Passwords are dead. Well — they should be. Over 80% of data breaches start with a compromised password. Passkeys, built on the FIDO2/WebAuthn standard, finally offer a real alternative: logging in with a fingerprint or face, without a single password. In 2024, they’re being adopted by Google, Apple, Microsoft, and major banks. Here’s what you need to know.
What Are Passkeys
A passkey is a cryptographic key pair (public + private key) bound to a specific domain. The private key never leaves the user’s device — it’s protected by biometrics (Face ID, Touch ID, Windows Hello) or a PIN. The public key is stored on the server. During login, the server sends a challenge, the device signs it with the private key, and the server verifies the signature with the public key. Done.
No password for an attacker to steal, phish, or brute-force. No password database that could leak. No “forgot my password” forms.
Why Now — What Changed
The FIDO2/WebAuthn standard has existed since 2019, but a key ingredient was missing: cross-device key synchronization. In the original model (device-bound credentials), losing your phone meant losing access. In 2022, Apple, Google, and Microsoft announced support for synced passkeys, with keys synchronizing via iCloud Keychain, Google Password Manager, or a Microsoft Account.
By 2024, support is universal: Safari, Chrome, Firefox, Edge. iOS 16+, Android 14+, Windows 11, macOS Sonoma. The ecosystem is ready.
How Passkeys Work Technically
Registration: The server generates a challenge and parameters (relying party ID = domain, user info, supported algorithms). The browser calls navigator.credentials.create(). The OS displays a biometric prompt. After verification, a key pair is created and the public key + credential ID are sent to the server.
Authentication: The server sends a challenge and a list of allowed credential IDs. The browser calls navigator.credentials.get(). The OS offers available passkeys for the given domain. The user verifies with biometrics. The device signs the challenge with the private key. The server verifies the signature.
The entire process typically takes 2–3 seconds. No filling out forms, no copying codes from SMS.
Phishing-Resistant by Design
Passkeys are bound to the domain (origin). If a user lands on a phishing page fake-bank.com instead of bank.com, the browser simply finds no passkey for that domain. The attack fails automatically, without any decision-making by the user. This is a fundamental difference from passwords and even OTP codes, which can be relayed in real time.
Implementation in a Web Application
On the server side, you need a WebAuthn library. In Node.js, that’s @simplewebauthn/server; in Java, java-webauthn-server (Yubico); in Python, py_webauthn. The basic flow:
- Endpoint for generating registration options (challenge, RP info)
- Endpoint for verifying the registration response (storing the public key)
- Endpoint for generating authentication options (challenge)
- Endpoint for verifying the authentication response (signature verification)
On the client side, you just call the WebAuthn API — a few dozen lines of JavaScript. No SDK, no dependencies.
Conditional UI — Passkeys Without a Button
New in 2024: conditional mediation. The browser automatically offers a passkey in the autocomplete dropdown directly in the login form. The user doesn’t need to click “Sign in with passkey” — they simply click the offered account in autocomplete. The UX is identical to a password manager, but under the hood, cryptography runs instead of a password.
Enterprise Adoption and Challenges
For enterprise environments, the key questions are: device management (what if an employee leaves?), recovery (what if they lose all devices?), and attestation (how to verify the passkey is on a corporate device, not a personal one?).
The usual solution: a combination of synced passkeys (for regular users) and device-bound passkeys on YubiKey hardware keys (for privileged accounts). Recovery goes through the IT helpdesk with identity verification. The FIDO Metadata Service (MDS) is used to verify the authenticator type from its attestation.
Migration from Passwords — A Gradual Approach
We don’t recommend a big-bang switch. The proven approach:
- Offer passkey registration after successful password login
- Promote passkeys in the UI — “Sign in faster without a password”
- After reaching critical mass (60%+), set passkey as the default login method
- Keep passwords as a fallback, but with stricter MFA
Passwords Belong in the Past
Passkeys aren’t the future — they’re the present. The ecosystem is ready in 2024, libraries are mature, and the user experience is better than with passwords. Every new application should support passkeys from day one. And existing ones? Start with optional passkey registration. Your users (and your security team) will thank you.