
Answers to the most frequently asked questions about Passkeys
Despite their growing adoption, Passkeys remain a mystery to many. In this article, we aim to answer some of the most common questions we receive. The answers are as objective as possible, outlining both the strengths and weaknesses of this technology.
How Do Passkeys Resist Phishing?
Unlike a password, a Passkey’s value is not chosen by the user. It is a random value generated by an underlying security mechanism (YubiKey, Apple Passwords, Windows Hello, etc.) and tied to a specific domain. While the human eye can be tricked by similar-looking URLs, it’s impossible to fool a computer in the same way, because it compares the domain exactly.
I Don’t Want to Collect Biometric Data…
One of the strengths of Passkeys is that fingerprint or facial recognition can be easily used as an authentication factor. Given the sensitivity of this type of data and the restrictions imposed by laws like Law 25, it’s natural to be cautious. However, it’s important to understand that biometric data is never shared with the website you’re trying to access! It’s the underlying mechanism (like Apple Passwords or Windows Hello) that uses biometrics to unlock the Passkey.
Why Is It More Secure Than a Password?
Passwords have two main weaknesses: they are limited by human memory and must be shared with the site the user wants to access. These weaknesses open the door to attacks such as credential stuffing and brute-forcing, and leave users exposed to poor implementation by developers.
Passkeys solve both problems. First, the Passkey value isn’t chosen by the user and is theoretically impossible to guess with modern technology. Second, by using asymmetric cryptography, no sensitive value ever needs to be shared with the website! This difference is critical: even if you don’t trust a site’s developers, you can safely share the public part of your Passkey.
Is It Easy to Add Passkeys to My Site?
No, implementing a Passkey mechanism yourself is relatively complex. The specifications are full of nuances, and building a quality user experience is no small feat. Luckily, most authentication platforms (like Auth0, AWS Cognito) offer easy integration. If you still want to go ahead with a custom implementation, the Tour of WebAuthn is highly recommended reading.
Do Passkeys Only Work for the Web?
No, iOS and Android have APIs that allow Passkeys to be used in native mobile apps. This enables a seamless experience where a user who registers on a website can later log in on the mobile app.
Why Is Passkey Adoption Limited?
Aside from the implementation complexity, the main limitation is syncing Passkeys across the user’s devices. When syncing is available, the experience is amazing! But when it’s not, Passkeys can be quite frustrating.
For instance, I love signing up on a site using Touch ID on my Mac and later accessing it with Face ID on my iPhone. However, if I use a Windows laptop and an iPhone, native sync isn’t possible. Access created on my laptop won’t work on my phone.
Note
It is possible to use solutions such as 1Password to synchronize passkeys across different ecosystems.
What Is the Real Security Impact?
A system’s security is only as strong as its weakest link.
As mentioned earlier, the weakness of Passkeys lies in the need for a unified ecosystem to fully benefit from them. This reality requires a recovery mechanism in case a Passkey is lost — and this is the weak link! No matter how secure Passkeys are, make sure an attacker can’t exploit this recovery process.
Conclusion
To keep this article accessible, we deliberately omitted some of the more technically complex topics. If you have questions about hybrid protocols, resident keys, attestations, or anything else, feel free to reach out 🙂