What are passkeys?

Passkeys are a replacement for passwords. A password is something that can be remembered and typed, and a passkey is a secret stored on one’s devices, unlocked with biometrics.

Passkeys are:

Intuitive
Creating and using passkeys is as simple as consenting to save and use them. No having to create a password.

Automatically unique per-service
By design, passkeys are unique per-service. There’s no chance to reuse them.

Breach-resistant
A passkey is only stored on a user’s devices. Relying Party (RP) servers store public keys. Even servers that assist in the syncing of passkeys across a user’s devices never have the ability to view or use the private keys for a user’s passkeys.

Phishing-resistant
Rather than trust being rooted in a human who has to verify they’re signing into the right website or app, browser, and operating systems enforce that passkeys are only ever used for the appropriate service.

The guidance on this site is currently targeted towards sites and services that are using either password only or password + OTP (SMS, app TOTP, app push, magic link) sign in flows. Future guidance will include more advanced and higher assurance scenarios.