How Passkeys Work

FIDO authentication uses standard public key cryptography techniques to provide phishing-resistant authentication. During registration with an online service, the user’s client device creates a new cryptographic key pair that is bound to the web service domain. The device retains the private key and registers the public key with the online service. These cryptographic key pairs, called passkeys, are unique to every online service. Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets.

How Authentication Works with FIDO

With FIDO, the user’s device must prove possession of the private key by signing a challenge before sign-in can complete. The device signs only after the user verifies the sign-in locally on that device, via quick and easy entry of a biometric, a local PIN or a touch of a FIDO security key. Sign-in is completed through a challenge-response exchange between the user’s device and the online service; the service never sees or stores the private key.

FIDO is designed from the ground up to protect user privacy and prevent phishing. Every passkey is unique and bound to the online service domain. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
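The registration and challenge-response flow described above, as an added Go example that is not code from this page or from the FIDO Alliance. It is a deliberately simplified model of WebAuthn: there is no attestation, no authenticator data or clientDataJSON, and the browser's job of deriving the relying-party ID from the page origin is reduced to a domain string handed to Sign. The domain names accounts.example and accounts-example.evil and the user name alice are made up for the demonstration; the type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: private keys are created here and
// never leave, filed under the service domain (relying-party ID) they belong to.
type Authenticator struct {
	keys         map[string]*ecdsa.PrivateKey
	userVerified bool // outcome of the local biometric / PIN / touch check
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair bound to rpID and hands back only
// the public half, which is all the online service ever stores.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData is what gets signed: the hash of the domain the device believes it
// is talking to, then the server's challenge. Both sides compute it independently.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], challenge...))
	return digest[:]
}

// Sign proves possession of the private key for rpID. It refuses without local
// user verification, and when no passkey exists for the domain presenting the challenge.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.userVerified {
		return nil, errors.New("user verification required")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RelyingParty models the online service: public keys only, one pending challenge per user.
type RelyingParty struct {
	ID         string
	publicKeys map[string]*ecdsa.PublicKey // user -> registered public key
	pending    map[string][]byte           // user -> challenge awaiting a signature
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, publicKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// NewChallenge issues 32 random bytes the device must sign to complete sign-in.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature with the stored public key over the service's own
// ID plus the outstanding challenge, which is consumed on every attempt so a
// captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	expected, ok := rp.pending[user]
	delete(rp.pending, user)
	pub, registered := rp.publicKeys[user]
	if !ok || !registered || !bytes.Equal(expected, challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	rp := NewRelyingParty("accounts.example") // made-up service domain
	auth := NewAuthenticator()
	pub, _ := auth.Register(rp.ID)
	rp.publicKeys["alice"] = pub
	auth.userVerified = true // the user passed the local biometric check
	c, _ := rp.NewChallenge("alice")
	sig, _ := auth.Sign(rp.ID, c)
	fmt.Println("genuine sign-in accepted:", rp.Verify("alice", c, sig))
	c, _ = rp.NewChallenge("alice")
	_, err := auth.Sign("accounts-example.evil", c) // challenge relayed by a look-alike site
	fmt.Println("phishing site obtained a signature:", err == nil)
}
```

Run it with go run. The two properties worth checking in a real deployment follow from the two places the domain enters the code: the authenticator refuses to sign when it holds no passkey for the domain presenting the challenge, and the service verifies over its own ID, so an assertion produced for a look-alike domain fails verification even if the user had registered a passkey there. The single-use server-side challenge is what stops a captured assertion from being replayed.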

Enrollment and Sign-in with FIDO

Enrolling a Passkey with an Online Service

Using a Passkey for Subsequent Sign-in

What is FIDO?

FIDO Authentication is the answer to the global password problem

Passwords, and other forms of legacy authentication such as SMS OTPs, are knowledge-based, a hassle to remember, and are easy to phish, harvest and replay.

Passwords are the root cause of over 80% of data breaches.

Users have more than 90 online accounts.

Average help desk labor cost for a single password reset is $70.

Up to 51% of passwords are reused.

FIDO Authentication, developed by the FIDO Alliance, is a global authentication standard based on public key cryptography.

FIDO Authentication provides a simpler user experience with phishing-resistant security

With FIDO Authentication, users sign in with phishing resistant credentials, called passkeys. Passkeys can be synced across devices or bound to a platform or security key and enable password-only logins to be replaced with secure and fast login experiences across websites and apps.

Passkeys are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.

FIDO allows users to simply sign in with passkeys across their devices with a biometric or a security key.