Passkeys explained simply

Question

Passkeys will probably replace passwords in the future.

How do they work? Can you explain passkeys in simple words?

Answer

When you sign up to a website, instead of entering a new password, your browser generates a new key pair (private key and public key).

The public key is sent to the website and associated with your account (in the database).

The private key remains on your device and it’s used to sign the future log-in requests sent to the website.

The website can use the public key to verify that the requests are actually signed by you.

This offers great advantages because you don’t have to remember the passwords and you avoid password reuse, phishing, social engineering and many other sources of attack. Also, if the website database is compromised there isn’t any problem, because there are only the public keys (an attacker can only use them to verify a signature, but cannot sign a request, so it’s safe).

Now you can sign in to that website easily and automatically from your device.

The problem is: what happens if you lose that device or you need to log in from a different device?

The solution is to also save the private key in an online password manager (e.g. Apple iCloud Keychain, Google Password Manager, 1Password, etc.).

What if the online database of the password manager is compromised? No problem: the private keys are encrypted with a master password before being sent to the cloud storage. The master password is usually a PIN, a biometric authentication (fingerprint) or the device password.

The password manager also allows you to move the end-to-end encrypted keys from one device to another. For example, if you have multiple Apple or Google devices, passwords are automatically shared and synced between all your devices. On a new device you obviously need to enter the master password to decrypt the private keys.

The private keys can also be shared between physically adjacent devices using Wi-Fi or Bluetooth (e.g. you can log in to a website using macOS if you first signed up to the website with your Android device).