How do Passkeys work? #

It’s a riddle wrapped in a mystery inside an enigma… — Winston Churchill

Passkey technology, along with WebAuthN based on the FIDO2 standard, is quickly becoming the go-to authentication method, replacing traditional email/password setups to enhance security and prevent data leaks. After the July 4th, 2024 ‘RockYou2024’ data leak exposed nearly 10 billion plain text passwords, along with several high-profile authentication breaches earlier this year, developers worldwide are urgently seeking a more secure solution. The Passkey standard, initially proposed by Microsoft, is emerging as the best-in-class technology to address these pressing threats. However, as a new standard, implementing it can be challenging for developers.

Passkey Advantage #

What makes Passkey superior to email/password methods and two-factor authentication is its foundation in public/private key encryption. This ensures that the interaction between a client device and the authenticating server is virtually unhackable by external parties. With no passwords involved, there’s nothing to guess or steal, even in the event of a server breach.

In the Passkey/WebAuthN protocol, the client device stores private keys on an encrypted keychain, accessible only through the user’s biometric data, such as thumbprints or facial recognition. The authenticating servers only store the corresponding public key, which, even if breached, is useless to a malicious party.

Passkey Work Flow #

So how does Passkey work? Good question. The answer is actually quite simple, and it’s best explained with the following diagram.

First, a client device attempting to authenticate into a cloud account contacts the Authenticating Server and requests a randomly generated 128-bit challenge. Second, the client packages this challenge into an authentication data structure and signs it using the private key stored on its keychain, corresponding to the user’s key ID for the specific application. Third, the user is prompted for biometric authentication (thumbprint or facial recognition) to authorize the private key signing. Fourth, once the authentication data is signed, it’s sent to the authentication server for processing. Fifth, the server retrieves the public key associated with the key ID in the authentication data and verifies the signature. If the public key matches the signature, the device is authenticated; if not, the device is flagged as fraudulent.

Because the private key never leaves the client device’s keychain, it’s secure from malicious access. Without the private key, authentication is impossible. Unlike passwords, private keys can’t be guessed or leaked, and even the fastest computers today would take about 4 trillion years to crack them using brute force!

When a Passkey is first created for an application, it’s usually linked to a verifiable handle, such as an email or phone number. The legitimacy of this handle is confirmed by sending a six-digit code to the handle, which the user returns to the authentication server to prove ownership. Since the account doesn’t exist yet, there’s no risk of hacking. However, authentication servers must ensure that accounts aren’t created in someone’s name (or handle) without the owner’s explicit permission. This is where multi-factor code-based authentication plays a role during Passkey account setup.