Updated: June 24, 2024 (June 23, 2024)
How Passkeys Work
Passkeys use the same FIDO2-based WebAuthn support already built into every major browser. A passkey is only offered to the relying party (the site that originally registered it) and can only be used by the authorized user.
Passkeys are saved automatically in the background on the devices to which they were issued, typically the Android or iOS phone, iPadOS tablet, or Windows/macOS laptop the end user relies on most. They can also live on FIDO2 security keys (such as those sold by Yubico and others). Security-conscious organizations, and individual users willing to accept a little more hassle and some risk of losing the key, use these to improve overall security by separating the storage of the passkey from the computing device itself.
Passkeys are built on key pairs: the private key is stored on the user’s device and the public key is stored by the site that issued the passkey when the initial key pair was created.
Once a passkey is issued, when the user revisits the site (or another site in its namespace), the issuer sends a random challenge to the user’s device, which signs it using the locally stored private key that was saved as part of the passkey. The site then checks the signed response against its saved public key, granting access if it verifies and denying access if it does not.