ID Tech

Passkeys / FIDO2 / WebAuthn

Passwordless authentication based on public-key cryptography, delivered through WebAuthn (W3C) and CTAP (FIDO).

Overview

Passkeys implement passwordless login using public-key cryptography. Users authenticate with a device-bound credential and local user verification (biometric or PIN), via the WebAuthn API and CTAP protocols.

How it works

  1. Registration: Site asks for a new credential via WebAuthn; an authenticator creates a key pair and returns a public key + attestation.
  2. Authentication: Site sends a challenge. Authenticator signs it with the private key after local user verification.
  3. Device portability: Platform sync or roaming authenticators (security keys) enable use across devices in line with vendor policies.

Common use cases

  • Consumer sign-in replacing passwords
  • Workforce phishing-resistant MFA
  • Step-up auth for high-risk transactions

Strengths and limitations

Strengths: Phishing resistance; no shared secrets; fast UX.
Limitations: Cross-ecosystem portability; attestation policy; account recovery patterns.

Key terms

  • WebAuthn: W3C API for creating/using credentials.
  • CTAP: FIDO protocol between client and authenticator.
  • Attestation: Evidence about the authenticator model/security.

References

Vendors using Passkeys / FIDO2 / WebAuthn

Thales GroupKeylessIntercede Group plcSwissbit AG

Latest Data Cards

  • Data Card

    Aware announces third-party testing results across PAD, bias testing, DHS RIVR, and passkey readiness

    2026-02-17CC-BY-4.0padpasskeys-webauthnfacial-recognitionaware

    Aware released external validation results across ISO/IEC 30107-3 Level 2 presentation attack detection, ISO/IEC 19795-10 bias testing, DHS Rapid Identity Verification Rally participation, and FIDO2 passkey readiness.

    • Aware achieved ISO/IEC 30107-3 Level 2 PAD certification, covering advanced presentation attack scenarios.
    • The company also demonstrated ISO/IEC 19795-10 bias testing compliance and FIDO2 passkey readiness.
    • DHS RIVR participation builds on Aware's top performance in prior DHS security testing announced in June 2025.
  • Data Card

    Swissbit Adds HID Seos Support to iShield Key 2, Expands Enterprise Passkey Use

    2025-12-12CC-BY-4.0passkeys-webauthnswissbit

    Swissbit added HID Seos support to its iShield Key 2 portfolio, positioning a single enterprise token for both FIDO2/WebAuthn passkeys and physical-access credential deployments.

    • The update adds Seos support for physical access systems alongside FIDO2 authentication capabilities.
    • Swissbit describes multiple iShield Key 2 variants, including a Pro version aimed at broader credential use cases.
    • The announcement reflects enterprise interest in consolidating logical-access and physical-access credentials.
  • Data Card

    Sumitomo Mitsui Trust Bank Moves Mobile Customers to FIDO Cloud Authentication with OneSpan

    2025-11-17CC-BY-4.0passkeys-webauthn

    Sumitomo Mitsui Trust Bank is migrating mobile users to phishing‑resistant, FIDO‑based cloud authentication with OneSpan, replacing passwords with passkeys built on WebAuthn/FIDO2.

    • Bank‑scale rollout of passkeys for mobile customers
    • Cloud authentication built on WebAuthn/FIDO2
    • Targets stronger security and simpler sign‑in
See more data cards

Frequently Asked Questions

What is a passkey?
A FIDO credential (public/private key pair) bound to a user and relying party. The private key stays on the device; the public key is registered with the service.
How is this phishing-resistant?
Credentials are origin-bound and never revealed; a signed challenge is produced locally after user verification (biometric or PIN).
CTAP vs WebAuthn?
WebAuthn is the browser API; CTAP connects clients to authenticators (platform or roaming security keys).
What’s the difference between multi-device and single-device passkeys?
Single-device credentials live only on one device; multi-device credentials can sync across an ecosystem under vendor security policies.
How do recoveries and device loss work?
RPs should provide recovery paths (additional authenticators, admin-recovery, or re-enrollment) while balancing phishing resistance and account takeover risks.