Passkeys / FIDO2 / WebAuthn

Passwordless authentication based on public-key cryptography, delivered through WebAuthn (W3C) and CTAP (FIDO).

Overview

Passkeys implement passwordless login using public-key cryptography. Users authenticate with a device-bound credential and local user verification (biometric or PIN), via the WebAuthn API and CTAP protocols.

How it works

  1. Registration: The site (relying party) requests a new credential via WebAuthn; the authenticator generates a key pair scoped to that site, keeps the private key, and returns the public key plus an attestation statement.
  2. Authentication: The site sends a fresh challenge; the authenticator signs it with the private key after local user verification (biometric or PIN).
  3. Device portability: Platform sync or roaming authenticators (security keys) enable use across devices in line with vendor policies.

Common use cases

  • Consumer sign-in replacing passwords
  • Workforce phishing-resistant MFA
  • Step-up auth for high-risk transactions

Strengths and limitations

Strengths: Phishing resistance; no shared secrets stored server-side; fast UX.
Limitations: Cross-ecosystem portability of synced passkeys; deciding and enforcing an attestation policy; account recovery patterns that must not undo the phishing resistance.

Key terms

  • WebAuthn: W3C API for creating/using credentials.
  • CTAP: FIDO protocol between client and authenticator.
  • Attestation: Evidence about the authenticator model/security.

Vendors using Passkeys / FIDO2 / WebAuthn

Latest Data Cards

  • Sumitomo Mitsui Trust Bank Moves Mobile Customers to FIDO Cloud Authentication with OneSpan

    2025-11-17 | CC-BY-4.0 | passkeys-webauthn

    Sumitomo Mitsui Trust Bank is migrating mobile users to phishing‑resistant, FIDO‑based cloud authentication with OneSpan, replacing passwords with passkeys built on WebAuthn/FIDO2.

    • Bank‑scale rollout of passkeys for mobile customers
    • Cloud authentication built on WebAuthn/FIDO2
    • Targets stronger security and simpler sign‑in

  • Germany Moves Government Services to Passkeys

    2025-10-02 | CC-BY-4.0 | passkeys-webauthn

    Germany announced a program to replace passwords for government services with passkeys, aligning with WebAuthn standards to improve security and usability.

    • Government accounts to support passwordless login
    • Built on WebAuthn/FIDO2 platform authenticators
    • Part of a broader digital identity modernization agenda

Frequently Asked Questions

What is a passkey?
A FIDO credential (public/private key pair) bound to a user and relying party. The private key stays on the device; the public key is registered with the service.
How is this phishing-resistant?
Credentials are origin-bound and never revealed; a signed challenge is produced locally after user verification (biometric or PIN).
CTAP vs WebAuthn?
WebAuthn is the browser API; CTAP connects clients to authenticators (platform or roaming security keys).
What’s the difference between multi-device and single-device passkeys?
Single-device credentials live only on one device; multi-device credentials can sync across an ecosystem under vendor security policies.
How do recovery and device loss work?
RPs should provide recovery paths (additional registered authenticators, administrator-assisted recovery, or re-enrollment) while balancing phishing resistance against account takeover risk.