
PASSWORD WALL

By Overtips

2026-02-02

The End of Passwords: What Are Passkeys and How Do They Work?

The Problem with Shared Secrets

For 40 years, authentication has relied on a "Shared Secret" (your password). Both you and the server know it. If the server is hacked, your secret is stolen. If you are tricked into giving it away, it's stolen.

Enter Passkeys (FIDO2)

Passkeys rely on Public Key Cryptography. Instead of one shared secret, there are two distinct keys:

  • The Private Key: Created and stored securely on your device (in hardware-backed storage such as the Secure Enclave). It never leaves your phone or laptop.
  • The Public Key: Sent to the website (Google, Amazon, etc.). It is mathematically related to the private key, but it cannot be used to recreate the private key, so a breach of the website's database does not expose anything a thief could log in with.

The Login Flow

  1. You go to a website and click "Sign in".
  2. The website sends a random, one-time "Challenge" (a puzzle that is different for every login, so a captured answer cannot be replayed).
  3. Your phone says "FaceID required to sign" and, after you unlock it, signs the challenge with the Private Key.
  4. It sends the signature back. The website checks the signature with the Public Key it stored when you registered.

The Magic: You never typed a password. The Private Key was never sent over the internet, and the website only ever holds the Public Key.

Why It's Phish-Proof

Passkeys are bound to the domain they were created for (the "relying party ID"). A passkey for google.com will simply refuse to work on go0gle.com or any fake site, because the browser and device only offer the passkey to the exact domain it was registered on, and that domain is mixed into what gets signed. Since you can't "type" it, you can't be tricked into giving it away.
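The login flow and the domain binding above, shown together as an added example (this is illustrative code written for this post, not any vendor's or the FIDO Alliance's implementation). It models the user's device as an Authenticator holding ECDSA P-256 keys (the ES256 algorithm passkeys commonly use) keyed by the site's relying-party ID, and the website as a RelyingParty that stores only the public key. The signed payload, a hash of the relying-party ID followed by a hash of the challenge, is a simplified stand-in for WebAuthn's authenticatorData and clientDataHash; the type and function names, and the domains google.com and go0gle.com used in the demonstration, are assumptions for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Each credential is an ECDSA P-256
// key pair bound to the relying-party ID it was created for. Private keys
// never leave this struct (hypothetical type for illustration).
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedPayload mirrors the shape of what a real authenticator signs: a hash
// of the relying-party ID followed by a hash of the client data carrying the
// server's challenge. Domain binding comes from the rpID hash being part of
// the signed bytes, so a signature for one domain cannot verify under another.
func signedPayload(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(challenge)
	digest := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return digest[:]
}

// Sign answers a challenge for rpID. If no credential exists for exactly that
// rpID (for example a look-alike domain), the authenticator refuses rather
// than falling back to another site's key. This is the "phish-proof" step.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedPayload(rpID, challenge))
}

// RelyingParty models the website. It stores only public keys.
type RelyingParty struct {
	ID string
}

// NewChallenge returns 32 random bytes. A fresh value per login attempt is
// what stops a captured signature from being replayed later.
func (rp RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the signature against the stored public key, this site's own
// ID and the challenge it issued for this login attempt.
func (rp RelyingParty) Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedPayload(rp.ID, challenge), sig)
}

func main() {
	device := NewAuthenticator()
	site := RelyingParty{ID: "google.com"} // domain taken from the post, for illustration
	pub, _ := device.Register(site.ID)

	// Normal login: challenge, sign on-device, verify with the public key.
	challenge, _ := site.NewChallenge()
	sig, _ := device.Sign(site.ID, challenge)
	fmt.Println("genuine site verifies:", site.Verify(pub, challenge, sig))

	// Look-alike domain: the device has no credential for it and refuses.
	_, err := device.Sign("go0gle.com", challenge)
	fmt.Println("look-alike domain:", err)
}
```

Two checks in the code carry the post's argument: Sign fails closed when the relying-party ID does not match a registered credential, and Verify fails when the challenge or the relying-party ID differs from what was signed, so neither a replayed signature nor one obtained on a fake domain is accepted by the real site.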

What If I Lose My Phone?

Syncing: Companies like Apple (iCloud Keychain) and Google (Password Manager) sync your passkeys across your devices using end-to-end encryption. If you lose your phone, your passkeys are restored from your cloud backup to your new phone.
