Passkey

What is a Passkey?

A passkey is a relatively new and secure way to sign in to websites and apps. A password is no longer required; instead, you use a digital key that is stored on, for example, your phone, laptop, or tablet. Access to that digital key is protected with your fingerprint, facial recognition, or a PIN.

How Passkeys Work: Passwordless Sign-In

With traditional access security, you must use a unique, sufficiently strong password for each application. That requires considerable discipline from the user, and even then, there are numerous technical and social engineering tricks to obtain passwords anyway. These range from data breaches involving stolen passwords to phishing campaigns and keyloggers.

You avoid these vulnerabilities with passkeys. Passkeys use a verification protocol based on asymmetric cryptography, that is, a public/private key pair. A unique private key lives on the user's device, such as a laptop or smartphone, and is paired with a public key registered in the application. When signing in, the application sends the device a one-time challenge; the device signs that challenge with the private key, and the application checks the signature with the stored public key. No passwords or other sensitive data are exchanged, so there is nothing for an eavesdropper to capture and reuse.

You create a separate passkey for each application, so one device usually holds several passkeys. Passkeys are created automatically; you do not need a passkey generator or any similar tool.
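The challenge-and-signature exchange described above, as an added example in Go. This is illustration code written for this page, not code from GitHub, Microsoft, the FIDO Alliance or any passkey library. It models both sides: the device (`Authenticator`) keeps one private key per application and signs only after local user verification, while the application (`RelyingParty`) stores only public keys, hands out a one-time random challenge, and accepts a signature only if it covers that challenge and the application's own origin. The relying-party ID `github.com`, the user `alice`, the `userVerified` flag standing in for the PIN or biometric check, and the simple length-prefixed digest are all constructed for the example; real WebAuthn signs a structured authenticator-data block plus a hash of the client data, and the browser additionally refuses to use a `github.com` passkey from any other domain, a layer not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Ways a sign-in attempt can fail: on the device (ErrNotVerified) or at the application (the rest).
var (
	ErrNotVerified    = errors.New("local user verification (PIN/biometric) failed")
	ErrReplay         = errors.New("challenge unknown or already used")
	ErrOriginMismatch = errors.New("origin is not the relying party's origin")
	ErrBadSignature   = errors.New("signature does not verify under the stored public key")
)

// Authenticator models the user's device: one private key per relying party (rpID -> key).
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a fresh P-256 key pair for rpID; only the public key ever leaves the device.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge after local user verification (userVerified stands in for PIN/biometrics).
func (a Authenticator) Sign(rpID, origin string, challenge []byte, userVerified bool) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no passkey on this device for " + rpID)
	}
	if !userVerified {
		return nil, ErrNotVerified
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, origin, challenge))
}

// assertionDigest is what actually gets signed: relying-party ID, the origin the client was
// talking to, and the one-time challenge, each length-prefixed so the parts cannot be confused.
func assertionDigest(rpID, origin string, challenge []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(rpID), []byte(origin), challenge} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// RelyingParty models the application: public keys per user and one outstanding challenge per user.
type RelyingParty struct {
	id, origin string
	pubKeys    map[string]*ecdsa.PublicKey // a breach of this table yields nothing to sign in with
	pending    map[string][]byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id, origin, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

// NewChallenge issues 32 random bytes that are valid for exactly one sign-in attempt.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // never fall back to a predictable challenge
	}
	rp.pending[user] = c
	return c
}

// Verify checks one attempt; origin is what the client reports (in WebAuthn it sits inside the signed client data).
func (rp *RelyingParty) Verify(user, origin string, challenge, sig []byte) error {
	pub, expected := rp.pubKeys[user], rp.pending[user]
	delete(rp.pending, user) // consumed on every attempt, so a captured signature cannot be replayed
	switch {
	case pub == nil:
		return errors.New("no passkey registered for " + user)
	case expected == nil || string(expected) != string(challenge):
		return ErrReplay
	case origin != rp.origin:
		return ErrOriginMismatch
	case !ecdsa.VerifyASN1(pub, assertionDigest(rp.id, origin, challenge), sig):
		return ErrBadSignature
	}
	return nil
}

func main() {
	auth, rp := Authenticator{}, NewRelyingParty("github.com", "https://github.com")
	rp.pubKeys["alice"], _ = auth.Register("github.com") // the one-time registration step
	c := rp.NewChallenge("alice")
	sig, _ := auth.Sign("github.com", "https://github.com", c, true)
	fmt.Println(rp.Verify("alice", "https://github.com", c, sig)) // <nil>: signed in
	fmt.Println(rp.Verify("alice", "https://github.com", c, sig)) // replay of the same signature is rejected
}
```

Two properties of the text are visible in the code. A recorded signature is useless to an attacker because the challenge is random and consumed on first use, so `Verify` reports `ErrReplay` the second time. A signature obtained from the user on a look-alike site cannot be forwarded to the real site either: the origin is part of what was signed, so the real application sees either `ErrOriginMismatch` (if the forwarded origin is reported honestly) or `ErrBadSignature` (if it is reported as the real one). The application stores only public keys, so a breach of its credential table yields nothing that can be used to sign in.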

Secure and User-Friendly Sign-In

Passkeys are more secure, and signing in without a password is also much more user-friendly. You still need to prove your identity as a user. Otherwise, anyone who temporarily gains access to your laptop or smartphone could immediately sign in to your applications. Fortunately, modern user devices support biometric authentication, such as fingerprint scanners or facial recognition. That makes verification very simple. As soon as your fingerprint or face scan is confirmed, you can automatically sign in with your passkey.

The above is the ideal scenario. If a laptop or smartphone does not support biometric verification, you can use a PIN or password. Verification remains relatively simple because it involves one code for your device, regardless of how many passkeys you use. It can also be a relatively simple code. The PIN or password remains internal to the device, and the system prevents unlimited retries. The chance that your PIN or password is stolen through phishing or brute-force attacks is minimal.

Passkey Example

How does this work in practice? Below, we show how you can use a passkey to access, for example, a GitHub account. You use this passkey on a Windows laptop with Windows Hello biometric authentication. To use a passkey, it must first be created once. After that, you can use it to sign in as often as you like.

Create a Passkey (One-Time)

  1. Go to github.com and sign in the regular way with your username and password.

  2. Then go to 'Settings' and, within it, 'Password and authentication'.

  3. Scroll to 'Passkeys' and select 'Add a passkey'.

  4. A prompt appears, and you choose 'Use Windows Hello'.

  5. You can now authenticate via Hello, for example, with your face or fingerprint.

  6. The passkey is then created automatically and stored on your laptop.

A new passkey has been stored on your laptop and linked to your Hello profile. This passkey can be used from now on to sign in to your GitHub account.

You can find all installed passkeys, both this new one and previously created ones, under Windows Settings > Accounts > Passkeys.

Use a Passkey to Sign In (As Often As You Like)

You can then use that passkey to sign in to your GitHub account:

  1. Go to github.com and click 'Sign in'.

  2. Select 'Sign in with a passkey'.

  3. Windows now displays a prompt 'Use your passkey with Windows Hello?'

  4. Confirm with your face, fingerprint, or PIN. After successful verification, you are signed in immediately.

From now on, you no longer need your username and password. In fact, you are now signing in with Multifactor Authentication (MFA). You start with something you are (via fingerprint/face scan) or know (the PIN). That activates the passkey on your device (something you have), and with it, you gain access to your account.

The example above uses GitHub. That is one of a growing set of applications that support passkeys. Microsoft also supports passkeys; for example, you can link Microsoft 365 to your laptop using one.

FIDO, The Passkey Standard

Gradually, more applications support passkeys, although usage is not yet universal. An organization that promotes adoption is the FIDO Alliance, which brings together major technology vendors such as Microsoft, Google, and Apple. FIDO stands for Fast IDentity Online and provides a set of standards that enable passwordless sign-in methods.

The original FIDO standard dates from 2013; the more recent update, FIDO2, lets you use passkeys on laptops and smartphones and verify users with biometric methods. FIDO2 comprises several technical protocols:

  • WebAuthn. This is the World Wide Web Consortium (W3C) standard for passwordless sign-in to remote web applications. It standardizes how a website, through the browser, asks the user's device to create or use a passkey, and thus the sign-in protocol between user devices and remote applications.

  • CTAP. This acronym stands for Client to Authenticator Protocol. Passkeys on user devices are not the only option for passwordless sign-in. Users can also use hardware keys such as a YubiKey. You can plug such a key into a laptop via the USB port and use it as an authenticator to sign in. CTAP standardizes the data exchange between hardware authenticators and user devices.

Naturally, companies such as Microsoft, Google, and Apple actively use the FIDO standards themselves. We already gave an example of a passkey on a Windows laptop. You can also use passkeys on Apple devices, where users verify with Face ID or Touch ID. And Android devices support passkeys linked to Google accounts. Through passkeys, you can access many Apple, Google, and Microsoft applications, and more third-party applications are gradually adding passkey support. We already mentioned GitHub, and Adobe supports passkeys as well.

Advanced Passkey Scenarios

The earlier passkey example was a basic scenario; you sign in with a passkey installed on the same device. That will also be the most common scenario, but be aware that many more passkey scenarios are possible. We provide two examples:

  • You can synchronize passkeys between devices through the cloud. You can then sign in to the same application from multiple devices with the same passkey. From a management perspective, that is far simpler than creating a separate passkey on each device.

  • You can also use the passkeys on your smartphone as an authenticator. If you want to sign in from a device that does not have your passkey installed, for example because you are temporarily borrowing someone else's laptop, the sign-in window displays a QR code. You scan that code with your smartphone and sign in immediately with the passkey stored there.

Benefits of Passkeys

Compared to traditional password-based sign-in, passkeys offer several advantages. We mentioned some along the way, but below are the highlights:

  • Stronger Security. User verification is performed using a cryptographic handshake between the application and the user device. No password data is exchanged, and phishing tricks cannot be used to copy access credentials. You use a unique passkey per application.

  • User-Friendly. Signing in with a passkey does not require long passwords, and at most, you enter a PIN. In most cases, you can use your fingerprint or facial recognition.

  • Fewer Passwords. The number of applications that support passkeys is increasing rapidly. That means you need to manage and remember fewer passwords.

  • Cross-Platform. Secure methods are available to synchronize your private keys across multiple devices via the cloud.

  • With Passkeys, You Automatically Have Multifactor Authentication. You sign in with something you are or know (via your PIN or biometric recognition), and the passkey is installed on something you have (your device).

Passkey Use Within Your IAM Environment

For personal use, passkeys are ideal replacements for passwords. In corporate networks, too, there are multiple options to make your access management more secure and user-friendly. However, there are additional considerations. In a business environment, passkeys must be managed centrally. Normally, you provision accounts and permissions to your Identity Provider (IdP, such as AD or Entra ID) and target systems. Now you must also consider integration with your device management system, because passkeys are stored on user devices. This makes your access management more secure and simpler for users, but it can make identity management more complex.

It is also important to consider the relationship between passkeys and concepts such as Single Sign-On (SSO). If you use SSO, it is less logical for the connected applications to use passkeys. You sign in to the IdP, and from there, the SSO mechanism controls who gains access to which applications. In that case, passkeys are a less obvious fit for the individual applications. At the same time, a passkey is a much more secure sign-in method for central access to your SSO mechanism. You no longer need to sign in with a strong master password that must be absolutely secure. Instead, you sign in once with a passkey and, through SSO, you automatically have access to all your applications.

Want to Learn More About Passkeys?

You can already see that, from an IAM perspective, passkeys primarily serve to organize your access management. Within that domain, you can use passkeys to secure applications or, for example, as the central access to your Single Sign-On mechanism. Identity providers such as Entra ID already support passkeys alongside the authenticator on your smartphone. You will hear more about the possibilities in the coming period.

Related Articles

What is a passkey?

A passkey is a concept in which a user can sign in without having to enter a password. Passkeys use a cryptographic key that is tied to someone's device and identity. The user can be verified via facial recognition, fingerprint, or a PIN.

What is passwordless sign-in?

The term passwordless sign-in refers to sign-in methods in which the user does not need to enter a password. One example is the use of passkeys.

What is asymmetric encryption?

Asymmetric encryption is an encryption method in which you use two different keys. One is the private key that you keep secure. The public key can be shared with third parties. Secure communication requires both keys. If key 1 encrypts data, only key 2 can decrypt it, and vice versa.