Passkeys: what they are, and how they work

We all use passwords every day to sign in to our devices and online accounts. But that doesn’t mean they’re a perfect solution.

If you don’t have a password manager, it can be challenging to create and remember hundreds of strong passwords. Many people give up and use the same password, or a few predictable passwords, which makes it easier for cybercriminals to hijack their accounts.

Enter passkeys. You may have heard of them in the news, and with good reason. Many companies (including 1Password!) are excited by this technology’s potential to be a simple, fast, and secure sign-in solution for everyone. Here, we’ll break down what passkeys are, how they work, and some of the benefits they offer over traditional passwords.

What are passkeys?

Passkeys allow you to create online accounts and sign in to them without entering a password.

When passkeys are implemented correctly, you don’t have to type anything out. You don’t have to enter a two-factor authentication code. And you don’t have to worry about whether someone is trying to trick you with a scam website.

Instead, you simply need your chosen authenticator – which, in the context of passkeys, could be your phone, tablet, or PC. Your device will ask you to authenticate using your face or fingerprint as a security measure, but that’s it.

By now, you’re probably thinking: “Okay, that sounds great. But how is this possible?” Let’s tackle that question next.

How passkeys work

Passkeys leverage an API called WebAuthn, or Web Authentication. The API was jointly developed by the FIDO Alliance, an open industry association that wants to reduce the world’s reliance on passwords, and the World Wide Web Consortium (W3C), a community that works together to develop new standards and guidelines for the web.

Instead of a traditional password, WebAuthn uses public and private keys – otherwise known as public-key cryptography – to check that you are who you say you are. Public and private keys are mathematically linked to one another. You can think of them like interlocking puzzle pieces; they’re designed to go together, and you need both pieces to authenticate successfully.

As the name implies, the public key can be shared publicly. That means the website or app you want to sign in to can see and store your public key. The private key, meanwhile, is kept secret and safe. It’s used to decrypt data that’s been encrypted with your public key.

Unlike a traditional password, the private key is never shared with the site you want to sign in to, or stored on their servers.

How passkeys differ from what’s come before

WebAuthn isn’t a new idea. The project was started in 2016, and the WebAuthn Level 1 standard was published as a W3C recommendation three years later. Today, the API is supported by many browsers, including Chrome, Safari, and Edge.

But the standard is yet to go fully mainstream. Few websites offer a passwordless login experience right now, so most people still use a traditional username and password for all of their online accounts.

Passkeys make it easier for everyone to use passwordless authentication across all of their devices. Perhaps more importantly, they’re backed by influential technology companies including Apple, Google, Microsoft, and … us! By championing passkeys together, this group can raise awareness and, by extension, overall adoption around the world.

What happens when you create and use a passkey

Let’s break down how passkeys work in practice.

Imagine that you visit a website that supports passkeys. First, you create an account and choose the option to secure it with a passkey, rather than a traditional password.

The website’s server shares some information about the website, and asks you to confirm your authenticator. This could be your phone, tablet, PC … or, in the not-so-distant future, a password manager like 1Password. More on that later.

A passkey – which includes your public and private key pair – is then generated for that specific website. This happens locally, on your device. The public key is sent to the website’s server for storage, while the private key remains securely stored in your authenticator.

The next time you sign in, the website will create a “challenge,” which is a bit like a puzzle. Your authenticator will “sign” the challenge using your private key, then send the completed “signature” to the website. Finally, the website uses their copy of your public key to verify the signature’s authenticity.

And that’s it! You’ve signed in using your unique passkey.

The benefits of passkeys

Here are just a few reasons why passkeys are a simple and secure login solution:

  • Every passkey is strong by default. You don’t have to create anything manually, or worry about whether your private key is long or random enough. You simply create an account and allow your authenticator to generate a secure public and private key pair on your behalf.

  • You don’t have to remember or type out your passkeys. Your private key is stored on your device, and retrieved automatically when you want to sign in to your account. A copy of your public key is stored with the account provider so you never have to type it out or even autofill it.

  • Your private key is never shared with the website you want to sign in to. That means you don’t have to worry about how the website is storing your credentials, because the public key on its own can’t be used to gain access to your account even if it were to be stolen.

  • Your public key can’t be used to figure out your private key. If a criminal breaches a website’s servers, the best they can hope to find is your public key, which can’t be used to sign in to your account and can’t be reverse-engineered to reveal your private key.

  • Passkeys are a strong defense against phishing and social engineering attacks. Criminals will often create fake but seemingly authentic websites to try to trick you into sharing your login details. WebAuthn protects you by ensuring that you never share your credentials with untrusted websites.
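The create-and-sign-in steps described earlier, and the phishing protection in the last bullet, can be seen in one small simulation. This is an added example, not 1Password's code and not the WebAuthn API itself: it uses Node's built-in crypto module with a P-256 key pair and a simplified message layout. The function names (register, newChallenge, signIn, verify, demo) and the example.test domains are made up for illustration.

```javascript
// Added example: a simplified passkey sign-in, using Node's built-in crypto.
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Registration: the authenticator generates a key pair for one website.
// Only the public key is handed to the server; the private key stays local.
function register(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Server: a fresh random challenge for every sign-in attempt.
const newChallenge = () => nodeCrypto.randomBytes(32).toString("base64url");

// Authenticator and browser: sign the challenge together with the origin the
// browser is really on (simplified stand-ins for WebAuthn's authenticator
// data and client data; real authenticator data also has flags and a counter).
function signIn(authenticator, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const authData = sha256(authenticator.rpId);
  const signature = nodeCrypto.sign("sha256", Buffer.concat([authData, sha256(clientData)]), authenticator.privateKey);
  return { clientData, authData, signature };
}

// Server: check the signature with the stored public key, then check that it
// covers this session's challenge and this site's origin.
function verify(serverRecord, expectedChallenge, expectedOrigin, { clientData, authData, signature }) {
  const signed = Buffer.concat([authData, sha256(clientData)]);
  if (!nodeCrypto.verify("sha256", signed, serverRecord.publicKey, signature)) return "bad signature";
  const { challenge, origin } = JSON.parse(clientData.toString());
  if (challenge !== expectedChallenge) return "stale or wrong challenge";
  if (origin !== expectedOrigin) return "wrong origin";
  if (!authData.equals(sha256(serverRecord.rpId))) return "wrong rpId";
  return "ok";
}

// Constructed scenario; example.test and examp1e.test are made-up domains.
function demo() {
  const site = "https://example.test";
  const { authenticator, serverRecord } = register("example.test");
  const first = newChallenge();
  const genuine = signIn(authenticator, first, site);
  const lookalike = signIn(authenticator, first, "https://examp1e.test");
  return {
    genuine: verify(serverRecord, first, site, genuine),
    lookalike: verify(serverRecord, first, site, lookalike),
    replay: verify(serverRecord, newChallenge(), site, genuine),
  };
}
console.log(demo());
```

In a real browser the passkey would not even be offered on the look-alike origin; the simulation signs there anyway to show that the server would still reject the result, because the origin is part of what gets signed.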

1Password and passkeys

Here at 1Password, we’re excited by the potential of passkeys. That’s why we joined the FIDO Alliance, which includes other passkey supporters like Apple, Google, and Microsoft. Together, we have the opportunity to build safe, simple, and fast login solutions for everyone.

We’re already working to integrate passkeys into our password manager, so you can continue to manage and protect everything that’s important in your digital life. That includes passkeys, passwords, credit and debit cards, addresses, medical records, software license keys, documents, secure notes, and more.

The bottom line

Passkeys are a promising step forward for passwordless authentication. They make it simple to use your existing devices to sign in, rather than a hardware security key. (We love hardware security keys, but appreciate that many people don’t want to buy or carry around a separate device.)

If you want to learn more about our thoughts on passkeys, WebAuthn, and everything else related to passwordless authentication, check out:

Nick Summers - Content Marketing Manager