Passkeys are like passwords but better. They’re better because they aren’t created insecurely by humans and because they use public key cryptography to create much more secure experiences.
But passkeys aren’t a new thing. The term is a new name for WebAuthn/FIDO2 credentials that enable fully passwordless experiences. These types of credentials are also called discoverable credentials or sometimes resident credentials.
Organizations and users have password problems. If you came to this website, you already know that passwords are typically weak, prone to frustrating security policies, and vulnerable to phishing attacks. Passkeys are the standards-based solution to the password problem that is rolling out to modern browsers and phones.
Understanding the password problem:
According to the 2022 Verizon Data Breach Report, 82% of all breaches are due to compromised accounts.
The cheapest and easiest method for compromising accounts is phishing attacks.
Phishing attacks are easily scaled to include phishing one-time passwords or push notifications.
Yes, but choosing the right type of passkey is equally important. Are you protecting your users in a broad consumer space or employees internal to your company? Determining the level of authentication assurance required is the first step in choosing the correct passkey for you and your users.
Syncable passkeys: Users with apps on their devices, such as social media, personal productivity tools, streaming apps, and more, may choose to use cloud-synced passkeys that are always available on their devices.
Single device passkeys: The sensitive or confidential nature of the data and the user will typically drive the choice of high-assurance authenticators for storing their passkeys.
Passkeys are an evolving specification, and our current developer guidance helps you take advantage of the latest features available from each platform. Let’s first take a step back to understand how passkeys work, what makes them secure, and their benefits over traditional authentication mechanisms.
Passkeys are a form of multi-factor authentication; those factors include something you know, something you have, and something you are.
Something you know: a PIN used to unlock the device.
Something you have: the authenticator, whether that’s a security key or something embedded in a personal device/phone.
Something you are: could include a fingerprint or a scan of your face.
Passkeys are an evolving specification, and we will stay up to date with the latest from the platforms. See what devices already support passkeys.
It’s easy to think that YubiKeys and passkeys are the same thing, but understanding the differences is critical. Since the launch of the YubiKey 5 Series in 2018, YubiKeys have been able to create and store passkeys that can’t be copied or exported. Storing passkeys on your YubiKey is different from allowing the platform to manage passkeys. Passkeys created and managed by your platform will, by default, be stored and synchronized with your platform account. The ability to synchronize passkeys with your platform cloud account enables backup and recovery of passkeys, but there are critical security trade-offs when passkeys can be copied.
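A relying party can tell syncable and single-device passkeys apart from the backup-eligible (BE) and backup-state (BS) flags that WebAuthn authenticator data carries. The following is an added example, not Yubico's code or part of the original page; the function names, the `example.com` RP ID, the sample bytes and the policy are assumptions, and it presumes the assertion signature has already been verified.

```python
import hashlib
import struct

# Bits of the flags byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: the credential may be synced
FLAG_BS = 0x10  # backup state: the credential is currently backed up


def parse_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    if backed_up and not backup_eligible:
        raise ValueError("BS set without BE is an invalid flag combination")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backed_up": backed_up,
        "sign_count": sign_count,
    }


def passkey_kind(parsed: dict) -> str:
    """Map the BE flag onto the two passkey types described above."""
    return "syncable" if parsed["backup_eligible"] else "single-device"


def meets_policy(parsed: dict, require_single_device: bool) -> bool:
    """Hypothetical RP policy: always require UP and UV; optionally refuse syncable passkeys."""
    if not (parsed["user_present"] and parsed["user_verified"]):
        return False
    return not (require_single_device and parsed["backup_eligible"])


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample input, not captured from a real authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    for label, flags in (("security key", 0x05), ("platform", 0x1D)):
        parsed = parse_authenticator_data(build_sample("example.com", flags, 7), "example.com")
        print(label, passkey_kind(parsed), meets_policy(parsed, require_single_device=True))
```

A high-assurance deployment would call `meets_policy` with `require_single_device=True`, while a consumer service that accepts synced passkeys would pass `False`.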
There has been a lot of information emerging about passkeys. It is important to remember that passkeys are a new industry term to make existing technology standards approachable to users. The Enterprise Strategy Group (ESG) looks at the benefits and challenges of different forms of passkeys and talks about what to look for in a passkey solution. As organizations look to make authentication more efficient and secure, the idea of passwordless authentication has rapidly gained momentum as a solution to prevent phishing attacks. As organizations are evaluating the use of passkeys, it is important to understand the benefits and challenges as different authenticators are considered for storing passkeys.
A security key is a generic term for an external, portable FIDO Authenticator. YubiKeys are examples of security keys.
YubiKey Series 5, YubiKey FIPS Series, Security Key 2, and Security Key NFC all support passkey use cases.
The easiest way to experience the new passkey UI is to try the demo at the top of this page on a supported browser.
Cross-device authentication is a solution that enables two devices to be connected via Bluetooth so that passkeys stored on your mobile device can be used to authenticate. For example, cross-device authentication allows you to authenticate with the passkeys stored on your Android phone if you have a Windows desktop.
The Yubico Authenticator for Desktop and YubiKey Manager CLI tool can manage passkeys stored on YubiKeys with firmware version 5.2 or greater.
Passkeys require support for FIDO passwordless authentication methods. U2F-only keys will not be interoperable with passkey deployments.