GLOSSARY · Identity & MFA
Passkeys WebAuthn
Phish-resistant authentication that replaces passwords with cryptographic key pairs stored on your device — Face ID or fingerprint unlocks the local key, the website never sees a shared secret to steal.
Detailed definition
Passkeys are the post-password authentication standard. Built on WebAuthn (FIDO2), they replace the shared-secret model of passwords with public-key cryptography: your device stores a private key locally (unlocked by Face ID, Touch ID, Windows Hello, or a PIN), and the website stores only the matching public key. You can’t be phished because there’s no shared secret to enter into a fake login page — the cryptographic handshake refuses to complete against the wrong domain.
Why passkeys are a category-changer
Passwords have always been broken. Users reuse them, choose weak ones, and reveal them to convincing phishing pages. MFA helped, but SMS and most TOTP methods are still phishable — a real-time relay attack can intercept the code. Push notifications can be approved by mistake or under “MFA fatigue” pressure.
Passkeys close the phishing hole structurally:
- No shared secret to steal. The private key never leaves your device.
- Origin-bound. The browser verifies the website’s domain before initiating the handshake. A phishing site at
paypa1.comcannot complete a passkey login that was registered forpaypal.com. - Local biometric unlock. Face ID or fingerprint is on-device — the website doesn’t get your biometric.
- Sync across devices. Apple, Google, and Microsoft sync passkeys through their respective keychains, so signing in on a new device just works.
- MFA built in. A passkey is, by itself, multi-factor — something you have (device + private key) plus something you are (biometric) or know (PIN).
Where passkey adoption stands
- Major platforms — Apple, Google, Microsoft all support passkey storage and sync as of 2024
- Major sites — Google, Apple ID, Microsoft, GitHub, AWS, Cloudflare, most banks, increasingly Microsoft 365 and Google Workspace tenants
- SMB readiness — most identity providers (Entra ID, Google Workspace, Okta, Duo) now support passkey enrollment alongside legacy MFA methods
The migration pattern is to start by adding passkeys to existing MFA — enrolled users can use either — then gradually phase out weaker methods (SMS first, then TOTP) as adoption grows. Universal passkey rollout is the right end state for most SMBs in the next 1-2 years.
HOW WE HELP
Related Bytes Unlimited services
Need help applying WebAuthn to your business?
We've done this kind of work across New York. First conversation is free.