skip to content
luminary.blog
by Oz Akan
vault
Technical Posts

How do Passkeys Work?

Passkeys protect against phishing and brute-force attacks by eliminating the need for users to enter passwords.

/ 8 min read

View more blogs with the tag security
Table of Contents

Text To Speech

Passkeys protect against phishing and brute-force attacks by eliminating the need for users to enter passwords. As more platforms adopt this technology, passkeys are expected to replace passwords for a more seamless and secure user experience.

What is a Passkey?

A passkey is a digital credential that serves as a password replacement for logging into websites and applications. It provides a more secure and seamless authentication method by removing the need for traditional passwords, which can be susceptible to phishing and brute force attacks.

How do passkeys work?

Creation

When you create a passkey, your device generates a pair of cryptographic keys: a public key and a private key. The public key is shared with the online service, while the private key remains securely stored on your device.

Authentication

When you sign in, the service sends a challenge to your device. Your device signs this challenge with the private key, which can only be unlocked using a fingerprint, face scan, or PIN.

Verification

The online service verifies the signed challenge using the public key, confirming your identity without ever seeing or storing your private key.

Passkeys utilize public key cryptography, where a public key is stored on the server, and the private key remains on the user’s device. This system ensures that even if a service is compromised, your passkey remains secure because there is no password or private key stored on the server. Passkeys are unique to each site and device, reducing the risk of widespread account breaches.

Details

User Experience

The user experience of passkeys is designed to be seamless and secure.

Creation

Creating a passkey is typically a straightforward process. When you encounter a website or application that supports passkeys, you’ll usually be prompted to create one during the login or registration process. The exact steps may vary depending on the platform, but generally involve verifying your identity using a biometric method (fingerprint or face scan) or a device PIN.

Authentication

Logging in with a passkey is even easier. Instead of entering a password, you’ll be prompted to authenticate using your device’s biometric authentication or PIN. This eliminates the need to remember and type in a password, making the process faster and more convenient.

What is a challange?

The challenge is essentially a random or unique piece of information generated by the service. It’s like a question that only you can answer correctly because only your device holds the corresponding private key. The service verifies the signed challenge using your public key. If the signature is valid, it confirms that you possess the correct private key and, therefore, are authorized to access the account.

Example

  1. You attempt to log in to your online banking account.
  2. The bank’s server sends a challenge to your device (e.g., your phone). This challenge could be a random string of characters like “Xys7a9zKl2”.
  3. Your device uses your private key (protected by your fingerprint, face scan, or PIN) to create a digital signature of that challenge.
  4. Your device sends the signed challenge back to the bank’s server.
  5. The bank’s server uses your public key (which it already has on file) to verify that the signature is valid and matches the original challenge.
  6. If the signature is correct, the bank confirms your identity and logs you in.

In this example, the challenge ensures that the device attempting to log in actually possesses the correct private key associated with your account. Without the private key, the challenge cannot be signed correctly, and authentication will fail. This prevents unauthorized access, even if someone intercepts the challenge itself.

How does asymmetric encryption work?

Private-Public Key Encryption, also known as asymmetric encryption, uses a pair of keys:

  1. Public Key – Can be shared with anyone. Used for encryption.
  2. Private Key – Must be kept secret. Used for decryption.

This encryption method is widely used in secure communication, digital signatures, and authentication systems.

Steps in Public-Key Encryption

  1. Key Generation

    • A user generates a pair of keys: a public key and a private key.
    • The public key is shared with others, while the private key remains secret.

  2. Encryption

    • When someone wants to send a secure message, they use the recipient’s public key to encrypt the message.

  3. Decryption

    • The recipient uses their private key to decrypt the message and read it.

Passkeys vs Passwords

Passkeys are safer than passwords.

  • Resistance to Phishing: Passkeys are technically bound to the original website for which they were created, so they can’t be used on malicious websites. Passkeys eliminate the need for users to enter their passwords, and even if a user visits a phishing site, their passkey won’t be prompted. This is a significant advantage over passwords, which are vulnerable to phishing attacks, where attackers trick users into giving their login details.
  • Protection Against Brute-Force Attacks: Passkeys have a higher entropy than typical user-chosen passwords and are immune to brute-force attacks.
  • No Shared Secrets: Passkeys do not depend on shared information vulnerable to interception. With passkeys, the service provider only possesses your public key. Losing this doesn’t compromise your account’s safety, as the private key, crucial for access, is securely stored on your device, not with the service provider.
  • Reduced Risk of Password Theft: Passkeys greatly reduce the risk of password theft. Passwords can often be guessed or stolen if there is some data breach.
  • Immunity to Credential Stuffing: Passkeys are more resistant to credential stuffing, where stolen passwords are tried on different websites to gain unauthorized access. Passkeys avoid this risk, keeping your accounts safer.
  • Higher Security: Passkeys are more successful at reducing the risk of phishing than passwords. Passkeys are more resistant to credential stuffing and other remote attacks and generally offer consumers and corporations greater security.

I found some numbers online which I can’t not validate so don’t trust them as they are:

Passkey authentication flow in detail

The passkey authentication workflow involves two main processes: registration and authentication.

Registration (Creating a Passkey)

  1. The user chooses to use passkeys within an application, often in account settings.
  2. The application provides configurations to the client (e.g., browser) to create a new credential.
  3. The client passes these configurations to the authenticator (external like a security key, or platform like Face ID).
  4. The authenticator requests user verification.
  5. The user completes verification (biometrics, etc.) and approves passkey creation.
  6. The authenticator creates a public-private key pair, sends the public key to the client, and securely stores the private key.
  7. The client sends the public key to the application for storage. Passkeys are stored and may be synced across devices.
  8. The user has registered a passkey.

Authentication (Signing In with a Passkey)

  1. The user selects passkeys as the login method.
  2. The application gives the client an authentication challenge.
  3. The client passes the challenge to the authenticator.
  4. The authenticator requests user verification.
  5. The user completes verification (biometrics, PIN, etc.).
  6. The authenticator signs the challenge using the private key and sends the signed challenge to the client.
  7. The client provides the application with the signed challenge.
  8. The application verifies the challenge with the stored public key.
  9. If verified, authentication is successful, and the user is logged in.

Passkey Adoption

Passkeys are expected to replace passwords as more platforms adopt this more secure technology.

What is Signing?

Signing with a private key and validating with a public key is a cornerstone of digital signatures, ensuring the authenticity and integrity of data. Here’s how the process works:

1. Signing with the Private Key:

  • Hashing: The sender (signer) uses a cryptographic hash function to create a unique “digital fingerprint” (hash) of the data. This hash is a fixed-length string of characters that represents the data. Even a minor change to the original data will result in a completely different hash value.
  • Encryption: The sender then uses their private key to encrypt this hash value. This encrypted hash is the digital signature. The private key is kept secret and is known only to the signer.
  • Appending the Signature: The digital signature is then appended to the original data, and both are sent to the recipient.

2. Validating with the Public Key:

  • Decryption: The recipient uses the sender’s public key to decrypt the digital signature, which retrieves the original hash value. The public key is freely available and associated with the sender’s private key.

  • Independent Hashing: The recipient independently calculates the hash of the received data using the same hashing algorithm that the sender used.

  • Comparison: The recipient compares the two hash values: the one they calculated from the received data and the one they decrypted from the digital signature.

  • Verification: If the two hash values match, it confirms that:

    • Authenticity: The data originated from the claimed sender, as only their private key could have created a signature that the corresponding public key can decrypt.
    • Integrity: The data has not been altered in transit, as any changes to the data would result in a different hash value.

  • Invalid Signature: If the hash values don’t match, it indicates that either the data has been tampered with or the signature is invalid.

This process relies on public-key cryptography, where the private key is used to encrypt, and the public key is used to decrypt. The security of this system depends on keeping the private key secret. Digital signatures can be used to sign code releases, container images, security artifacts, and authentication/authorization exchanges. Certificate Authorities (CAs) play a crucial role in managing certificates, which bind the public key to validity and identity information.

One last thing: AI Generated Podcast to Learn the Content

← AWS AI Practitioner Certification Notes
TF-IDF Simplified →