After a long delay, we’re finally publishing a post on passkeys. This is probably the #1 topic requested by the Secrets of Privacy community, so we expect it will be a popular one.
Full disclosure up front: most of this post is for paid subs only. You can sign up for a free, cancel-anytime trial to read the whole post, and you'll also get access to browse the archives during that period. A paid sub is only around 23 cents per day.
Let’s kick things off with a brief history of passkeys.
Passkeys came on the scene around 2022. They are a new approach to digital authentication designed to replace traditional passwords. Instead of typing in a password, you use your device's built-in security features, like a fingerprint or face scan, to log in to websites and apps. Typically the "device" is a mobile phone, but it can also be a hardware key like a YubiKey. Behind the scenes, passkeys use public key cryptography to create a unique key pair for each of your accounts.
Major technology companies including Apple, Google, and Microsoft are aggressively promoting passkeys as the future of authentication. Their pitch is compelling: passkeys are more secure than passwords, impossible to forget, and resistant to phishing attacks.
Companies report impressive results after rolling out passkeys: PayPal saw a 70% reduction in account takeovers after implementing passkey tech (source), while other organizations report login success rates well above those of traditional passwords (63% versus 14%, source). Passkeys seem to have solved the privacy-versus-convenience problem, since they are both convenient and (mostly) privacy-friendly.
Here’s a video from Google about passkeys:
How Do Passkeys Work?
Passkeys are a passwordless authentication method based on public key cryptography. Our primary audience is non-techies, so think of it like a high-tech lock and key system - the website has the lock (public key), and only your device has the matching key (private key). When you create a passkey for an account, two cryptographic keys are generated:
Private Key: Stored securely on your device and never shared.
Public Key: Stored on the server of the service you're accessing.
During login, the server sends a fresh random challenge to your device. Your device signs this challenge with the private key and sends the signature back. The server verifies the signature using the public key it stored when you signed up. If the signature is valid, you're logged in, no password required.
Passkeys leverage your device's built-in security features like biometrics (fingerprint or facial recognition) or PINs for user verification, so only you can unlock the private key. They eliminate the need to remember or enter passwords, and because the signature is tied to the real website's domain and the private key never leaves your device, there is no secret you can be tricked into typing into a fake site. That is what makes them resistant to phishing and credential theft.
Why Big Tech Loves Passkeys
Even if you didn’t know what passkeys were, you’ve probably seen the term. Big Tech is putting on a full court press to promote passkeys. They’ve positioned passkeys as the future of authentication. Here are several of their reasons: