Passkeys
Passkeys are phishing-resistant login credentials based on the FIDO2/WebAuthn standards that replace passwords with public-key cryptography. The private key stays on the user's device (protected by biometrics or a PIN) and never leaves it, so there is nothing to phish, reuse or leak in a breach. Backed by Apple, Google and Microsoft, passkeys sync across a user's devices and are becoming the default for sign-in.
Definition
The FIDO Alliance's consumer-friendly branding of WebAuthn credentials, launched in 2022 by Apple, Google, and Microsoft. A passkey is a cryptographic credential bound to the user's device (or synced via iCloud Keychain / Google Password Manager / 1Password) that replaces passwords. It is phishing-resistant by design: a passkey cannot be entered into a lookalike domain. Backed by the W3C WebAuthn Level 3 specification.
- Synonyms
  - FIDO Passkeys
  - Synced passkey
  - Cross-device authenticator
- Application
  - Regulatory: FIDO Alliance — FIDO2 / CTAP2 · W3C — WebAuthn / DID Core
  - MidPoint: Passkey is a type of strong digital credential.
- Standards & regulations
  - FIDO
  - W3C
- Sources
  - FIDO Alliance — Passkeys (primary source)
  - WebAuthn Level 3 (W3C) (industry commentary)
Related terms
- Authentication (AuthN): Process of verifying that a principal is who they claim to be. Three classic factors: knowledge (password, PIN), possess …
- Frictionless Access: User experience principle for IAM systems — granting authorised access with minimal explicit user effort while maintaini …
- Identity Provider (IdP): System that authenticates users and issues identity assertions (SAML responses, OIDC ID tokens) to relying parties. Cent …
- Multi-factor Authentication (MFA): Authentication requiring two or more independent factors from different categories: knowledge (password), possession (ph …
- Passwordless Authentication: Authentication without passwords, using phishing-resistant factors: FIDO2 passkeys, hardware tokens, biometric authentic …
- Singpass (Singapore National Digital Identity) (Singpass): Singapore's national digital identity platform operated by GovTech, used by citizens and residents for access to 2,000+ …
Frequently asked questions
How are passkeys more secure than passwords?
A passkey uses a private key that never leaves the device and a public key stored by the service. There is no shared secret to phish, guess or steal in a database breach, and each passkey is bound to a specific site, which defeats phishing.
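The site binding described above is enforced on the server as well as in the browser. The following is an added example, not code from this glossary or from any FIDO or W3C project: a Python sketch of the binding checks a relying party runs on a WebAuthn assertion. The relying party ID, origin, lookalike domain and sample assertions are constructed for illustration, and signature verification with the stored public key is assumed to happen separately.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed web origin of the RP
CHALLENGE = bytes(range(16))  # constructed; a real RP issues a fresh random value

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_site_binding(client_data_json: bytes, auth_data: bytes,
                       issued_challenge: bytes) -> list:
    """Return the names of failed checks (empty list = pass).

    Covers only the binding fields. A full verifier also checks the
    signature over auth_data || SHA-256(client_data_json) with the stored
    public key, which is what stops these fields from being altered.
    """
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if client.get("challenge") != b64url(issued_challenge):
        failed.append("challenge")          # replayed or foreign assertion
    if client.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")             # browser reported another site
    if len(auth_data) < 37:                 # 32 hash + 1 flags + 4 counter
        return failed + ["auth_data_length"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rp_id_hash")         # credential scoped to another RP ID
    flags = auth_data[32]
    if not flags & 0x01:                    # UP: user present
        failed.append("user_present")
    if not flags & 0x04:                    # UV: biometric or PIN verified
        failed.append("user_verified")
    return failed

def constructed_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed sample of what a browser and authenticator would return."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + (1).to_bytes(4, "big"))
    return client, auth

if __name__ == "__main__":
    genuine = constructed_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
    lookalike = constructed_assertion("https://login-example.test",
                                      "login-example.test", CHALLENGE)
    print(check_site_binding(*genuine, CHALLENGE))
    print(check_site_binding(*lookalike, CHALLENGE))
```

An assertion produced on the lookalike origin fails both the origin and the RP ID hash check, so a relayed response is rejected even when the challenge is valid.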
What happens if I lose my device?
Most passkeys sync through the platform's encrypted cloud (Apple iCloud Keychain, Google Password Manager), so they restore to a new device. For workforce use, organizations register backup authenticators or recovery flows to avoid lockout.
Are passkeys the same as MFA?
A passkey combines possession (the device) and inherence or knowledge (biometric or PIN) in one step, so a single passkey already provides multi-factor-grade, phishing-resistant assurance — stronger than a password plus SMS code.