What is a passkey?

Passkeys are like passwords but better. They’re better because they aren’t created insecurely by humans and because they use public key cryptography to create much more secure experiences.

Passkeys aren’t a new technology, though. The term is a new name for WebAuthn/FIDO2 credentials that enable fully passwordless experiences. These credentials are also called discoverable credentials or, sometimes, resident credentials.

Try the demo

Why did passkeys need to be created?

Organizations and users have password problems. If you came to this website, you already know that passwords are typically weak, prone to frustrating security policies, and vulnerable to phishing attacks. Passkeys are the standards-based solution to the password problem that is rolling out to modern browsers and phones.

Understanding the password problem:

  • According to the 2022 Verizon Data Breach Report, 82% of all breaches are due to compromised accounts.

  • The cheapest and easiest method for compromising accounts is phishing attacks.

  • Phishing attacks are easily scaled to include phishing one-time-passwords or push notifications.

Are passkeys right for my business?

Yes, but choosing the right type of passkey is equally important. Are you protecting your users in a broad consumer space or employees internal to your company? Determining the level of authentication assurance required is the first step in choosing the correct passkey for you and your users.

Syncable passkeys: Users with apps on their devices, such as social media, personal productivity tools, streaming apps, and more, may choose to use cloud-synced passkeys that are always available on their devices.

Single device passkeys: The sensitive or confidential nature of the data and the user will typically drive the choice of high-assurance authenticators for storing their passkeys.

How do I include passkeys in my app?

Passkeys are an evolving specification, and our current developer guidance helps you take advantage of the latest features available from each platform. Let’s first take a step back to understand how passkeys work, what makes them secure, and their benefits over traditional authentication mechanisms.

How do passkeys work?

Passkeys are a form of multi-factor authentication; those factors include something you know, something you have, and something you are.

  • Something you know: a PIN used to unlock the device.

  • Something you have: the authenticator, whether that’s a security key or something embedded in a personal device/phone.

  • Something you are: a biometric, such as a fingerprint or a scan of your face.

Where can passkeys be used?

Passkeys are an evolving specification, and we will stay up to date with the latest from the platforms. See what devices already support passkeys. 

YubiKeys secure passkeys

It's easy to think that YubiKeys and passkeys are the same thing, but understanding the differences is critical. Since the launch of the YubiKey 5 Series in 2018, YubiKeys have been able to create and store passkeys in a way that the passkey can’t be copied or exported. Storing passkeys on your YubiKey is different from allowing the platform to manage passkeys. Passkeys created and managed by your platform will, by default, be stored and synchronized with your platform account. The ability to synchronize passkeys with your platform cloud account enables backup and recovery of passkeys, but there are critical security trade-offs when passkeys can be copied.
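
A relying party can see the difference between a syncable and a single-device passkey in the backup-eligibility (BE) and backup-state (BS) flags of the WebAuthn authenticator data. The following is an added example, not code from this page or from Yubico; the function names, the policy object and the sample bytes are constructed for illustration, and it assumes the assertion signature has already been verified.

```javascript
// Added example (not from the original page). Assumes the assertion signature
// over this authenticator data has already been verified by the relying party.
// Layout per the WebAuthn spec: rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = {};
  for (const [name, mask] of Object.entries(FLAGS)) {
    flags[name] = (bytes[32] & mask) !== 0;
  }
  // The spec treats "backed up" without "backup eligible" as invalid.
  if (flags.BS && !flags.BE) throw new Error("invalid flags: BS set without BE");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return { flags, signCount: view.getUint32(33, false) };
}

// Hypothetical policy: a high-assurance deployment may accept only
// single-device passkeys that also performed user verification (PIN/biometric).
function classifyPasskey(bytes, policy = { requireDeviceBound: false, requireUserVerification: true }) {
  const { flags, signCount } = parseAuthenticatorData(bytes);
  const kind = !flags.BE ? "single-device" : flags.BS ? "synced" : "syncable, not backed up";
  const reasons = [];
  if (!flags.UP) reasons.push("user presence not asserted");
  if (policy.requireUserVerification && !flags.UV) reasons.push("user verification not performed");
  if (policy.requireDeviceBound && flags.BE) reasons.push("credential is backup eligible");
  return { kind, signCount, accepted: reasons.length === 0, reasons };
}

// Constructed sample input: zeroed rpIdHash placeholder, chosen flags and counter.
function sampleAuthData(flagByte, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flagByte;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

const highAssurance = { requireDeviceBound: true, requireUserVerification: true };
console.log(classifyPasskey(sampleAuthData(0x05, 7), highAssurance)); // flags UP|UV
console.log(classifyPasskey(sampleAuthData(0x1d, 0), highAssurance)); // flags UP|UV|BE|BS
```

Storing the BE flag at registration and comparing it on later sign-ins lets a service apply the stricter policy only to accounts that need it.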

What are others saying about passkeys?

There has been a lot of information emerging about passkeys. It is important to remember that passkeys are a new industry term to make existing technology standards approachable to users. The Enterprise Strategy Group (ESG) looks at the benefits and challenges of different forms of passkeys and talks about what to look for in a passkey solution. As organizations look to make authentication more efficient and secure, the idea of passwordless authentication has rapidly gained momentum as a solution to prevent phishing attacks. As organizations are evaluating the use of passkeys, it is important to understand the benefits and challenges as different authenticators are considered for storing passkeys.

FAQs

What is a security key?

A security key is a generic term for an external, portable FIDO Authenticator. YubiKeys are examples of security keys.

Do YubiKeys support passkeys?

YubiKey Series 5, YubiKey FIPS Series, Security Key 2, and Security Key NFC all support passkey use cases.

How do I use my YubiKey with the new passkey UI?

The easiest way to experience the new passkey UI is to try the demo at the top of this page on a supported browser.

What is cross-device or hybrid authentication?

Cross-device authentication is a solution that enables two devices to be connected via Bluetooth so that passkeys stored on your mobile device can be used to authenticate. For example, cross-device authentication allows you to authenticate with the passkeys stored on your Android phone if you have a Windows desktop.

How do I manage passkeys on my YubiKey?

The Yubico Authenticator for Desktop and YubiKey Manager CLI tool can manage passkeys stored on YubiKeys with firmware version 5.2 or greater.

Does my U2F Key work?

Passkeys require support for FIDO passwordless authentication methods. U2F-only keys will not be interoperable with passkey deployments.

Other resources: