Passkeys and the Future of Web Authentication

Over the years, web authentication has undergone many evolutions. From the days of HTTP basic auth to the modern practices of multi-factor authentication and OAuth, software professionals are constantly inventing new ways to help ensure the security of your accounts. Recently, a new tool has begun to make waves in the authentication scene: passkeys. Major software products are already incorporating passkeys, signaling a potential end to password-based authentication.

What are Passkeys?

Passkeys rely on a long-established cryptographic method, asymmetric (public-key) cryptography, to verify that a user is who they claim to be. Unlike passwords, which rely on a shared secret, passkeys involve a pair of keys. One is a freely shared public key, and the other is a private key the user holds. These public and private keys are mathematically linked, meaning a message encrypted by one can only be decrypted by the other; the same property lets a signature produced with the private key be checked by anyone holding the public key, which is what the login flow below depends on.

How do they work?

Here is an example workflow for authenticating with a passkey:

  1. When creating an account, the server will store the user’s public key in place of a password.
  2. The client makes a request to log in, which causes the server to send a challenge in return.
  3. The challenge prompts the user to unlock their private key (through a PIN or biometrics) so it can sign the challenge. The signed challenge and the username are then sent back to the server.
  4. Using the username, the server looks up the public key and checks the validity of the signed challenge. If it verifies, the server can safely assume the user is who they say they are and establish a session.

Step 4 as a minimal Express handler (the challenge issued in step 2 is kept server-side so the signature is checked against it, and each challenge is used only once):

    const express = require('express');
    const crypto = require('crypto');
    const app = express();
    app.use(express.json());

    const userDatabase = {};       // username -> { publicKey } stored at registration (step 1)
    const pendingChallenges = {};  // username -> challenge sent in step 2

    app.post('/login', (req, res) => {
        const { username, signedMessage } = req.body;

        // Fetch the user's public key from the database, and the challenge we issued
        const user = userDatabase[username];
        const challenge = pendingChallenges[username];
        if (!user || !challenge) {
            return res.status(401).json({ message: 'Invalid passkey' });
        }
        delete pendingChallenges[username]; // a challenge is single-use

        // Verify the signature over the challenge using the public key
        const verify = crypto.createVerify('SHA256');
        verify.update(challenge);
        const verification = verify.verify(user.publicKey, signedMessage, 'hex');

        if (verification) {
            res.status(200).json({ message: 'Login successful' });
        } else {
            res.status(401).json({ message: 'Invalid passkey' });
        }
    });

Why use Passkeys?

Traditional security risks associated with passwords become non-factors with passkeys. Take data leaks, for instance. With passwords, a data leak could reveal your password to the public. Conversely, when you use a passkey, it’s the public key that would be exposed in the event of a leak. A public key is just that: public. Anyone can view it, save it, share it, etc. Its owner faces no risk because the private key is securely stored on the owner’s device(s). This also renders phishing and man-in-the-middle attacks powerless, as the private key is never sent over the network.

In addition, passkeys offer a significant advantage by eliminating the need for users to memorize complex passwords. This not only enhances user convenience but also removes the risk of weak passwords being chosen. Moreover, because each passkey is unique to the site it was registered with, passkeys eliminate the security risk posed by reusing one password across different platforms. This not only enhances overall security but also ensures a more robust and individualized approach to user authentication.

Will passwords become obsolete?

The answer to this question is almost certainly no (for now). While major software products continue to integrate passkeys, passwords remain deeply ingrained in the current culture, ensuring they are not going anywhere anytime soon. The complete displacement of passwords will require a gradual transition. A password-free future may be possible, but it will require broad industry acceptance and widespread user education. However, passkeys are an incredible invention, and their security benefits and continued support make them an indispensable asset in enhancing overall digital security.

  • Isaiah Erven says:

    Very insightful, appreciate this write-up!
