Inferensys

Glossary

Passkeys

A FIDO2-based, phishing-resistant credential standard that uses public-key cryptography and biometric device locks to replace passwords, providing a high-assurance deterministic signal for user authentication.
Knowledge engineer constructing knowledge base on laptop, document hierarchy visible, casual office setup.
AUTHENTICATION STANDARD

What is Passkeys?

A FIDO2-based, phishing-resistant credential standard that uses public-key cryptography and biometric device locks to replace passwords, providing a high-assurance deterministic signal for user authentication.

A passkey is a FIDO2 credential that replaces traditional passwords with a cryptographic key pair, where the private key is securely stored on the user's device and unlocked via a biometric sensor or local PIN. This architecture eliminates shared secrets from the server side, making the authentication flow inherently resistant to credential stuffing, phishing, and man-in-the-middle attacks.

During registration, the device generates a unique public-private key pair for the specific relying party, sending only the public key to the server. Subsequent logins require a local user verification gesture, after which the device signs a cryptographic challenge from the server. This provides a high-assurance deterministic signal for identity resolution, as the credential is bound to the device and cannot be replayed or stolen remotely.

PASSKEYS

Core Cryptographic Properties

Passkeys are FIDO2-based credentials that replace passwords with public-key cryptography. Each passkey consists of a private key stored securely on the user's device and a public key registered with the service, enabling phishing-resistant authentication through biometric or device PIN verification.

01

Public-Key Cryptography Foundation

Passkeys operate on asymmetric cryptography, generating a mathematically linked key pair during registration. The private key never leaves the user's device—it remains locked within the secure enclave, TPM, or hardware security module. The public key is sent to the relying party's server and is mathematically useless to an attacker if stolen. During authentication, the server sends a challenge that the device signs with the private key, proving possession without ever transmitting the secret itself. This eliminates the shared-secret problem that makes passwords vulnerable to credential stuffing and database breaches.

2048-bit+
Minimum RSA Key Length
Zero
Shared Secrets Transmitted
02

Phishing Resistance by Origin Binding

Unlike passwords or one-time codes, passkeys are origin-bound. The browser or operating system cryptographically ties each credential to the specific domain (e.g., https://example.com) that created it. If a user is tricked into visiting a lookalike phishing site, the authenticator refuses to release the credential because the origin doesn't match. This provides hardware-enforced protection against man-in-the-middle attacks. The WebAuthn specification mandates that the relying party ID is validated by the authenticator itself, not by JavaScript, making it impossible for malicious scripts to override the origin check.

100%
Phishing Prevention Rate
03

Multi-Device Sync via FIDO Credential Manager

Modern passkey implementations support cross-device synchronization through platform credential managers like Apple's iCloud Keychain, Google Password Manager, and Microsoft's Windows Hello. These systems use end-to-end encryption to sync private keys across a user's device fleet. The sync fabric itself is protected by the user's device passcode or biometric, ensuring that even the platform provider cannot access the plaintext keys. This solves the historical pain point of hardware-bound FIDO keys: losing a device no longer means permanent account lockout. Backup and recovery are built into the operating system's trusted execution environment.

E2EE
Sync Encryption Standard
04

WebAuthn and CTAP2 Protocol Stack

Passkeys are built on two W3C and FIDO Alliance standards: WebAuthn (the browser API) and CTAP2 (Client to Authenticator Protocol). WebAuthn defines how relying parties request and verify assertions. CTAP2 governs communication between the platform and external authenticators like security keys. Key protocol flows include:

  • navigator.credentials.create() for registration, returning a PublicKeyCredential with attestation
  • navigator.credentials.get() for authentication, signing a server-generated challenge
  • Attestation statements that cryptographically prove the authenticator's make and model, enabling enterprise policy enforcement
W3C + FIDO
Governing Standards Bodies
05

Resident Keys and Discoverable Credentials

Passkeys are discoverable credentials (formerly called resident keys), meaning the private key and associated metadata—including the user handle and relying party ID—are stored directly on the authenticator. This enables username-less authentication: the browser presents a list of available passkeys for the current origin, and the user selects their account without typing an identifier. The user handle is encrypted alongside the private key, so no personal information is exposed during credential selection. This contrasts with non-discoverable FIDO credentials that require the server to first supply a list of valid credential IDs.

Username-less
Authentication Flow
06

Hardware-Backed Attestation and Enterprise Controls

Passkeys support attestation, a cryptographic mechanism that proves the authenticator's provenance and security properties. Enterprise deployments can enforce policies requiring:

  • Platform authenticators with verified TPM-backed key storage
  • User verification via biometric or PIN on every assertion
  • Attestation type filtering to block unapproved authenticator models This gives IT administrators deterministic assurance that authentication events originate from managed, hardware-backed devices—a critical signal for zero-trust architectures and compliance frameworks like FedRAMP and SOC 2.
Zero Trust
Architecture Alignment
PASSKEY FUNDAMENTALS

Frequently Asked Questions

Clear, technically precise answers to the most common questions about FIDO2 passkeys, their cryptographic underpinnings, and their role in deterministic identity resolution.

A passkey is a FIDO2-based, phishing-resistant digital credential that uses public-key cryptography to replace passwords entirely. During registration, a user's device generates a unique cryptographic key pair: a private key stored securely in the device's hardware-bound Trusted Platform Module (TPM) or Secure Enclave, and a public key sent to the relying party's server. Authentication requires a local biometric gesture (like a fingerprint or face scan) or a device PIN to unlock the private key, which then signs a cryptographic challenge from the server. The server verifies this signature using the stored public key, completing the login without any shared secret ever leaving the device or traversing the network. This architecture makes passkeys inherently resistant to credential stuffing, server-side database breaches, and man-in-the-middle phishing attacks because the private key is never transmitted and is origin-bound to the specific domain that registered it.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.