Passkeys: Passwords Are Over
Passkeys are cryptographic key pairs that replace passwords entirely. They are phishing-resistant, leave nothing usable on the server (it holds only the public key), and authenticate users with a local gesture rather than a secret they must remember and type. The FIDO Alliance, backed by Apple, Google, and Microsoft, developed the FIDO2 standard that defines how passkeys work.
The WebAuthn Protocol
Web Authentication (WebAuthn) is the browser API through which websites create and use passkeys. During registration, the browser asks the platform authenticator (backed by the device's TPM or Secure Enclave) to generate a key pair. The private key never leaves that secure element; only the public key, together with attestation data, is sent to the relying party (the website or app).
Because the credential is bound to the RP ID (the site's domain) and the browser will only exercise it for an origin that matches that RP ID, it cannot be used on a phishing site, even a perfect replica of the login page.
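As an added example (not code from this page or from any FIDO project), here is the relying-party side of the registration ceremony described above, in Python: it parses authenticatorData, checks the browser-supplied origin and the rpIdHash against an assumed RP ID of example.com, and verifies the challenge. The attestation signature check and COSE key decoding are omitted, and the sample inputs are constructed rather than captured from a real authenticator.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                  # assumed relying-party identifier (RP ID)
EXPECTED_ORIGIN = "https://example.com"
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40   # user present, user verified, attested credential data


def parse_authenticator_data(data: bytes) -> dict:
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    out = {"rp_id_hash": data[:32], "flags": data[32], "sign_count": int.from_bytes(data[33:37], "big")}
    if out["flags"] & FLAG_AT:
        cred_len = int.from_bytes(data[53:55], "big")
        out["aaguid"] = data[37:53]
        out["credential_id"] = data[55:55 + cred_len]
        out["cose_public_key"] = data[55 + cred_len:]   # CBOR-encoded COSE key; left undecoded here
    return out


def verify_registration(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                        rp_id: str = RP_ID, origin: str = EXPECTED_ORIGIN) -> dict:
    """RP-side checks on a registration response: type, challenge, origin, rpIdHash, UP and AT flags."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.create":
        raise ValueError("not a registration ceremony")
    b64 = cd["challenge"]                                # base64url, unpadded, per the spec
    if base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)) != expected_challenge:
        raise ValueError("challenge mismatch; possible replay")
    if cd.get("origin") != origin:                       # the browser fills this in; a look-alike domain fails here
        raise ValueError(f"origin {cd.get('origin')!r} is not {origin!r}")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not (ad["flags"] & FLAG_UP and ad["flags"] & FLAG_AT):
        raise ValueError("user presence or attested credential data missing")
    return ad


# Constructed sample inputs (not captured from a real authenticator); the COSE key is a one-byte stub.
def sample_auth_data(rp_id: str = RP_ID, flags: int = FLAG_UP | FLAG_UV | FLAG_AT, cred_id: bytes = b"\x11" * 16) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
            + b"\x00" * 16 + len(cred_id).to_bytes(2, "big") + cred_id + b"\xa5")


def sample_client_data(origin: str = EXPECTED_ORIGIN, challenge: bytes = b"\x01" * 32) -> bytes:
    return json.dumps({"type": "webauthn.create", "origin": origin,
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()
```

A production relying party would additionally verify the attestation signature over authenticatorData and the SHA-256 of clientDataJSON, and decode the COSE key for later assertion checks.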
Attestation and PKI
Attestation is how a relying party can verify that a passkey was generated by a specific, trusted authenticator model. The attestation statement carries a signature and a certificate chain rooted at the authenticator manufacturer's attestation root, which the relying party can validate against the FIDO Metadata Service (MDS). This is PKI applied to hardware: the root of trust is the device manufacturer's root certificate, which anchors trust in all authenticators they produce.
Sync and Multi-Device Passkeys
Modern passkeys can be synced across a user's devices through iCloud Keychain, Google Password Manager, or third-party managers such as 1Password and Bitwarden. The private keys are encrypted end-to-end before they leave the device, so the sync provider cannot read them.