Passkeys are an authentication technology that logs a user into a website without using a username and password. Instead, passkeys log a person in using their already-authenticated personal device and a pair of cryptographic keys. Since passkeys use the same fingerprint, facial scan, or PIN the user unlocks their device with, they make logging into a website faster, easier, and more secure.
When someone first creates a passkey for an account, their device generates two cryptographic keys — one private key stored on their device, and one public key stored on the server of the website or service for the account. When they attempt to sign in, the server and the user's device do not exchange keys; instead, the server sends a random challenge to the user's device, which answers it by signing the challenge with the private key. The device sends that signature back to the server, which validates it using the stored public key. The private key never leaves the user's device, so the server never possesses both keys.
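The registration and challenge-response exchange described above, as an added example that is not code from the original article: it uses ECDSA on P-256 with SHA-256, the ES256 algorithm commonly used by passkeys, and the `Device` and `Server` types are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device keeps the private key; in a real passkey it never leaves the authenticator.
type Device struct{ priv *ecdsa.PrivateKey }
// Server stores only the public key registered for the account.
type Server struct{ pub *ecdsa.PublicKey }

// Register creates the key pair on the device and hands the server the public half only.
func Register() (*Device, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Server{pub: &priv.PublicKey}, nil
}
// NewChallenge issues a fresh random challenge for each login attempt.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Sign answers the challenge: the device signs its SHA-256 digest with the private key (ES256).
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the response against the stored public key and the challenge the server issued.
func (s *Server) Verify(challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, digest[:], sig)
}

func main() {
	dev, srv, _ := Register()
	ch, _ := srv.NewChallenge()
	sig, _ := dev.Sign(ch)
	fmt.Println("fresh challenge, registered key:", srv.Verify(ch, sig)) // true
	// A captured response cannot be replayed: the next login gets a different challenge.
	ch2, _ := srv.NewChallenge()
	fmt.Println("replayed response:", srv.Verify(ch2, sig)) // false
}
```

A signature from a different device's key fails verification the same way, which is why a compromised server holding only public keys gives an attacker nothing to log in with.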
By removing usernames and passwords from the process, passkeys can prevent several types of security problems. First and foremost, there are no usernames and passwords to steal — no weak passwords to guess, and no credentials vulnerable to a phishing scam. If a website's server is compromised, the attacker obtains only public keys, which cannot be used to sign in. If a user's device is stolen, a passkey login still requires a biometric scan or PIN entry before granting access.
NOTE: Using a passkey to log in to a website or service requires the support of the device's operating system and web browser. The passkey standard is a collaboration between Apple, Google, Microsoft, the FIDO Alliance, and the World Wide Web Consortium (W3C). This group is working together to include support for passkeys in their software and hardware devices.