Passkeys are a FIDO2-based replacement for passwords — cryptographic credentials tied to a specific website or app, stored on the user's device (iPhone, Android, laptop), and authenticated using the device's biometric or PIN.
⚙️ How Does It Work?
When a passkey is created, the device generates a public-private key pair. The public key is sent to the server and stored there; the private key never leaves the device. At login the server sends a random challenge, the device unlocks the private key with the user's biometric (Touch ID, Face ID) or PIN and signs the challenge, and the server verifies the signature with the stored public key.
📍 Where Is It Used?
Consumer apps and websites (Apple, Google, Microsoft, PayPal all support passkeys), enterprise IAM platforms deploying FIDO2 passwordless authentication.
💡 Real-World Example
A user signs up for a website and creates a passkey stored on their iPhone. On the next login they open the website, authenticate with Face ID, and they're in: no password typed, no OTP copied. The login is phishing-resistant because the credential is bound to the site it was registered with, so a lookalike domain cannot use it. If the server is breached, there is no password database to steal, only public keys.