**Password**
* You: can i create an account?
* Website: hey tell me a secret word so I can create your account
* You: ok cool, my secret word is [redacted]
* Website: bet, welcome to the site
* You: *tries to login again*
* Website: hey, what’s our secret word?
* You: it’s [redacted]
* Website: ok it matches, welcome back
**Passkeys**
* You: can i create an account?
* Website: hey, i’m going to work with your device to create a key pair. One of them only your device will know (the private key) and the other key is a public key which will be sent to me so I can recognize you. Please allow this with your device biometric or PIN.
* You: sure thing, here’s my FaceID (or PIN)
* Website: great, welcome to the site
* You: *tries to login again*
* Website: hey, i’m going to ask your device to match your private key with my public key. Please allow this with your device biometric or PIN.
* You: here’s my FaceID (or PIN)
* Website: great, it was a successful match. welcome back
I realize that the passkey section looks longer, but from the user’s perspective, you’re now able to log in to an application the same way that you log in to your device every day.
And from a security perspective, there’s always a risk that a website can get its database breached, so the passwords stored there are not safe. Whereas with passkeys, the website never sees or stores your private key, so your authentication secret remains out of reach of attackers.
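As an added illustration (not part of the answer above), a small Go simulation of the two passkey dialogues: at registration the device hands the site only the public key, and a login is a fresh random challenge that the device signs and the site verifies. The user name, the 32-byte challenge and the in-memory "database" are assumptions for the demo; the biometric/PIN gate on the device is left out.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }
// Website models the server; it stores only public keys, never a secret.
type Website struct{ pubKeys map[string]ed25519.PublicKey }

// Register: the device generates a key pair and sends only the public half.
func Register(site *Website, user string) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	site.pubKeys[user] = pub
	return &Authenticator{priv: priv}
}

// NewChallenge: fresh random bytes per login, so a recorded response can't be replayed.
func (w *Website) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Sign is the "match" step: the device proves it holds the private key by signing the challenge.
func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// Verify checks the response against the public key stored at registration.
func (w *Website) Verify(user string, challenge, sig []byte) bool {
	pub, ok := w.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	site := &Website{pubKeys: map[string]ed25519.PublicKey{}} // constructed demo "database"
	device := Register(site, "alice")
	c := site.NewChallenge()
	fmt.Println("genuine device:", site.Verify("alice", c, device.Sign(c)))
	// A breached DB holds only the public key; signing with any other key is rejected.
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	c2 := site.NewChallenge()
	fmt.Println("stolen record only:", site.Verify("alice", c2, ed25519.Sign(other, c2)))
}
```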