A password is just a special word that (hopefully) only you know that authenticates you with a service. The pros are that it is very easy to use; the con is that if anyone can guess the word then they have full access.
A passkey is a device that has registered itself with the service as the means to grant access. When you try to log in, the service will ping the device and you have to authorize yourself using that device. This is **much** more secure, as you can’t just guess a word anymore; you have to have possession of a physical object, which _itself_ is typically secured with a password.
It’s a user-friendly way to use public key cryptography for signing in. You’ve probably heard the term “multi-factor authentication”. A factor is just a thing that helps prove your authenticity.
The various factors for MFA include:
1. **Knowledge Factor (Something you know)**:
   * Passwords
   * PINs
   * Security questions
2. **Possession Factor (Something you have)**:
   * Mobile device (e.g., smartphone)
   * Smart cards
   * Security tokens
3. **Inherence Factor (Something you are)**:
   * Biometrics (e.g., fingerprints, facial recognition, iris scans)
   * Voice recognition
MFA combines at least two of these factors.
Public key cryptography is a way to keep information secure by using two keys: a public key and a private key. The magic is that what one key encrypts only the other key can decrypt.
This is called asymmetric encryption.
If I know your public key, I can give you some text to encrypt and you can use your private key to encrypt it and send it to me. With the public key I can decrypt it and check the result. This proves you are the controller of that key pair.
It also works in reverse, where I can encrypt a message for you using your public key and only you can decrypt it with the private key.
Lots of things you do every day, like secure websites and biometric authorization of mobile payments, leverage these ideas.
**Password**
* You: can i create an account?
* Website: hey tell me a secret word so I can create your account
* You: ok cool, my secret word is [redacted]
* Website: bet, welcome to the site
* You: *tries to login again*
* Website: hey, what’s our secret word?
* You: it’s [redacted]
* Website: ok it matches, welcome back
**Passkeys**
* You: can i create an account?
* Website: hey, i’m going to work with your device to create a key pair. One of them only your device will know (the private key) and the other key is a public key which will be sent to me so I can recognize you. Please allow this with your device biometric or PIN.
* You: sure thing, here’s my FaceID (or PIN)
* Website: great, welcome to the site
* You: *tries to login again*
* Website: hey, i’m going to ask your device to match your private key with my public key. Please allow this with your device biometric or PIN.
* You: here’s my FaceID (or PIN)
* Website: great, it was a successful match. welcome back
I realize that the passkey section looks longer but from the user’s perspective, you’re now able to login to an application the same way that you login to your device every day.
And from a security perspective, there’s always a risk that a website’s database gets breached, so the passwords stored there are not safe. Whereas with passkeys, the website never sees or stores your private key, so your authentication secret remains out of reach of attackers.
A traditional password uses a secret value that *you* have to remember, while a passkey uses your face or fingerprint to unlock a secret value that is remembered by a *device*.
And we can be assured that the secret value remembered by the device is much more secure than what you can remember. In addition, it is easier for you to use that secret value. Another bonus: if there is a more secure way to unlock the secret value, like a retina scan or blood vein verification, only the user’s device needs to be changed.
*The above is actually FIDO2; a passkey is when the secret value can travel across devices, like iCloud.
A passkey is any other form of verification that is not a password (inputting a string of characters), for example biometrics like your face or fingerprints, a PIN or a swipe pattern.
The difference is that they cannot be used to log in on a different device, even if it’s the same account. The selling point is that they are really fast to log in with and almost as secure as passwords.