Cyber security considerations for passkeys (ITSAP.30.033)

As an alternative to passwords, passkeys offer a modern approach for users to sign in to accounts. Passkeys are typically unlocked using biometric methods (such as fingerprints or facial recognition) or a personal identification number (PIN), as a faster and more secure way to verify a user’s identity and proof of possession.

How passkeys work in cyber security

Using passkeys is like using a set of two different keys to unlock a door, only in this instance the keys (and the door) are digital. When you sign up for a service and create an account, a pair of digital keys is created. One key belongs to you (private key) and the other is held by the service provider (public key). Your key can be stored on a device such as a smartphone, tablet or laptop. It can also be stored on a special hardware token designed to hold keys. Depending on the situation, you may be able to copy your key to multiple devices so you can access the service from them as well.

Your key is used to prove your identity to the service provider when you log in. Your key is unique and only you should have access to it. The service provider uses their key to help confirm that you are who you claim to be. If someone takes your key, then they can use it to impersonate you, which is why your key is stored in a secure location on your device. To use your device, you must unlock it. This is normally done using a PIN or a biometric which is generally easier to use than a password.

Passkeys are implemented on top of the Web Authentication (WebAuthn) specification, the technical standard that enables passwordless authentication. Web authentication enables secure registration and use of public-key credentials and defines how browsers and websites communicate with authenticators.

Benefits of using passkeys

A passkey is a digital key that is securely stored on your device or computer. It can be unlocked for use by a PIN or biometric, making it more convenient than a traditional password. While passkeys still rely on layered defence, they can reduce phishing attacks because no passwords are transmitted to the service provider. Rather, the keys are used to establish a secure channel.

In addition, the compromise of a public-facing website or application does not inherently result in the compromise of user credentials. In the event of a compromise of a public website or application, a threat actor would only obtain the public key associated with the account. By design, public keys cannot be used to authenticate or gain access without the corresponding private key. However, it is recommended that the key pair be replaced if a compromise is confirmed to safeguard against secondary risks.

Some passkeys are synced, like those stored in password managers, while others are device-bound, such as a YubiKey. In most cases, passkeys can be used to access a single account from multiple trusted user devices. In this instance, a separate public/private key pair is established for each device.

Overall, passkeys offer enhanced security over traditional authentication methods, such as passwords.

Security considerations for passkeys

While passkeys provide a strong and phishing-resistant authentication mechanism, there are several security considerations that your organization should be aware of. One fundamental security action for passkeys is to ensure the security of private keys.

Your organization should consider the following security factors as it adopts passkeys:

  • challenges in accessing support across public websites and applications as they're not yet universal
  • usability challenges due to cross-device authentication across different environments, such as mixed operating systems, which can lead to an inconsistent user experience
  • lack of capability for older or unsupported devices to support them, as these devices may not be able to securely store private keys
  • continuous device protection through regular patching and updates to protect against vulnerabilities
  • post-quantum security considerations as part of their implementation

As organizations transition to passkeys, it is critical to assess the new risk landscape they introduce. This includes implementation vulnerabilities, evolving threat actor tactics and alternative authentication implications.

Implementation vulnerabilities

Passkeys rely on multiple cryptographic and authentication components. As with any security control, improper design, configuration or implementation may introduce vulnerabilities. While beyond the user's control, the overall security of passkeys is dependent on the correct implementation, secure integration, and ongoing maintenance of the underlying algorithms and technologies.

Each authentication request contains:

  • data signed by a private key
  • flags for "user presence" and "user verification"
  • an incrementing signature counter to prevent the cloning of authenticators

It is crucial that relying parties (namely website and application owners) verify that each of these components is present and valid, using the authentication software that manages their passkey credentials.

Relying parties cannot easily distinguish between a passkey stored on a trusted platform module (device-bound) versus one stored in a personal cloud account. If a cloud account has weak security or a weak authentication method itself, the passkey can be more easily obtained.
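The following is an added example, not code from the ITSAP.30.033 page, showing the relying-party checks described above on a WebAuthn authentication assertion: the rpIdHash, the "user presence" and "user verification" flags, the signature base that the private key signs, and the signature counter used to detect cloned authenticators. It also reads the backup-eligible and backup-state flag bits, which go beyond the page: an authenticator may use them to report that a credential can be synced, but they are self-reported, so they only soften the difficulty of distinguishing synced from device-bound passkeys. The relying party name, origin, challenge and the `verify_signature` callback are assumptions; the callback stands in for ECDSA or EdDSA verification with the credential's stored public key, and the sample assertion is constructed inline.

```python
# Added example (not from the ITSAP.30.033 page): relying-party verification of a
# WebAuthn assertion using only the Python standard library.
# Authenticator data layout (W3C WebAuthn spec):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional data
import base64
import hashlib
import json
import struct
from dataclasses import dataclass
from typing import Callable

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up


class AssertionRejected(Exception):
    """Raised when any relying-party check on the assertion fails."""


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @classmethod
    def parse(cls, raw: bytes) -> "AuthenticatorData":
        if len(raw) < 37:
            raise ValueError("authenticator data too short")
        (sign_count,) = struct.unpack(">I", raw[33:37])
        return cls(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def b64url(data: bytes) -> str:
    # WebAuthn encodes the challenge in clientDataJSON as unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Constructed fixture: what an authenticator emits for an assertion (no extensions)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(*, rp_id: str, origin: str, expected_challenge: bytes,
                     stored_sign_count: int, authenticator_data: bytes,
                     client_data_json: bytes, signature: bytes,
                     verify_signature: Callable[[bytes, bytes], bool],
                     require_user_verification: bool = True) -> int:
    """Return the new signature counter to store, or raise AssertionRejected."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise AssertionRejected("wrong ceremony type")
    if client_data.get("challenge") != b64url(expected_challenge):
        raise AssertionRejected("challenge mismatch (possible replay)")
    if client_data.get("origin") != origin:
        raise AssertionRejected("origin mismatch (possible phishing relay)")

    auth = AuthenticatorData.parse(authenticator_data)
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise AssertionRejected("rpIdHash does not match this relying party")
    if not auth.has(FLAG_UP):
        raise AssertionRejected("user presence flag not set")
    if require_user_verification and not auth.has(FLAG_UV):
        raise AssertionRejected("user verification flag not set")

    # The private key signs authenticatorData || SHA-256(clientDataJSON)
    signed_message = authenticator_data + hashlib.sha256(client_data_json).digest()
    if not verify_signature(signed_message, signature):
        raise AssertionRejected("signature does not verify with the stored public key")

    # Counter check: a pair of zeros means the authenticator does not implement a
    # counter; otherwise the count must strictly increase or a clone is suspected
    if auth.sign_count != 0 or stored_sign_count != 0:
        if auth.sign_count <= stored_sign_count:
            raise AssertionRejected("signature counter did not increase: possible cloned authenticator")
    return auth.sign_count


def demo_verify(stored_sign_count: int, new_sign_count: int, flags: int = FLAG_UP | FLAG_UV) -> int:
    # Constructed sample assertion; "demo-key" is a placeholder for a real key pair
    rp_id, origin = "example.com", "https://example.com"
    challenge = b"constructed-challenge-0123456789ab"
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth_data = build_authenticator_data(rp_id, flags, new_sign_count)
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    fake_sig = hashlib.sha256(b"demo-key" + signed).digest()
    return verify_assertion(
        rp_id=rp_id, origin=origin, expected_challenge=challenge,
        stored_sign_count=stored_sign_count, authenticator_data=auth_data,
        client_data_json=client_data_json, signature=fake_sig,
        verify_signature=lambda msg, sig: sig == hashlib.sha256(b"demo-key" + msg).digest())


def demo_is_rejected(stored_sign_count: int, new_sign_count: int, flags: int = FLAG_UP | FLAG_UV) -> bool:
    try:
        demo_verify(stored_sign_count, new_sign_count, flags)
        return False
    except AssertionRejected:
        return True


if __name__ == "__main__":
    print("accepted, new counter:", demo_verify(5, 6))
    print("replayed/cloned counter rejected:", demo_is_rejected(5, 5))
    print("missing UV rejected:", demo_is_rejected(5, 6, flags=FLAG_UP))
```

The counter rule follows the WebAuthn specification: when both the stored and the received count are zero the authenticator does not implement a counter, so the check is skipped; in every other case a count that fails to increase should be treated as a sign that the private key may have been copied, and the relying party should flag the credential rather than silently accept it.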

Evolving threat actor tactics

As the use of passkeys becomes widespread, threat actors are evolving their tactics. Some of the main tactics threat actors use, particularly to steal passkeys, include:

  • exploiting implementation vulnerabilities
  • hijacking sessions, an attack where threat actors take over a user's online session after they've authenticated their credentials
  • using malware to "silently" trigger the web authentication API if the user is not actively verifying the authentication request
  • developing methods to bypass passwordless authentication systems
  • conducting cross-site request forgery, an attack that tricks the victim's browser into authenticating or registering on the attacker's behalf

Alternative login options

While the option to use passkeys is becoming widely supported, many systems retain passwords or other legacy authentication methods. Passkeys allow you to safely and quickly log in, but if a passkey fails, a user (or threat actor) can resort to passwords or other authentication factors as an alternate login. The continued availability of alternative authentication methods poses a residual risk, as these methods are more susceptible to compromise and can reduce your overall security posture.

In the absence of passkeys, we recommend that you and your organization use multi-factor authentication (MFA) where possible to protect high-value business services and data from threat actors. MFA requires a user to provide two or more different authentication factors to verify their identity during a login process. These authentication factors can be a combination of:

  • something the user knows (for example, a password or PIN)
  • something the user has (for example, a smart card or a security key)
  • something the user is (biometric features such as a fingerprint or face scan)

While not foolproof, MFA substantially enhances security by increasing the level of effort required by threat actors.
