Passkeys / FIDO2 / WebAuthn
Passwordless authentication based on public-key cryptography, delivered through WebAuthn (W3C) and CTAP (FIDO).
Overview
Passkeys implement passwordless login using public-key cryptography. Users authenticate with a device-bound credential and local user verification (biometric or PIN), via the WebAuthn API and CTAP protocols.
How it works
- Registration: Site asks for a new credential via WebAuthn; an authenticator creates a key pair and returns a public key + attestation.
- Authentication: Site sends a challenge. Authenticator signs it with the private key after local user verification.
- Device portability: Platform sync or roaming authenticators (security keys) enable use across devices in line with vendor policies.
Common use cases
- Consumer sign-in replacing passwords
- Workforce phishing-resistant MFA
- Step-up auth for high-risk transactions
Strengths and limitations
Strengths: Phishing resistance (each credential is bound to the registering origin); no shared secrets for the server to store or leak; fast user experience.
Limitations: Portability of credentials across vendor ecosystems; choosing and enforcing an attestation policy; account recovery, which needs a pattern that does not reintroduce a weaker factor.
Key terms
- WebAuthn: W3C API for creating/using credentials.
- CTAP: FIDO protocol between client and authenticator.
- Attestation: Signed evidence, produced at registration, about the authenticator's make/model and security properties.