Key Takeaways:
- Passkeys are phishing resistant credentials built on public key cryptography that eliminate shared secrets between users and servers.
- A passkey is a discoverable WebAuthn credential created within the FIDO2 authentication framework.
- Web Authentication (WebAuthn) is the browser standard that enables passwordless authentication across browsers, devices, and authenticators.
- Synced and device bound credentials support different operational needs, from convenience to high security control.
- Because servers store only public keys, a database breach does not expose reusable login secrets.
- Beyond login, passkeys can replace typed wallet passwords when signing transactions by securely unlocking the wallet's private key using hardware-protected cryptography.
The Shift from Passwords to Public Key Authentication
Passwords are shared secrets. A user creates one, the server stores a version of it, and login works because both sides know the same secret. That system has weaknesses. People reuse passwords. Attackers trick users into typing them into fake websites. If a database is breached, stolen password hashes can be cracked offline, and the recovered passwords tried against other services where they were reused.
Passwordless authentication replaces this model with public key cryptography. Instead of sharing a secret with a website, a device creates a unique key pair for that specific domain. One key is private and stays on the device. The other key is public and is stored by the website.
This happens in two simple steps.
Registration
When a user sets up login, the device creates a key pair. The public key is sent to the website and stored with the user's account. The website can also ask the authenticator to attest what kind of device created the credential (attestation), which lets it restrict registration to approved authenticator models.
Authentication
When the user logs in, the website sends a random challenge. The device signs that challenge using the private key. The website verifies the signature using the stored public key.
With passwords, users send a reusable secret. With public key credentials, the server receives proof that the device holds the correct private key. The private key is never sent to the website: a device bound credential never leaves its authenticator at all, and a synced credential is only ever copied between the user's own devices through the platform's encrypted sync. The fundamental shift is simple: websites no longer need to store secrets that can be stolen and reused.
Passkeys and WebAuthn: Credentials and the Standard
Passkeys and WebAuthn are related, but they are not the same thing.
Web Authentication (WebAuthn) is a browser standard developed by the World Wide Web Consortium (W3C) together with the FIDO Alliance. Combined with the Client to Authenticator Protocol (CTAP), which carries requests from the browser to external authenticators such as security keys, it makes up the FIDO2 authentication framework. WebAuthn defines how browsers talk to authenticators and how websites verify registration and login attempts.
A passkey is a type of WebAuthn credential. It is simply one kind of credential created and used through that standard.
WebAuthn provides the rules and the browser API that enable secure, key-based login. It does not store keys itself. Browsers expose WebAuthn through the navigator.credentials API: navigator.credentials.create() starts registration and navigator.credentials.get() starts login, with the website supplying a fresh challenge for each call.
The credential lives on the device. WebAuthn defines how it is created and checked.
The Four Technical Actors in a WebAuthn Flow
A WebAuthn login involves four parts.
The User
The person trying to log in. They confirm presence with a touch or tap, and, when the website requires it, confirm their identity using a fingerprint, face scan, or device PIN (user verification).
The User Agent
The browser or operating system. It acts as the middle layer between the website and the device.
The Authenticator
The device that creates and stores the key pair. This could be a phone, laptop security chip, or hardware security key.
The Relying Party
The website or server. It stores the public key and verifies signed login challenges.
The website never sees or stores the private key.
Why This Model Is Phishing Resistant
Phishing works by tricking users into typing passwords into fake websites.
Public key credentials prevent this at the technical level.
Each credential is scoped to a specific website domain, known as the relying party identifier, or RP ID. The browser derives the RP ID from the origin of the page making the request, not from anything the page claims, and the authenticator will only use credentials created for that RP ID. A fake site on a different domain therefore cannot obtain a signature from the credential registered for the real site, even if it relays the real site's challenge. The server closes the loop by checking the origin recorded in the signed client data and the RP ID hash in the authenticator data before it accepts any signature.
Protection does not depend on the user spotting the fake site. The browser, the authenticator, and the server enforce it.
The End of Shared Secrets
With passwords, websites store hashed versions of secrets. If a database is breached, attackers may try to crack those hashes or reuse them on other services.
With WebAuthn credentials, the website stores only the public key. A public key cannot be used to log in. It can only verify a signature created by the matching private key.
If a database is compromised, attackers gain public keys and credential IDs, neither of which can be used to impersonate users. The private key remains on the user's device.
This removes one of the biggest risks in traditional password systems.
Discoverable Credentials and Username Free Login
Discoverable credentials (also called resident credentials) are stored on the authenticator together with the RP ID and a user handle, so the authenticator itself can list which credentials exist for a website and which account each belongs to, without the server first supplying a credential ID.
When a user visits a site, the browser can show available login options automatically. The user selects the account and confirms with a fingerprint or face scan. No username typing is required.
The login still relies on cryptography, but the experience feels similar to password autofill.
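The browser side of what the navigator.credentials section and the discoverable-credential section describe looks like the following. This is an added example, not BitGo's code: it builds the option objects that a relying party sends down for navigator.credentials.create() and navigator.credentials.get(), serializes the returned credential for transport, and only touches navigator when it actually exists (the option builders and encoders run anywhere). The RP name and ID, the user record, the challenge encoding and the mentioned server endpoint are assumptions for the example. residentKey: "required" is what turns a plain WebAuthn credential into a discoverable one, and the login options deliberately omit allowCredentials so the browser offers the credentials it holds for this RP ID without a typed username.

```javascript
// Added example (not BitGo's code): the browser side of a passkey flow.
// Option builders and encoders are plain functions; the two async functions
// call navigator.credentials and therefore only work inside a browser.
// RP details, user fields and endpoint names are assumed for the example.

const RP = { id: "example.com", name: "Example Corp" };   // assumed relying party

// Challenges and IDs travel as base64url strings; the WebAuthn API wants bytes.
function fromBase64url(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function toBase64url(bytes) {
  const bin = String.fromCharCode(...new Uint8Array(bytes));
  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Registration options. residentKey: "required" asks for a discoverable
// credential (a passkey). attachment: "platform" limits to the built-in
// authenticator, "cross-platform" to roaming hardware keys; leaving it unset
// accepts either. attestation: "direct" asks the authenticator to prove what
// it is, for relying parties that want to check the device type.
function buildCreateOptions(challengeB64url, user, { attestation = "none", attachment } = {}) {
  const authenticatorSelection = {
    residentKey: "required",
    requireResidentKey: true,          // older spelling, kept for older browsers
    userVerification: "required",      // biometric or PIN, not just a touch
  };
  if (attachment) authenticatorSelection.authenticatorAttachment = attachment;
  return {
    publicKey: {
      rp: RP,
      user: { id: new TextEncoder().encode(user.id), name: user.name, displayName: user.displayName },
      challenge: fromBase64url(challengeB64url),
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }], // ES256, RS256
      authenticatorSelection,
      attestation,
      timeout: 60000,
    },
  };
}

// Login options. No allowCredentials: the browser lists the discoverable
// credentials it holds for RP.id and the user picks an account.
function buildGetOptions(challengeB64url) {
  return {
    publicKey: {
      rpId: RP.id,
      challenge: fromBase64url(challengeB64url),
      userVerification: "required",
      timeout: 60000,
    },
  };
}

// Turn a PublicKeyCredential (ArrayBuffer fields) into JSON for the server.
function serializeCredential(cred) {
  const r = cred.response;
  const enc = (buf) => (buf ? toBase64url(buf) : undefined);
  return {
    id: cred.id,
    rawId: toBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: toBase64url(r.clientDataJSON),
      attestationObject: enc(r.attestationObject),   // registration only
      authenticatorData: enc(r.authenticatorData),   // login only
      signature: enc(r.signature),                   // login only
      userHandle: enc(r.userHandle),                 // login only; identifies the account
    },
  };
}

async function registerPasskey(challengeB64url, user, choices) {
  if (typeof navigator === "undefined" || !navigator.credentials) throw new Error("WebAuthn requires a browser");
  const cred = await navigator.credentials.create(buildCreateOptions(challengeB64url, user, choices));
  return serializeCredential(cred);   // POST to e.g. /webauthn/register/finish (assumed endpoint)
}

async function loginWithPasskey(challengeB64url) {
  if (typeof navigator === "undefined" || !navigator.credentials) throw new Error("WebAuthn requires a browser");
  const cred = await navigator.credentials.get(buildGetOptions(challengeB64url));
  return serializeCredential(cred);   // POST to e.g. /webauthn/login/finish (assumed endpoint)
}
```

The server that receives the serialized credential must still do the verification described in the earlier sections; the browser only produces the material. Choosing "cross-platform" attachment is how a relying party insists on a device bound hardware key at registration time.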
Beyond Login: Using Passkeys for Signing Wallet Transactions
WebAuthn is most commonly associated with login, but the same cryptographic model can also be applied to wallet transaction signing.
In a digital asset wallet, users typically enter a wallet password to unlock an encrypted private key before signing a transaction. Passkeys can replace this typed password. Instead of entering a reusable secret, the user confirms with a device-held credential such as Face ID, Touch ID, or a hardware security key. The passkey securely unlocks the wallet's private key using hardware-protected cryptography, and the private key then signs the blockchain transaction as usual. One practical caveat: a WebAuthn assertion signature is not itself a secret, so the unlock needs a ceremony output that only the passkey can reproduce, for example the secret returned by the WebAuthn PRF extension, which then wraps and unwraps the stored wallet key.
This approach improves usability while preserving the existing wallet security model. The passkey acts as a secure unlock mechanism, while the wallet's private key remains the cryptographic signer and never leaves its protected environment.
Synced vs Device Bound Credentials
WebAuthn credentials can be used in different ways.
Synced Credentials
Synced credentials are stored in platform credential managers such as iCloud Keychain or Google Password Manager. The private key is created on the device and then synchronized, end-to-end encrypted, to other devices linked to the same platform account.
This makes it easier to recover access if a device is lost while keeping keys protected on each device. The trade-off is that a synced key is exportable by design, so it is not bound to one piece of hardware, and the security and recovery of the platform account become part of the trust boundary.
Device Bound Credentials
Device bound credentials stay on a single device and cannot be exported. Hardware security keys are a common example.
This approach is useful for high security situations where strict key control is required.
Developers should choose the model that fits their security needs and recovery requirements. A relying party can tell which kind it received: the authenticator data returned at registration and login carries a backup eligible (BE) flag and a backup state (BS) flag, and a policy that requires device bound credentials should reject registrations where BE is set.
Are Passkeys Safe?
Yes, when implemented correctly.
Security no longer depends on memorizing secrets. It relies on cryptography, domain binding, and hardware protected key storage.
Phishing is blocked at the protocol level. Database breaches do not expose reusable login secrets. The main remaining risks involve device loss and account recovery design.
As with any authentication system, recovery paths must be designed carefully. But the core weaknesses of shared secrets are removed.
Architectural Considerations for Developers
Adopting WebAuthn changes how authentication is designed.
Applications must support registration and login flows, store public keys with user accounts, and design recovery methods that do not fall back to weak shared secrets.
Developers should decide whether they need attestation to verify what type of device created a credential, which authenticators to allow, whether synced credentials are acceptable, and what backup options are permitted.
These credentials reduce phishing and password reuse risk, but they should be part of a broader identity system that includes proper authorization and session management.
Why BitGo
Secure authentication is foundational to digital asset infrastructure. Institutions that require regulated custody and operational controls can start with BitGo's custody offering overview, Crypto Custody Solutions.
BitGo operates under a national trust charter issued by the Office of the Comptroller of the Currency and is a publicly traded company. This structure places its operations under direct regulatory supervision and public market transparency. Authentication controls, including support for hardware based and policy driven access models, are implemented alongside established wallet security models described in Understanding BitGo Wallets and the operational discipline associated with cold storage.
By aligning phishing resistant authentication practices with regulated custody infrastructure, BitGo supports institutions that demand durable, verifiable access controls.
FAQs
What is a passkey in simple terms?
A passkey is a WebAuthn credential that lets you log in using a device-held key pair instead of a password.
How is this different from multi-factor authentication?
Traditional multi-factor authentication adds extra steps to a password. WebAuthn credentials replace the password entirely and use cryptographic proof plus device verification such as biometrics or a PIN.
What happens if a server database is breached?
Only public keys are stored on the server. Public keys cannot be used to log in without the matching private keys stored on devices.
Can these credentials be phished?
They are designed to resist phishing because each credential is tied to a specific website domain. A device will not sign a login challenge for a fake site.
What happens if a device is lost?
Synced credentials can be restored through their ecosystem. Device bound credentials require backup authenticators or a recovery plan.
About BitGo
BitGo is the digital asset infrastructure company, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have been focused on accelerating the transition of the financial system to a digital asset economy. With a global presence and multiple regulated entities, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide. For more information, visit www.bitgo.com.
(c)2026 BitGo, Inc. (collectively with its parent, affiliates, and subsidiaries, "BitGo"). All rights reserved. BitGo Bank & Trust, National Association ("BitGo Bank & Trust") is a national trust bank chartered and regulated by the Office of the Comptroller of the Currency (OCC). BitGo Bank & Trust is a wholly-owned subsidiary of BitGo Holdings, Inc., a Delaware corporation headquartered in Palo Alto, California. Other BitGo entities include BitGo, Inc. and BitGo Prime LLC, each of which is a separately operated affiliate of BitGo Bank & Trust.