DEV Community

Mohamed M El-Kalioby


Passkeys as Q&A

Passkeys are one of the hottest topics in the industry. They are supported by Apple, Google and Microsoft to kill passwords.

What are Passkeys?

Passkeys are an extension of the 3-year-old W3C standard Web Authentication API (WebAuthn). In WebAuthn the user is identified by a public/private key pair: the private key stays on the authenticator and the public key is stored on the server. At authentication time, the server sends a challenge to the user; the user proves his presence to the authenticator, which signs the challenge for the server using the private key. The server verifies that signature with the public key it stored, and if the signature is valid over the challenge it originally sent, then the user is present and can be authenticated.

What are the components of WebAuthn?

WebAuthn depends on three components:

  1. Server: The backend of the service that wants to register the passkey or to authenticate by the passkey.
  2. Browser: Receives the request from the server, asks the user to select an authenticator to use, either to generate a new keypair or to authenticate to the service, and sends the response back to the server.
  3. Authenticator: The device that generates the RSA keypair and provides the public key back to the browser in the case of registration, or the signed challenge in the case of authentication.

What are the authenticators?

An authenticator is any device that can generate a public/private keypair. They are normally divided into 2 groups.

  • Platform Authenticators: These reside inside your device: TouchID/FaceID on Apple iPhone, iPad or Macs, Windows Hello in any MS Windows installation, Android SafetyNet. The method by which the authenticator verifies the user's presence differs on each platform; e.g. on Windows it can be face recognition, fingerprint, PIN or password, in other words anything supported by Windows Hello. On Android it can be PIN, pattern, face recognition or fingerprint.

  • Roaming Authenticators: These are external and can be used on several devices; they communicate over USB, Bluetooth and/or NFC. The most popular brand is Yubico, and their Bio series verifies the user by fingerprint, or by PIN if the fingerprint isn't recognized 3 times consecutively.

How are Passkeys different from WebAuthn?

WebAuthn credentials used to reside primarily on the device that generated them, e.g. if the key is generated on your Mac, you can't use it on your phone. This added a burden on developers adopting WebAuthn, because it means there has to be a fallback method to authenticate the user if he doesn't use his primary device.

In Passkeys it is different: the key you generate on an Apple device is synced to iCloud Keychain, encrypted by the passcode, so you can use it on any Apple device on which your keychain is activated. On Android, the private keys are stored encrypted on Google Cloud.

OK, so the key will be synced to my device's cloud provider; what if I use an iPhone and need to log in to the service on a Windows PC?

Passkeys cover this case: the browser will ask you to use a passkey from another device and shows you a QR code. You scan the code with your phone/tablet, and the two devices communicate over Bluetooth. The phone confirms your presence and sends the result back to the browser, which sends it to the server to log you in.

Why are Passkeys phishing resistant?

Passkeys are phishing-resistant because the authenticator validates the domain that is requesting authentication against the one that registered the keypair. For example, if your key is registered for google.com, g00gle.com can't ask you to authenticate; in fact the authenticator will report that no key is available.

How to use Passkeys in my current application?

There are 2 options:

  1. Integrate a WebAuthn or Passkey library in your app and start managing the user keys with different login scenarios.
  2. Delegate this to a Passkey provider like JustPass.me. Their service is OpenID Connect (OIDC) certified as well as FIDO2 certified. You use their service from any language and/or framework through an OpenID client, and they have a Firebase Extension to support mobile apps on iOS and/or Android. Finally, you can use their service at zero cost up to 1,000 users.
