Authentication

Passkeys

Passkeys are phishing-resistant, password-replacing credentials based on FIDO2/WebAuthn that are synced across a user's devices via their platform or password manager.

Last reviewed 5/30/2026

Key points

  • Passkeys are FIDO2 credentials, but stored and synced by the OS / browser / password manager — not stuck on one device.
  • They are phishing-resistant because the browser cryptographically binds the credential to the website's origin, so a lookalike site cannot complete a sign-in.
  • They unlock with the device's local biometric (Face ID, Touch ID, Windows Hello) — but the biometric stays on-device.
  • Apple, Google, and Microsoft sync passkeys across their respective ecosystems; 1Password, Dashlane, and Bitwarden sync cross-platform.
  • Device-bound passkeys (e.g. on hardware security keys) are the strongest variant — required for some regulated workflows.

What are passkeys?

Passkeys are a user-friendly form of FIDO2 credentials designed to replace passwords entirely. Under the hood a passkey is a public/private key pair generated on the user's device. The private key never leaves the device (or the encrypted sync fabric). The public key is registered with the website (the relying party). When the user signs in, the website sends a fresh challenge, the device signs it (together with data the browser adds, including the site's origin) with the private key, typically after a local biometric check, and the website verifies the signature against the stored public key.

Passkeys are phishing-resistant by design: the credential is bound to the website's origin by the browser, so a lookalike phishing site simply cannot complete the ceremony.

What's different from older FIDO2 keys?

The FIDO2 protocol has existed since 2018. The breakthrough with passkeys (2022) is portability:

  • Synced passkeys are backed up and synced across the user's devices via their platform account (Apple iCloud Keychain, Google Password Manager, Microsoft account) or a third-party password manager (1Password, Dashlane, Bitwarden).
  • Device-bound passkeys live on a single device or hardware key (YubiKey, SoloKey) and never leave it.

For consumer and workforce apps, synced passkeys are the default — they solve the "I lost my one device, now I'm locked out" problem that held FIDO back for years.

When buyers care

Add passkey support when:

  • You're a CIAM buyer and want to reduce account-takeover and password-reset support costs.
  • You're a workforce identity buyer chasing phishing-resistant MFA for compliance or insurance.
  • You're a SaaS vendor and your buyers are asking for it (increasingly common).

For high-assurance workflows (admin, financial transactions, healthcare), prefer device-bound passkeys on hardware keys — synced passkeys are only as strong as the sync account's recovery flow.

How rollout typically goes

  1. Phase 1: Offer passkeys as an additional MFA option alongside TOTP/SMS.
  2. Phase 2: Make passkey the preferred sign-in method on the login page.
  3. Phase 3: Allow passkey-only accounts (no password fallback) for opted-in users.
  4. Phase 4: Deprecate password registration for new accounts.

Most organizations live in Phase 2 for a long time.

Common pitfalls

  • Recovery is the hard part. If the user loses their sync account, they lose their passkeys. Plan recovery flows that don't reintroduce phishable factors.
  • Treating synced passkeys as device-bound in compliance documentation. Auditors increasingly care about the distinction.
  • Forgetting the AAGUID (Authenticator Attestation GUID) check when you need to restrict which authenticator vendors or models are allowed (regulated environments). The AAGUID identifies the authenticator make and model, and it is only trustworthy when the registration carries a verifiable attestation.

FAQ

Are passkeys MFA?

On modern platforms passkeys typically combine possession (the device with the private key) and inherence (the biometric used to unlock it). They satisfy MFA requirements in most frameworks and they're phishing-resistant — which TOTP and SMS aren't.

Do passkeys work cross-platform?

Yes, both via cross-device sign-in (a QR code that uses your phone to authenticate to a laptop on a different ecosystem) and via cross-platform password managers.

What's the difference between a passkey and a YubiKey?

A YubiKey can hold device-bound FIDO2 credentials — those are passkeys that don't sync. "Passkey" by itself usually refers to the synced flavor.

Standards & references