It is the next evolution in internet account security.

– We started with passwords – a secret word that only you know. You give that word to the website and they give you access to your account. The issue here was obvious – **anyone** who knew the word could get access

– We then moved to SMS-based MFA (multifactor authentication). After you put in your password, a code would get texted to you to verify you were you. Better than just passwords, but not great – if someone could get access to your phone number (by stealing your SIM card or getting the number ported to a new phone) then they could get your codes.

– We then moved to app-based MFA. You’d install a special app that would generate codes for you. When you registered that app with a website, you’d need the code from that app to get access. Much better than anything before it, but not been adopted by all that many people.

– Now, we have passkeys. Your phone will register with the website and you’ll get those special codes on your phone, just like app-based MFA, but _without having to install a special app_. Hopefully, this will drive adoption much higher.

Passkeys are another use of public/private key cryptography for the purposes of authentication.

With public/private key cryptography, there’s some really fancy maths that basically make it so that anything encrypted with the public key can only be decrypted with the private key, and anything encrypted with the private key can only be decrypted with the public key. This is what is used in HTTPS to ensure that other people can’t intercept your credit card number when it’s being sent to the server.

When you use a passkey, you generate a public/private keypair, and you send the public key to the server. The private key stays on your device, and is protected by an application that requires some simpler authentication (like a fingerprint) to access it. When the website asks you to log in via passkey, it sends you a challenge, which your browser will encrypt using the private key. It sends the encrypted value back, and the server uses your public key to decrypt it and confirm it got the matching value.

It protects against phishing attacks, because the user never has the opportunity to write a password on a malicious website. It protects against Man in the Middle attacks because there’s a new challenge value every time. It protects against password reuse because there’s no password to reuse.

Authentication is proof of your identity and often done with a password.

If someone knows your pasword, that person would have complete access to your account.

In order to reduce the risk of an account comprimise when your password is stolen, multi factor authentication is used. This involves another factor that can’t be copied.

MFA authentication is always *interactive* by the user.

Today, it is often other applications that need (partial) access to your account. Ex: An email client wants access to your mails, etc…

If you only use your email client to read mail, authentication can still use MFA as reading mail involves you as human.

However, if you want to give other applications access to your data, and expect it to run non-interactively in the background, MFA can’t be used.

For those use cases (non-interactive, but secure logon) using passkeys is a specific way to do this.
Instead of having a short static string (such as a password) it is a long key that changes over time and is often bound to a specific device only, so it can only be used on that device.If not, it is saved in a hardware security module on the device itself, so it can’t be compied.

TL;DR: A specific way to perform a non-interactive, but secure authentication.