How do passkeys work?

Passkeys are a secure, cryptographic way to authenticate a user without a password, providing better security, safety and ease of use than passwords themselves. More and more websites are adapting this passwordless technology, including many big tech companies. Learn more about passkeys in this detailed blog: What are Passkeys?

Passkeys utilize cryptographic technology in development for more than ten years. The FIDO Alliance was founded in 2013 to shepherd and drive the technology, ensuring universal, open standards and is supported by a long list of members and sponsors, including Bitwarden. Passkeys leverage the WebAuthn cryptographic protocols developed by the alliance, hailed as the gold standard in secure authentication.

Each passkey is a pair of two related asymmetric cryptographic keys, which are very long, random strings of characters. While they differ from each other, they do have a special relationship - one can decrypt messages that have been encrypted by the other. This feature can be used to verify a user and authenticate them.

The key pair is made up of a private key that’s kept securely on your device, inside a password manager supporting passkeys (also called a passkey provider), and a public key that’s stored on the website you are logging into. Your private key is secure and never leaves your device, and the password manager keeps it locked by biometrics, PIN, or a password. The public key, on the other hand, could be shared with the world, such as in the case of a website data breach, and your security wouldn't be compromised so long as the private key stays safe.

Here’s a popular analogy to help understand asymmetric key pairs, and the infographic below explains the steps of using a passkey and its key pair for determining your authenticity when logging into a website:

To sign into a passkey-enabled website, that site will send a login challenge - a really large random number - and then your secret key will use cryptography to “sign” the challenge with a response to the number. The website checks that signature with its public key to verify that the signature is authentic. Once confirmed, the website can confidently grant access to your account.

Bitwarden supports creating and storing passkeys in the Bitwarden Password Manager today. Learn more in Blog: Bitwarden launches passkey management.

If you’d like to get started today, set up a free account, or share with your team by starting a free business trial. For developers, Bitwarden Passwordless.dev provides API frameworks to help you build discoverable FIDO credentials such as passkeys.