Passkeys are a new form of authentication that can be viewed as an evolution of the Two Factor Authentication (2FA) model. They are more secure and also more convenient, as they remove the need to enter any password; they rely instead on your device and on the target service supporting passkey authentication.
Passkeys work by generating a public-private key pair: the public key is stored on the server and the private key stays on your device. When you sign in to a service that supports passkeys, you use your device's biometrics or a PIN/pattern to authorise the login. This mechanism greatly reduces the risk of phishing, and the authorisation cannot be stolen the way a 2FA code can.
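As an added illustration (not code from the original article), the following Go program models the registration and sign-in exchange described above using a simplified version of the WebAuthn signing input: the device keeps the private key, the server keeps only the public key and issues a fresh random challenge for every login, and the signed data is bound to the site identifier (rpID), so a signature requested by a look-alike origin is refused and an old signature does not verify against a new challenge. The names Authenticator, RelyingParty, rpID and the exact-match origin check are my own simplifications; real browsers apply a more elaborate rpID-to-origin rule.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator is the device side: the private key is created here and never leaves.
// Calling Sign stands in for the user having unlocked it with a biometric or PIN.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // site the credential was created for, e.g. "example.com"
}

// RelyingParty is the server side: it stores only public keys, one per user.
type RelyingParty struct {
	rpID       string
	publicKeys map[string]*ecdsa.PublicKey
}

// clientData is a simplified stand-in for WebAuthn's clientDataJSON.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, publicKeys: map[string]*ecdsa.PublicKey{}}
}

// Register: the device generates a P-256 key pair; the server keeps the public half only.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.publicKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv, rpID: rp.rpID}, nil
}

// NewChallenge: fresh random bytes per login attempt, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signingInput mirrors WebAuthn: sha256(rpID) || sha256(clientDataJSON).
// Both sides compute it independently; the server never takes the rpID from the client.
func signingInput(rpID string, cd clientData) ([]byte, error) {
	cdBytes, err := json.Marshal(cd)
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdBytes)
	return append(rpHash[:], cdHash[:]...), nil
}

// Sign: the browser fills in the origin it is actually on; the credential is only usable
// when that origin belongs to its rpID (exact match here, a simplification).
func (a *Authenticator) Sign(challenge []byte, origin string) ([]byte, clientData, error) {
	cd := clientData{Challenge: challenge, Origin: origin}
	if origin != "https://"+a.rpID {
		return nil, cd, fmt.Errorf("credential for %q not usable on %s", a.rpID, origin)
	}
	msg, err := signingInput(a.rpID, cd)
	if err != nil {
		return nil, cd, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return sig, cd, err
}

// Verify: the challenge must be the one the server issued, the origin must be its own,
// and the signature must validate under the stored public key.
func (rp *RelyingParty) Verify(user string, issued []byte, cd clientData, sig []byte) bool {
	pub, ok := rp.publicKeys[user]
	if !ok || !bytes.Equal(cd.Challenge, issued) || cd.Origin != "https://"+rp.rpID {
		return false
	}
	msg, err := signingInput(rp.rpID, cd)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	rp := NewRelyingParty("example.com")
	auth, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	sig, cd, err := auth.Sign(challenge, "https://example.com")
	fmt.Println("genuine login verifies:", err == nil && rp.Verify("alice", challenge, cd, sig))
	_, _, err = auth.Sign(challenge, "https://example.com.evil.test") // look-alike origin
	fmt.Println("look-alike origin refused:", err != nil)
	stale, _ := NewChallenge()
	fmt.Println("old signature verifies against new challenge:", rp.Verify("alice", stale, cd, sig))
}
```

The point to take from the model is that nothing secret crosses the network: the server only ever sees the public key and signatures over challenges it generated itself, and the origin is fixed by the browser rather than typed by the user, which is why a convincing fake login page has nothing to capture.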
To use passkeys you first need a device that supports the technology; the supported OS versions are listed by platform below.
| Company | Supported Platforms |
|---|---|
| Google | Android 9+, ChromeOS |
| Apple | iOS 16+, macOS Ventura 13+, watchOS |
| Microsoft | Windows 11 build 22H2 with KB5030310 or higher |
| Linux | Recent builds, check your distro |
Secondly, the site or service you are using must support passkey authentication. Many major services have already implemented support, and the standard is growing. You can use the passkeys.directory site below to check whether your service supports passkeys.
If your device does not have biometric security, such as a fingerprint scanner or facial recognition, it is important to maintain good situational awareness: an attacker can watch you enter your unlock pattern or PIN, then steal the device and gain instant access to your accounts. This is an inherent risk of 2FA authentication as well.
Always use biometric security where available. If your device does not support it, choose a device lock PIN or pattern that is different from any code or pattern you use for other accounts.