Skip to main content

GLOSSARY · Identity & MFA

Passkeys WebAuthn

Phish-resistant authentication that replaces passwords with cryptographic key pairs stored on your device — Face ID or fingerprint unlocks the local key, the website never sees a shared secret to steal.

Detailed definition

Passkeys are the post-password authentication standard. Built on WebAuthn (FIDO2), they replace the shared-secret model of passwords with public-key cryptography: your device stores a private key locally (unlocked by Face ID, Touch ID, Windows Hello, or a PIN), and the website stores only the matching public key. You can’t be phished because there’s no shared secret to enter into a fake login page — the cryptographic handshake refuses to complete against the wrong domain.

Why passkeys are a category-changer

Passwords have always been broken. Users reuse them, choose weak ones, and reveal them to convincing phishing pages. MFA helped, but SMS and most TOTP methods are still phishable — a real-time relay attack can intercept the code. Push notifications can be approved by mistake or under “MFA fatigue” pressure.

Passkeys close the phishing hole structurally:

  • No shared secret to steal. The private key never leaves your device.
  • Origin-bound. The browser verifies the website’s domain before initiating the handshake. A phishing site at paypa1.com cannot complete a passkey login that was registered for paypal.com.
  • Local biometric unlock. Face ID or fingerprint is on-device — the website doesn’t get your biometric.
  • Sync across devices. Apple, Google, and Microsoft sync passkeys through their respective keychains, so signing in on a new device just works.
  • MFA built in. A passkey is, by itself, multi-factor — something you have (device + private key) plus something you are (biometric) or know (PIN).

Where passkey adoption stands

  • Major platforms — Apple, Google, Microsoft all support passkey storage and sync as of 2024
  • Major sites — Google, Apple ID, Microsoft, GitHub, AWS, Cloudflare, most banks, increasingly Microsoft 365 and Google Workspace tenants
  • SMB readiness — most identity providers (Entra ID, Google Workspace, Okta, Duo) now support passkey enrollment alongside legacy MFA methods

The migration pattern is to start by adding passkeys to existing MFA — enrolled users can use either — then gradually phase out weaker methods (SMS first, then TOTP) as adoption grows. Universal passkey rollout is the right end state for most SMBs in the next 1-2 years.

RELATED TERMS

AUTHORITATIVE SOURCES

External references

Need help applying WebAuthn to your business?

We've done this kind of work across New York. First conversation is free.