In order to understand passkeys and the WebAuthn API, it’s important to familiarize ourselves with some key terms. Here are the definitions of relevant terms:
**Relying Party**: The server you authenticate against. In this article, we will use the term “server” to refer to the Relying Party.
**Client**: Refers to the web browser or operating system.
**Authenticator**: Software and/or hardware devices that allow the generation and storage of public key pairs.
**FIDO**: An open standards body that creates specifications related to FIDO credentials.
**WebAuthn**: The underlying protocol for passkeys, also known as FIDO2 credential or single-device FIDO credentials.
**Passkeys**: Refers to WebAuthn credentials with cloud syncing capabilities. Also known as multi-device FIDO credentials, discoverable credentials, or resident credentials.
**Public Key Cryptography**: A generated key pair that includes a private and public key. Depending on the algorithm, it is used for signing and verification or encrypting and decrypting. Also known as asymmetric cryptography.
**RSA**: An older family of public key cryptography based on factoring primes, named after its creators: Rivest, Shamir, and Adleman.
**Elliptic Curve Cryptography (ECC)**: A newer family of cryptography based on elliptic curves.
**ES256**: An elliptic curve public key that uses an ECDSA signing algorithm with SHA256 for hashing.
**RS256**: Similar to ES256, but it uses RSA with RSASSA-PKCS1-v1.5 and SHA256.
**What are Passkeys?**
Passkeys are a specification built on top of the WebAuthn protocol (also known as FIDO2). WebAuthn allows for public key cryptography to replace passwords. With passkeys, we use a security device (such as a hardware key or Trusted Platform Module) to generate private and public keys. The public key is available for anyone to use, while the private key remains on the device that created it. The issue with WebAuthn was that if you lost the device, you would lose access. Passkeys solve this problem by providing cloud sync capability for credentials. This means that the keys generated on your computer can also be used on your phone, with the ability to sync them across devices. Currently, only iOS, macOS, and Android provide full support for cloud-synced passkeys, but their usage is limited by the browser being used. Google and Apple provide interfaces for syncing via their Google Password Manager and Apple iCloud Keychain services.
**How do Passkeys Replace Passwords?**
Passkeys replace passwords by employing a signing mechanism in public key cryptography. Signing involves running a piece of data through a signing algorithm with the private key. The resulting signature can then be verified using the corresponding public key. This replaces the need for a password, as the server stores the public key and authenticates the user’s identity by verifying that they possess the other half (private key). Storing the user’s public keys in a database eliminates the risk of password breaches affecting millions of users. This reduces the occurrence of phishing attempts, breaches, and other security issues associated with traditional password-based authentication. In addition, passkeys eliminate the need to remember multiple passwords, as the browser remembers the credentials used for each website, allowing for quick and convenient logins. Passkeys can also be paired with secondary means of verification, such as biometrics or a PIN, to enhance security.
**More about Cryptography**
Public key cryptography involves the use of a private and public key pair. These keys have separate purposes. The private key is kept secret, while the public key is shared with anyone you want to exchange messages with. Encryption and decryption of messages are achieved by using the recipient’s public key to encrypt a message that can only be decrypted by the recipient’s private key. This provides confidentiality. However, it doesn’t provide proof of the sender’s identity, as anyone can potentially use a public key to send an encrypted message. To verify the sender’s identity, signing and signature verification are used. In public key cryptography, this is done by signing the hash of a message with the sender’s private key. The signature can then be verified using the sender’s public key, confirming the authenticity of the message.
**How to Access Passkeys?**
To access passkeys, they need to be generated and stored somewhere. This functionality can be provided by an authenticator. An authenticator can be either a hardware or software-backed device that enables cryptographic key generation. Examples include software authenticators like Google Authenticator, 1Password, or LastPass, which utilize the Trusted Platform Module or secure enclave of a device to create credentials. Hardware authenticators like YubiKey can generate and store keys directly on the device. Accessing the authenticator requires an interface, which is provided by the Client to Authenticator Protocol (CTAP). CTAP allows for access to different authenticators through various mechanisms such as NFC, USB, and Bluetooth. An interesting use of passkeys is through Bluetooth connection between a phone and a device that doesn’t support passkeys. By pairing the devices over Bluetooth, it’s possible to log into the browser on the computer using the phone as an intermediary.
**The Difference Between Passkeys and WebAuthn**
Passkeys and WebAuthn keys differ in several ways. Passkeys are considered multi-device credentials that can be synced across devices, while WebAuthn keys are limited to single-device credentials. WebAuthn keys require a user handle and an allowCredentials list to identify which credentials can be used to log in. Passkeys, on the other hand, use the server’s domain name to indicate which keys are already bound to that site. Passkeys provide a more convenient and seamless experience for users.
Overall, passkeys offer a secure and user-friendly alternative to traditional password-based authentication. With their ability to sync credentials across devices and eliminate the risk of password breaches, passkeys are emerging as the future of authentication and password management. By familiarizing ourselves with the terminology and concepts behind passkeys and WebAuthn, we can better understand and adapt to this evolving technology.