BitsFed
Passkeys Are Killing Passwords — Here's How They Work
cybersecurity


Passwords are finally dying. Passkeys use public-key cryptography to make phishing impossible. Here's the technical breakdown of how they actually work under the hood.

Thursday, March 26, 2026 (2 min read)

You've probably seen the "Sign in with a passkey" prompt popping up on more sites lately. Google, Apple, Microsoft — everyone's pushing passkeys as the password replacement we've been waiting for.

But what's actually happening when you tap your fingerprint instead of typing hunter2?

The Problem with Passwords

Passwords have three fundamental flaws:

  1. They're shared secrets — the server stores your password (or hash), creating a target for breaches
  2. They're phishable — a convincing fake login page captures them trivially
  3. Humans are bad at them — we reuse them, make them weak, and forget them

Passkeys solve all three problems simultaneously.

How Passkeys Work

Passkeys use asymmetric cryptography — the same math behind SSH keys and HTTPS.

When you create a passkey for a website:

  1. Your device generates a key pair — a private key and a public key
  2. The private key stays on your device, protected by biometrics (fingerprint, Face ID)
  3. The public key gets sent to the website's server

When you sign in:

  1. The server sends a random challenge (a nonce)
  2. Your device signs the challenge with your private key (after biometric verification)
  3. The server verifies the signature using your public key

The private key never leaves your device. There's nothing to phish, nothing worth breaching on the server (it holds only the public key, which cannot be used to sign in), and nothing to reuse across sites, because each site gets its own key pair.

Why Phishing Becomes Impossible

Here's the clever part: passkeys are bound to the website's domain.

A passkey created for bank.com will only activate on bank.com. If an attacker makes bánk.com (notice the accent), your passkey simply won't appear as an option. The browser enforces this at the protocol level: each credential is tied to a relying party ID, and the browser refuses to offer it unless that ID matches the domain of the page making the request — no user vigilance required.

The Sync Problem

Early passkeys were device-bound — lose your phone, lose your keys. Now, Apple syncs passkeys via iCloud Keychain, Google via Google Password Manager, and Microsoft via their authenticator.

This is convenient but introduces a new trust model: your cloud provider now holds your passkeys. For most people, this tradeoff makes sense. For high-security scenarios, hardware keys like YubiKeys still offer device-bound passkeys.

Should You Switch?

If a site offers passkeys, use them. They're faster than passwords, immune to phishing, and don't require a password manager. The transition is gradual — passwords aren't going away overnight — but every passkey you create is one less password to worry about.

security, passkeys, authentication, passwords