What are passkeys?


Seems like passkeys are the new craze even though they've been around for a while.

What are they? How do they work?

Should I get one?


3 Answers

Anonymous 0 Comments

Passkeys are another use of public/private key cryptography for the purposes of authentication.

With public/private key cryptography, there’s some really fancy maths that basically makes it so that anything encrypted with the public key can only be decrypted with the private key, and anything encrypted with the private key can only be decrypted with the public key. This is what is used in HTTPS to ensure that other people can’t intercept your credit card number when it’s being sent to the server.

When you use a passkey, you generate a public/private keypair, and you send the public key to the server. The private key stays on your device, and is protected by an application that requires some simpler authentication (like a fingerprint) to access it. When the website asks you to log in via passkey, it sends you a challenge, which your browser will encrypt using the private key. It sends the encrypted value back, and the server uses your public key to decrypt it and confirm it got the matching value.

It protects against phishing attacks, because the user never has the opportunity to write a password on a malicious website. It protects against Man in the Middle attacks because there’s a new challenge value every time. It protects against password reuse because there’s no password to reuse.
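The challenge-response flow described in the answer above, as an added example that is not part of the original post. It is a simplified model using Node's built-in `crypto` module, not the real WebAuthn message format; the private-key operation is a digital signature, and the function names, the `pending` set and the `.test` origins are constructed for illustration. It goes slightly beyond the answer by also signing the origin the browser is on, which is how a response produced on a look-alike site gets rejected.

```javascript
const crypto = require('node:crypto');

// Registration: the device creates a keypair; only the public key goes to the server.
function register() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Server: a fresh random challenge for every login attempt.
function newChallenge(pending) {
  const c = crypto.randomBytes(32).toString('base64url');
  pending.add(c);
  return c;
}

// Device: sign the challenge together with the origin the browser is actually on.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Server: verify the signature first, then consume the challenge, then check the origin.
function verifyAssertion(publicKey, assertion, pending, expectedOrigin) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, publicKey, assertion.signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (!pending.delete(challenge)) return 'unknown-or-replayed-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const site = 'https://example.test';          // constructed origin
  const lookalike = 'https://lookalike.test';   // constructed origin
  const { publicKey, privateKey } = register();
  const pending = new Set();                    // challenges issued but not yet used
  const results = {};

  const good = signAssertion(privateKey, newChallenge(pending), site);
  results.login = verifyAssertion(publicKey, good, pending, site);
  results.replay = verifyAssertion(publicKey, good, pending, site); // same response again

  const phished = signAssertion(privateKey, newChallenge(pending), lookalike);
  results.phished = verifyAssertion(publicKey, phished, pending, site);

  const stranger = register();                  // a different device's key
  const forged = signAssertion(stranger.privateKey, newChallenge(pending), site);
  results.wrongKey = verifyAssertion(publicKey, forged, pending, site);
  return results;
}
```

Calling `demo()` returns the server's verdict for a normal login, a replayed response, a response signed on a different origin, and a response signed with a key the server never registered.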
