# How do passkeys work?

Passkeys will eventually replace passwords. They’re stronger, more secure, phishing-resistant, and best of all, easier to use. But how do they work? Read on.

*By Ryan Luibrand*

*Published: August 1, 2023*

---

## Introduction to passkeys

Passkeys are a secure, cryptographic way to authenticate a user without a password, providing better security, safety and ease of use than passwords themselves. More and more websites are adopting this [passwordless technology](https://bitwarden.com/it-it/passwordless-passkeys/), including many big tech companies. Learn more about passkeys in this detailed blog: [What are Passkeys?](https://bitwarden.com/it-it/blog/what-are-passkeys-and-passkey-login/)

## How passkeys work

Passkeys use cryptographic technology that has been in development for more than ten years. The [FIDO Alliance](https://fidoalliance.org/) was founded in 2013 to shepherd and drive the technology and to ensure universal, open standards. It is supported by a [long list of members and sponsors](https://fidoalliance.org/members/), including Bitwarden. Passkeys leverage the WebAuthn cryptographic protocols developed by the alliance, hailed as the gold standard in secure authentication.

### Passkeys are an asymmetric key pair

Each passkey is a pair of two related asymmetric cryptographic keys, which are very long, random strings of characters. While they differ from each other, they do have a special relationship - one can decrypt messages that have been encrypted by the other. This feature can be used to verify a user and authenticate them.

The key pair is made up of a **private key** that’s kept securely on your device, inside a password manager supporting passkeys (also called a passkey provider), and a **public key** that’s stored on the website you are logging into. Your private key is secure and never leaves your device, and the password manager keeps it locked by biometrics, PIN, or a password. The public key, on the other hand, could be shared with the world, such as in the case of a website data breach, and your security wouldn't be compromised so long as the private key stays safe.

Here’s a [popular analogy](https://blog.vrypan.net/2013/08/28/public-key-cryptography-for-non-geeks/) to help understand asymmetric key pairs, and the infographic below explains the steps of using a passkey and its key pair for determining your authenticity when logging into a website:

![Infographic on how passkeys work](https://bitwarden.com/assets/mZyS8kAtmt1IUG5i5IBkU/a4b937bf8a8ec6cbf3250ec89456afda/Infographic-how-passkeys-work-Bitwarden.png)

To sign in to a passkey-enabled website, the site sends a login challenge - a really large random number - and your **private key** uses cryptography to “sign” that challenge, producing a signature that is sent back as the response. The website checks that signature with the **public key** it stored for your account to verify that the signature is authentic. Once confirmed, the website can confidently grant access to your account.
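The challenge and signature exchange described above, as an added example that is not Bitwarden's code or part of the original post. It is simplified: it signs the bare challenge with a P-256 key, whereas real WebAuthn signs a structure that contains the challenge. The `Website` class, the function names and the `alice` account are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

// Device side: the passkey provider generates the pair; the private key stays here.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// Device side: sign the website's challenge with the private key.
function signChallenge(privateKey, challenge) {
  return nodeCrypto.sign("sha256", challenge, privateKey);
}

// Website side (hypothetical class): it only ever stores public keys.
class Website {
  constructor() {
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  startLogin(user) {
    const challenge = nodeCrypto.randomBytes(32); // fresh random number per login
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !publicKey) return false;
    return nodeCrypto.verify("sha256", challenge, publicKey, signature);
  }
}

function demo() {
  const site = new Website();
  const device = createPasskey();
  site.register("alice", device.publicKey); // constructed sample account
  const sig = signChallenge(device.privateKey, site.startLogin("alice"));
  const genuine = site.finishLogin("alice", sig);
  site.startLogin("alice"); // new login attempt, new challenge
  const replayed = site.finishLogin("alice", sig); // old signature reused

  // Knowing the public key does not help: a signature from any other key fails.
  const other = createPasskey();
  const forged = site.finishLogin("alice", signChallenge(other.privateKey, site.startLogin("alice")));
  return { genuine, replayed, forged };
}
console.log(demo());
```

Only the genuine login verifies. The replayed signature fails because each login gets a new challenge, and the signature from a different key fails because the stored public key matches only the device's private key.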

## Passkeys in Bitwarden

Bitwarden supports creating and storing passkeys in the [Bitwarden Password Manager](https://bitwarden.com/it-it/products/personal/) today. Learn more in [Blog: Bitwarden launches passkey management](https://bitwarden.com/it-it/blog/bitwarden-launches-passkey-management/).

If you’d like to get started today, [set up a free account](https://bitwarden.com/it-it/pricing/), or share with your team by [starting a free business trial](https://bitwarden.com/it-it/pricing/business/). For developers, Bitwarden [Passwordless.dev](https://bitwarden.com/it-it/products/passwordless/) provides API frameworks to help you build discoverable FIDO credentials such as passkeys.