# How do passkeys work?

Passkeys are a replacement for passwords and use biometric authentication, such as a fingerprint scan or facial recognition.

---

Cybercriminals are getting more sophisticated every day. Meanwhile, too many people are still protecting their accounts with "Password123."

One key target of cybercriminal activity is user accounts, which are most often protected with nothing more than a username/password combination. Combine that with uninformed users, and bad actors have a much easier time.

- Easy passwords.
- Repeated passwords.
- No multi-factor authentication.

Each of the above contributes to the problem.

Fortunately, there’s a new security tool that is gaining popularity: passkeys. Passkeys are a replacement for passwords and use biometric authentication, such as a fingerprint scan or facial recognition, to help lock down sensitive data with a more secure user verification process.

## What are passkeys?

Passkeys are a secure, cryptographic method for authenticating users without passwords, offering better online security, safety, and ease of use. Once set up, passkeys are easier to use than passwords and exponentially more secure because their strength doesn’t depend on the user.

More and more websites are adopting this passwordless technology, including many big tech companies such as Google, Amazon, Apple, and Microsoft.

Passkeys are a form of passwordless authentication that replaces traditional passwords. They can be used on most operating systems within a password manager and use public key cryptography that has been under development for more than 10 years. The FIDO Alliance was founded in 2013 to shepherd and drive the technology, ensuring universal, open standards, and is supported by a long list of members and sponsors, including Bitwarden. Passkeys use the WebAuthn cryptographic protocols developed by the alliance, hailed as the gold standard in secure authentication.

## How do passkeys work?

At their core, passkeys are designed to replace passwords, and they are quite simple thanks to [public key cryptography](https://bitwarden.com/en-gb/resources/passwordless-authentication/).

When a user registers for a new account on a website or app that supports passkeys, they will be asked to create a passkey. When prompted, simply scan the provided QR code with a phone to automatically create the passkey.

That passkey consists of two keys: a public key and a private key. The public key is stored on the server, and the private key is stored on the user’s device. Once a user creates the passkey, they’ll be prompted to use it to access that site. All that’s left to do is use [fingerprint or facial biometrics](https://bitwarden.com/en-gb/help/biometrics/) on a phone to log in.

To sign in to a passkey-enabled website, the site sends a login challenge (a really large random number), and the private key on the user's device is used to cryptographically "sign" that challenge and return the signature as the response. The website checks the signature against the public key it stored at registration to verify authenticity. Once confirmed, the website can grant access to the account.

Because each passkey is a pair of two related asymmetric cryptographic keys, which are very long, random strings of characters, the [authentication process](https://bitwarden.com/en-gb/resources/are-passkeys-safer-than-passwords/) is significantly more secure. While the two keys differ from each other, they are mathematically linked: a message encrypted with the public key (on the server) can only be decrypted with the private key (on the user's device, which is supported by most operating systems), and a signature produced with the private key can be checked with the public key. That second property is what the key pair uses to verify and authenticate the user.

Unlike passwords, the key pair consists of a private key, which is kept securely on the device or in a password manager that supports passkeys (also called a passkey provider), and a public key, which is stored on the website a user is logging into. One of the most important things about these key pairs is that the private key never leaves the device or passkey provider on which it is stored, and the password manager keeps it locked behind biometrics, a PIN, or a password. The public key, on the other hand, could be shared with the world, for example in a website data breach, and security still would not be compromised so long as the private key remains secure.

Here's a [popular analogy](https://blog.vrypan.net/2013/08/28/public-key-cryptography-for-non-geeks/) to help understand asymmetric key pairs. The infographic below explains the steps for using a passkey and its key pair to verify a user's authenticity when logging into a website.

Thanks to the public-private key pair, passkeys are far better equipped to prevent phishing attacks and better ensure user privacy: a passkey is bound to the website it was created for, so a lookalike site cannot use it, and there is no shared secret for a user to be tricked into typing.

## Passkeys in Bitwarden

[Bitwarden Password Manager](https://bitwarden.com/en-gb/products/personal/) supports creating and storing passkeys, making them easy to manage.

Get started today with a free [account](https://bitwarden.com/en-gb/pricing/business/) or share with your team by [starting a free business trial](https://bitwarden.com/en-gb/pricing/business/).

For developers, Bitwarden [Passwordless.dev](https://passwordless.dev) provides API frameworks to help you build discoverable FIDO credentials such as passkeys.
