Passkeys are a form of user authentication that aims to be more secure and user-friendly than traditional passwords.

  1. Cryptographic Keys: Passkeys are based on public key cryptography. When you register with a service, it generates a pair of cryptographic keys - one public and one private. The public key is stored on the server, while the private key is securely stored on your device (such as a smartphone or laptop).

  2. Authentication Process: When you want to log in to a website or app, the service will send a challenge to your device. Your device signs this challenge using the private key and sends it back. If the signature matches the public key stored on the server, the authentication is successful. This process is seamless and often involves simply using a biometric (like a fingerprint or face scan) or a local PIN on your device.

  3. Security Benefits:

    • Phishing Resistance: Passkeys are not susceptible to traditional phishing attacks because there's no secret like a password that you enter on potentially malicious sites. The authentication process happens locally on your device.

    • No Stored Secrets: Unlike passwords, which are often stored (hopefully in a hashed form) on servers, passkeys rely on a private key that never leaves your device. This significantly reduces the risk of mass credential leaks.

    • Unique for Each Service: Each service or site you use will have a different pair of cryptographic keys, so even if one service is compromised, your other accounts remain secure.

Apple and Google's Role in Passkeys:

  • Local Storage: The private part of the passkey (the part that proves your identity) is stored securely on your device. For example, on Apple devices, it might be stored in the Secure Enclave, and on Android devices, in a similarly secure environment. This private key never leaves your device.

  • No Knowledge of Associations: In theory, because the authentication happens locally on your device and only a public key is stored on the server of the service you're accessing, Apple or Google wouldn't know which passkey is linked to which email or service. They are designed to facilitate the creation, storage, and use of these keys without having visibility into their usage.

Privacy Design of Passkeys:

  1. Decentralization: The passkey system is decentralized. The service you are logging into only keeps a public key, which is useless without the corresponding private key held on your device. There's no central repository of passkeys that Apple or Google control or access.

  2. No Identifiable Information: When you use a passkey, the service you're logging into doesn't receive any inherently identifiable information from the passkey itself. It only knows that the user who registered the passkey is the same one now presenting the corresponding private key.

  3. Biometric Data: When biometrics like fingerprints or facial recognition are used to authorize the use of a passkey, that data is processed locally on your device and is not shared with Apple, Google, or the service you're logging into.

Last updated