you, securely, within seconds.
• You don’t have to remember or type out your passkeys. You only need to authenticate with biometrics (or your device passcode) to sign in to your account. There’s nothing to memorize and nothing else to type.
• Your private key is never shared with the website you want to sign in to. That means you don’t have to worry about how the website is storing your credentials. Your private key is always kept private, and the public key is useless on its own.
• Your public key can’t be used to figure out your private key. If a criminal breaches a website’s servers, the best they can hope to find is your public key, which can’t be used to sign in to your account and can’t be reverse-engineered to reveal your private key.
• Passkeys are a strong defense against social engineering and phishing attacks. Criminals will often create fake but seemingly authentic websites to trick you into sharing your login details. WebAuthn protects you by ensuring that you never share your credentials with untrusted websites.
• Passkeys offer an improved user experience. Signing in with a passkey is more convenient, faster, and smoother than when using traditional passwords. That means you spend less time logging in and more time getting on with why you visited the website in the first place.

Start using passkeys in 1Password

Here at 1Password, we’re excited about passkeys. That’s why we joined the FIDO Alliance, which includes other passkey supporters like Apple, Google, and Microsoft. Together, we have the opportunity to build safe, simple, and fast login solutions for everyone.

There are two ways you can use passkeys with 1Password:

• Save and sign in with passkeys using 1Password. Create and use passkeys to sign in to websites and apps like Amazon, eBay, and TikTok. Store your passkeys securely in 1Password, organize them with vaults and tags, and share them with co-workers, family members – anyone who needs access.
• Unlock 1Password with a passkey. Streamline your digital life by unlocking your password manager with a passkey instead of an account password.

The bottom line

Passkeys are a promising step forward for passwordless authentication. They’re secure, easy to create, and let you sign in to accounts in a flash.

If you want to learn more about passkeys, check out:

• The passkeys section of our website
• This special episode of the Random but Memorable podcast, which explores all things passwordless
• Our community-driven passkey directory
• Passkeys vs. passwords: What are the differences?

Nick Summers

Content Marketing Manager