How does passkey work: Understanding what passkeys are
Passkeys are an emerging feature that ensures better cyber security; a passkey works like a keyhole where only you have the key that fits. Passkeys stand in for passwords, and as passkeys replace passwords, they should also be more stable, more secure and easier for users to remember and use. By learning about these concepts, you’re one step closer to effective awareness training, which you can learn more about on our awareness training page.
What are passkeys?
Passkeys allow you to access online portals without using passwords. You avoid having to remember passwords and go through two-factor authentication, which some users may find inconvenient and time-consuming. Instead of multi-factor authentication, you simply choose the form of confirmation that you want to use when logging on to a particular site. Password managers can help manage passkeys, providing a secure and effortless authentication method. If you are interested in learning about multi-factor authentication, you can find everything in our guide on multi-factor authentication.
Types of passkeys
Passkeys can be categorized into two main types: device-bound passkeys and multi-device passkeys. Each type offers unique benefits tailored to different user needs.
- Device-bound passkeys: These passkeys are tied to a specific device, such as a smartphone or laptop. They provide an additional layer of security because they cannot be easily transferred to another device. This means that even if someone gains access to your online accounts, they would still need your specific device to log in. Device-bound passkeys are particularly useful for those who prioritize security over convenience, ensuring that their private key remains securely on their own device.
- Multi-device passkeys: Unlike device-bound passkeys, multi-device passkeys are synced across multiple devices. This allows users to access their accounts from any device that has the passkey stored. For instance, if you use Google Password Manager, your passkeys can be accessed from your Android device, laptop, or tablet. This type of passkey is more convenient for users who frequently switch between devices, providing seamless access without compromising security.
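A website can tell the two types apart from the flags byte in the WebAuthn authenticator data that accompanies a passkey sign-in. The parser below is an added example, not part of the original article; the flag bits and byte layout follow the WebAuthn specification, while the function names, the site policy and the sample inputs are constructed for illustration.

```javascript
// Flag bits in the authenticator data, as defined by the WebAuthn specification.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

// Layout: 32-byte hash of the site ID, 1 flags byte, 4-byte big-endian counter.
function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const flags = buf[32];
  const parsed = {
    rpIdHash: buf.subarray(0, 32).toString('hex'),
    userPresent: (flags & FLAGS.UP) !== 0,    // someone interacted with the device
    userVerified: (flags & FLAGS.UV) !== 0,   // fingerprint, face or PIN was checked
    backupEligible: (flags & FLAGS.BE) !== 0, // key is allowed to sync
    backedUp: (flags & FLAGS.BS) !== 0,       // key is currently synced
    signCount: buf.readUInt32BE(33),
  };
  // "Backed up" without "backup eligible" is not a valid combination.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error('invalid flags: backed up but not backup eligible');
  }
  parsed.kind = parsed.backupEligible ? 'multi-device' : 'device-bound';
  return parsed;
}

// Hypothetical site policy: accounts marked high-risk accept only
// device-bound passkeys, and every login must include user verification.
function acceptLogin(parsed, highRiskAccount) {
  if (!parsed.userPresent || !parsed.userVerified) return false;
  if (highRiskAccount && parsed.kind !== 'device-bound') return false;
  return true;
}

// Constructed sample input: placeholder hash bytes, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const buf = Buffer.alloc(37, 0xab);
  buf[32] = flags;
  buf.writeUInt32BE(signCount, 33);
  return buf;
}

const securityKey = parseAuthenticatorData(sampleAuthData(0x05, 7)); // UP | UV
const syncedKey = parseAuthenticatorData(sampleAuthData(0x1d, 0)); // UP | UV | BE | BS
console.log(securityKey.kind, acceptLogin(securityKey, true)); // device-bound true
console.log(syncedKey.kind, acceptLogin(syncedKey, true)); // multi-device false
```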
How do passkeys work with public key cryptography?
When you log on or sign up to a website, the website will ask you which device you want to use for authentication; this could be a smartphone, computer or tablet. When you register a device, two cryptographic keys are generated: one is private and uniquely made for you, while the other is a public key that is shared with the website or application you want to sign in to.
Each time you try to connect to these websites or applications, a “riddle” is sent to your device - a “question” to which only the user, holding the unique key pair, knows the answer. Once the question has been solved with the key, your device will ask for permission and confirmation that it is you who wants to use the key - this is done just like when you unlock your devices, whether it is a fingerprint, facial recognition, a PIN code or something else that needs to be entered.
Biometric authentication methods, such as fingerprints and facial recognition, contribute to the unhackable nature of passkeys, allowing them to resist phishing attempts and breaches while facilitating easier access across devices.
Public key cryptography underpins the authentication process, wherein a key pair is generated—one public key is shared with the service, while the private key is securely stored on the user's device, ensuring that sensitive information is not transmitted over the network.
Once the key has been used and verified, it goes into a keychain that contains all the different keys you have for various websites and applications. A new feature means that this keychain is stored in online storage, e.g. Google Drive, Apple’s iCloud, or Microsoft’s OneDrive, depending on the software on your device.
This makes your passkeys available to all the devices you have connected to that operating system; for example, if you log in with your iPhone, you’ll have the keychain on your iPhone, iPad, and MacBook. The keys are stored in an encrypted folder online that only you, the user, can access.
To sum up:
- You log on to a website
- You choose which device to use
- Two cryptographic keys are generated; one unique for you, and one public for the website
- When you log in, the key will allow the forwarding of an authentication
- You authenticate the forwarding with a fingerprint, facial recognition, PIN or similar.
- Your key is stored online and your keys are shared across devices
You can then log on to websites and applications without a password, using passkeys instead.
An example of device-bound passkeys in a more practical sense
Understanding how passkeys work can be a bit tricky, so here’s how they work in practice:
Imagine that you want to sign up to a website - one that supports passkeys, mind you. You start by creating a user account and choose to secure it with passkeys instead of the classic password.
The server on the website shares some information about the site, and asks you to confirm the device you will authenticate with; it can be either your phone, computer or tablet.
A passkey is then created specifically for the website you are logging into. All this happens locally on your device. Once the two cryptographic keys are created, the public one is sent to the website and the unique key remains safely on your device.
The next time you log into the website it will make a “challenge”, like the aforementioned “question” - your authenticator will then answer this question using your unique key, and then send a final signature to the website. Finally, the website uses its public key (which matches your unique key) to verify the signature. And then you’re done!
Services that support passkeys
A growing number of services are adopting passkey technology to provide a more secure and convenient login experience for their users. Here are some notable services that support passkeys:
- Google: Google has integrated passkey support across its ecosystem, including the Google password manager. This allows users to access their Google accounts using passkeys, enhancing security and simplifying the login process.
- Microsoft: Microsoft has also adopted passkey technology, enabling users to access their Microsoft accounts with passkeys. This integration helps to replace passwords with a more secure and user-friendly authentication method.
- Amazon: Amazon has started to support passkeys, allowing users to log in to their Amazon accounts using this secure method. This move aims to improve online security and reduce the risk of account breaches.
- GitHub: GitHub, a popular platform for developers, has embraced passkey technology to provide a more secure login experience. By using passkeys, GitHub ensures that developers can access their accounts safely and efficiently.
- Dropbox: Dropbox, a leading cloud storage service, has also integrated passkey support. This allows users to access their accounts using passkeys, offering a more secure and convenient way to manage their online storage.
By adopting passkey technology, these services are taking significant steps to enhance online security and provide a better user experience.
The benefits of using passkeys instead of passwords
There are many reasons why passkeys are easier and better to use than traditional passwords. So we’ll present some to you here:
A mobile device can serve as an authenticator that enhances convenience, speed, and security by enabling quick and secure logins using biometrics, such as fingerprint or facial recognition, especially when synced across multiple devices.
All passkeys are unique and thus stronger
As you may know, most password recovery systems ask you to create strong passwords. They need to be longer and more unique, with numbers, unique characters and upper and lower case letters. If you use passkeys, you don’t have to worry about coming up with a unique password - where you’ll end up reusing your old passwords anyway, which are also not hard for hackers to crack. That’s why passkeys are optimal to use, since you don’t have to think about making passwords and can leave the complicated stuff to the devices you use for it.
Your unique key is not shared with the website you are logging into
Unlike passwords, your passkey is not shared with the website you are logging into. Your passkey is stored on your own device and the online storage you’ve linked it to - nowhere else. The website you sign up to stores only the public key used to log in to the website.
Your public key cannot be used to track down your unique key
You also don’t have to worry about your unique key being traced through the public key that websites hold. So if a cybercriminal hacks a website where you have an account, they can’t use the public key to find your unique key and hack your profile.
Passkeys are a secure tool to avoid phishing attacks and social engineering
Hackers will most often impersonate others, or create social media-like websites where you have to create a login. By signing up to them, you give the hacker free access to your computer and data. But if you use passkeys, which belong to WebAuthn (short for web authentication), you avoid falling into the hacker’s trap. WebAuthn verifies websites to make sure they are safe to use.
If you're curious about how phishing works, learn more in our blog post. Likewise, you can explore the tactics behind social engineering here.
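The challenge-and-signature login described earlier and the phishing resistance described in this section, sketched as an added example that is not part of the original article. It assumes a simplified model: the class names, origins and user are constructed, the device signs only the challenge and the origin, and each passkey is scoped to an exact hostname, whereas real WebAuthn signs additional data.

```javascript
const crypto = require('crypto');
// Simplified model with hypothetical names; real WebAuthn signs more fields.
class Authenticator { // the user's device; private keys never leave it
  constructor() { this.privateKeys = new Map(); }
  register(origin) {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(new URL(origin).hostname, pair.privateKey);
    return pair.publicKey; // only the public key is sent to the website
  }
  answer(origin, challenge) {
    const key = this.privateKeys.get(new URL(origin).hostname); // scoped to the site
    if (!key) return null; // no passkey for this site, so nothing is signed
    const clientData = JSON.stringify({ challenge, origin });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}
class Website { // stores public keys and issues one-time challenges
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();
    this.pending = new Set();
  }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, response) {
    const publicKey = this.publicKeys.get(user);
    if (!publicKey || !response) return false;
    const { challenge, origin } = JSON.parse(response.clientData);
    if (origin !== this.origin) return false;          // signed for another site
    if (!this.pending.delete(challenge)) return false; // unknown or already used
    const data = Buffer.from(response.clientData);
    return crypto.verify('sha256', data, publicKey, response.signature);
  }
}
// Constructed scenario: a real login, a replay of it, and a lookalike site.
function demo() {
  const device = new Authenticator();
  const site = new Website('https://shop.example');
  site.enroll('alice', device.register(site.origin));
  const login = device.answer(site.origin, site.newChallenge());
  const relayed = device.answer('https://shop-example.test', site.newChallenge());
  return { first: site.verify('alice', login), replay: site.verify('alice', login),
    lookalike: site.verify('alice', relayed) };
}
console.log(demo());
```

The first login verifies, the replayed response is rejected because its challenge was already consumed, and the lookalike site gets nothing to forward because the device holds no key for that hostname.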
The future of passkeys to replace passwords
It's a bright future for ease of use when it comes to secure web browsing - especially for those of us who can't remember long, difficult passwords. The good thing about passkeys is that you can't write them down on a piece of paper - as opposed to having passwords stolen this way. Passkeys are a secure system that even avoids having to remember passwords and other security measures.
Work is underway to transfer keys between "ecosystems", i.e. Windows, Apple, Google, etc. This is still a problem if you want to switch systems - you have to transfer the keys manually; it would be preferable to be able to transfer them easily between ecosystems. This is being discussed precisely because as a user you verify each key to avoid a virus going in and transferring all the unique keys you have. It is first and foremost about cyber security, which is the cornerstone of passkeys.
This post has been updated on 31-01-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.