Demystifying Passkeys

Last modified: Mar 3, 2025 7:08 PM

Introduction

Simply put, passkeys are where resource-access security is heading: they replace the need to memorize and type credentials (usernames and passwords). They also cause a fair amount of confusion for most of us, and I hope to clear that up with this user tip.


Passkeys: What are They Exactly?

Passkeys are based on WebAuthn. WebAuthn (the Web Authentication API) is a W3C web standard developed together with the FIDO Alliance that enables passwordless sign-in using public-key cryptography, with the private key unlocked by biometrics, a device passcode, or a physical security key. It lets you sign in to websites and apps without a traditional password. The security gain is twofold: a passkey is tied to the website it was created for, so a lookalike phishing site cannot use it, and the website stores only a public key, so a breach of its server does not hand an attacker anything they can log in with. Any website that has enabled WebAuthn can be accessed with a passkey; more and more of them have, which is why you are increasingly being prompted to create one.


How Do They Work?

First-time access to a WebAuthn-enabled website

  • The first time you sign in to a website that supports WebAuthn, you will be asked whether you want to create a passkey.
  • If you agree, your device (Mac, iPhone, security key, etc.) generates a unique cryptographic key pair for that website: a private key and a public key.
  • The private key is stored securely on your device (and, if you sync, in iCloud Keychain, a 1Password vault, a security key, etc.). Only the public key is sent to, and stored on, the website's server.


Each subsequent visit to this same website

  • During login, the website sends your device a fresh, random challenge.
  • Your device "signs" the challenge with the private key (which never leaves your device).
  • The signed response is sent back to the website, which verifies it with the public key it stored when you enrolled.
  • If the signature checks out, you're logged in; voila, no password required.
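Both sides of the exchange described above, as an added example written for this tip (not code from the original post, and not anything a website or Apple ships): a simulated authenticator standing in for your device, and a simulated website. The key pair, random challenge, credential ID, origin check and the exact bytes that get signed follow WebAuthn, but the site names example.com and example.com.evil, the credential IDs and the Go type names are assumptions made for this demo; a real website would use a WebAuthn library rather than this code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type (
	clientData struct { // what the browser wraps around the server's challenge
		Type      string `json:"type"`
		Challenge string `json:"challenge"`
		Origin    string `json:"origin"`
	}
	Assertion struct { // the signed login response sent back to the website
		CredentialID                                 string
		AuthenticatorData, ClientDataJSON, Signature []byte // authData = sha256(rpID) || flags || counter
	}
	Authenticator struct { // the user's device or password manager; private keys never leave it
		keys  map[string]*ecdsa.PrivateKey // credential ID -> private key
		rpIDs map[string]string            // credential ID -> site the key was made for
	}
	RelyingParty struct { // the website; it stores public keys only
		RPID, Origin string
		pubs         map[string]*ecdsa.PublicKey
	}
)

func randomB64(n int) string { // n random bytes as base64url, the encoding WebAuthn uses
	buf := make([]byte, n)
	rand.Read(buf)
	return base64.RawURLEncoding.EncodeToString(buf)
}

func signedMessage(authData, clientDataJSON []byte) []byte { // the exact bytes WebAuthn signs
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Register is the first-visit step: a fresh P-256 key pair bound to rpID; only the ID and public key go out.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := randomB64(16)
	a.keys[id], a.rpIDs[id] = priv, rpID
	return id, &priv.PublicKey, nil
}

// Assert is the later-visit step: sign the challenge. Only keys made for rpID are offered, so a lookalike domain gets nothing.
func (a *Authenticator) Assert(credID, rpID, origin, challenge string) (*Assertion, error) {
	priv, ok := a.keys[credID]
	if !ok || a.rpIDs[credID] != rpID {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flag 0x01 = user present; counter left at 0
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return &Assertion{credID, authData, cd, sig}, err
}

// NewChallenge issues fresh random bytes per login so a captured response cannot be replayed.
func (rp *RelyingParty) NewChallenge() string { return randomB64(32) }

// Verify runs the checks a WebAuthn server makes before accepting a login.
func (rp *RelyingParty) Verify(challenge string, as *Assertion) error {
	pub, rpHash := rp.pubs[as.CredentialID], sha256.Sum256([]byte(rp.RPID))
	var cd clientData
	_ = json.Unmarshal(as.ClientDataJSON, &cd) // malformed JSON leaves cd empty and fails below
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch (stale or replayed response)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	case len(as.AuthenticatorData) < 37 || string(as.AuthenticatorData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case pub == nil || !ecdsa.VerifyASN1(pub, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("unknown credential or bad signature")
	}
	return nil
}

func main() {
	dev := &Authenticator{map[string]*ecdsa.PrivateKey{}, map[string]string{}}
	site := &RelyingParty{"example.com", "https://example.com", map[string]*ecdsa.PublicKey{}}
	id, pub, _ := dev.Register(site.RPID) // first visit: only the public key reaches the site
	site.pubs[id] = pub
	ch := site.NewChallenge() // later visit: fresh challenge, signed response, verification
	as, _ := dev.Assert(id, site.RPID, site.Origin, ch)
	fmt.Println("login:", site.Verify(ch, as), "| replay:", site.Verify(site.NewChallenge(), as))
}
```

Two things in this demo are worth noticing. In a real browser the rpID and origin passed to Assert are not chosen by the website's JavaScript; the browser fills them in from the page that is actually open, which is why a phishing page at a lookalike address either finds no matching passkey or produces a signature the genuine site rejects on the origin and rpIdHash checks. The signature counter in the authenticator data is left at zero here because passkeys synced through a cloud keychain typically report zero; hardware security keys increment it, and a server can compare it with the last value seen to notice a cloned key.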


Where exactly are these Passkeys stored?

  • If you are in the Apple ecosystem (most likely, if you are reading this on an Apple device), they are stored in Keychain and managed in the Passwords app, and synced between your devices through iCloud Keychain.
  • If you use a third-party password manager that supports passkeys (such as 1Password or Dashlane), they are stored in that app's local vault or its cloud-based vault.
  • If you use physical security keys, such as those made by Yubico, they are stored on the key itself and never leave it. One example is two-factor authentication (2FA) for your Apple Account: Apple lets you use these physical keys as a second factor in place of SMS-based verification codes, which are decidedly less secure. Because nothing on a hardware key is synced, losing the key means losing that passkey, which is why Apple requires you to enroll at least two of them.
  • Finally, if you do not use any form of cloud syncing, passkeys live only on the device that created them. In that case, each device that is not syncing needs its own passkey registered with the website.


Hopefully this cleared things up a bit and encourages you to take advantage of passkeys over passwords.


Ref:

Welcome to Apple Support Community