How passkeys work
I’ve been asked a couple of times just this week how passkeys work, so here’s a little rundown!
What passkeys are and how they work
The “sales pitch” for passkeys is that they’re like a password you never learn, never type, and therefore can never leak or hand to the wrong site.
They live on the device that created them (phone, computer, YubiKey, etc.).
When you register a passkey with a website for the first time, your device generates a key pair unique to that site: a public key that it sends to the website (safe to share), and a private key that never leaves your device.
When you sign in later and the site asks for a passkey, it is really saying, “prove that you hold that private key!” The site sends a fresh random challenge; you unlock the key with Face ID/Touch ID/PIN/however your device does it; your device signs the challenge with the private key; and the site checks that signature against the public key it stored when you registered. When that “handshake” succeeds, you’re logged in.
Passkeys vs. passwords
Passwords are like “I know a secret I can type anywhere I want,” and passkeys are like “I have a device that can vouch for me anywhere.”
You might realize now that if you use passkeys you depend on the device that holds the private key. If the passkey lives only on your phone, you need your phone; if that phone is dead, or the laptop with the key isn’t with you, you’re out of luck. (Passkeys synced through a platform keychain such as iCloud Keychain or Google Password Manager soften this by showing up on every device signed in to that account, but a passkey on a hardware security key stays on that key.) Most sites let you register more than one passkey per account, so you can have one on your laptop and one on your phone for the same website, which is a good idea.
Why would I use these?
Eh, I personally don’t think you should necessarily. The cryptographic angle makes it seem like a secure choice, but at the cost of needing a specific device.
If you use a password manager, the experience is similar: password managers are secure, and you likewise rely on having a device with the password manager on it.
There is a good security story for passkeys, though. Your device will only use a passkey’s private key for the website domain it was registered on, so it won’t respond to a fake version of the site: if someone phishes you into logging in at g1thub.com or something, the browser reports that origin, your device has no key for it, and the attacker gets nothing. And if a site gets hacked, attackers can steal the public key, but it’s useless without the private one: a public key can only verify signatures, not produce them. That’s pretty good.
So, passkeys don’t really “solve” the user experience problem of needing your personal device to log in somewhere. It’s better than reusing your passwords across multiple places of course, but it’s not automatically better than other “secure” solutions out there (in my opinion).
Go… put your passwords on a post-it or something.