Passkey Frequently Asked Questions
What is a Passkey?
Passkeys are like passwords, but better. They’re better because they aren’t chosen (and reused) by humans, and because they use public key cryptography: the private key is generated by and stays on the authenticator, and the service only stores the matching public key, so nothing reusable leaks if the service is breached.
But passkeys aren’t a new thing. It’s just a new name starting to be used for WebAuthn/FIDO2 credentials that enable fully passwordless experiences. These types of credentials are also called discoverable credentials, or sometimes resident credentials.
We like the new term and will use it, because it helps people understand they’re a password replacement with a simple term. “Passkey” is much more understandable by most people than “discoverable WebAuthn/FIDO credential.”
The first public mention of the term passkey to a wide audience was by Apple at a WWDC2021 talk where they introduced a “Passkeys in iCloud Keychain” technology preview to developers.
Passkeys refer only to WebAuthn/FIDO credentials. This does not include the many other keys and protocols, such as PIV, OTP, or OpenPGP Card, that are available in the YubiKey 5 Series.
Is ‘passkey’ the new name for FIDO and WebAuthn credentials?
Passkey is a term that the industry is rallying around for FIDO credentials that can fully replace, rather than only augment, passwords. These are called resident or discoverable credentials in the specs. We think “passkey” is a better term than “discoverable WebAuthn/FIDO credential,” because it evokes its ability to replace passwords in an accessible way.
Passkeys in YubiKeys have been supported since discoverable credentials were added in the WebAuthn/FIDO standards around 2018. However, it’s important to note that passkeys in YubiKeys are not copyable, meaning the passkey is bound to the YubiKey.
See below question: “How are passkeys different from YubiKeys?” for additional information.
Why is the term passkey in the news a lot recently?
Some Platform/OS vendors started shipping support for fully passwordless experiences using external authenticators like YubiKeys (and also using the security-focused hardware built into their devices, such as TPMs) as early as 2019.
Since early 2023, many Platform/OS vendors and service providers have added support for passkeys. Password managers have also added support for storing and using passkeys.
Expect to see a lot more about passkeys from platform vendors such as Apple, Google, and Microsoft, as well as from external authenticator vendors such as Yubico, in the news as the implementations evolve.
How are passkeys different from YubiKeys?
YubiKeys can contain passkeys.
YubiKeys have had the ability to create these passwordless-enabled FIDO2 credentials (passkeys) since the YubiKey 5 Series became available in mid-2018. Currently, YubiKeys can store a maximum of 25 passkeys. We are evaluating increasing this in the future because of the likely increase in fully passwordless experiences across the web that require them.
They’re different because copyable passkeys aren’t stored on dedicated hardware and will be automatically synced using the credentials for the underlying cloud account, whereas passkeys in YubiKeys are bound to the YubiKey’s physical hardware where they can’t be copied.
What terms will Yubico use to talk about passkeys?
We like the term passkey and plan to use it. Because many things are being talked about at the same time, we will try to use terminology consistently to make the differences or similarities clear depending on the situation. This is still a work in progress across the industry, and we will adapt as things change.
The first differentiator between different types of passkeys is whether they can be copied or synchronized. These copyable passkeys are often called “multi-device,” “syncable,” “backup enabled,” “shareable,” or similar terms. We prefer to use “copyable” because it clearly describes what can be done with the credential, but it does not imply any goodness or badness and does not use overloaded or confusing terms.
We prefer to use “device-bound” to describe passkeys that can’t be copied, because it aligns with the terminology the rest of the industry is using to describe passkeys. Device-bound passkeys are tied to a specific device and can’t be copied or synchronized.
Once you know a passkey is device-bound, the next step is describing what kind of device it’s bound to. Some device-bound passkeys are bound to general purpose computing devices like a smartphone, a laptop, or even a desktop computer. A passkey stored on a YubiKey, on the other hand, is device-bound to a portable, purpose-built security device: a security key.
Some of these terms are easily confused with the WebAuthn/FIDO concept of an authenticator’s “attachment”, which can have the values “platform” (an authenticator built into the device the browser runs on) or “cross-platform” (a roaming authenticator such as a security key). These values describe how the authenticator is attached to the system and provide a way for a web site to tell a browser where to look for a passkey, but they don’t reveal anything about the passkey itself, such as whether it can be copied.
What are the security tradeoffs between copyable and device-bound passkeys?
Device-bound passkeys on portable, purpose-built security devices like YubiKeys are the “gold standard” for modern, phishing-resistant authentication and security. They are very easy to reason about and build systems around; no device, no access. However, for consumers registering credentials to many sites, managing multiple authenticators so you have an up-to-date backup can present challenges.
Copyable passkeys can make it easier to recover an account in the event of a lost device (as long as the user can obtain another device that works with the cloud syncing service they used). Using that copyable credential proves that there was access to a device which was logged into the user’s cloud account. This can be a useful additional signal, but it does not provide the same level of security as a device-bound passkey.
How can organizations tell what type of passkeys are used to authenticate to their services?
Security keys like the YubiKey are capable of providing attestation information during registration. Note that attestation is only delivered when the service asks for it in the registration request; the WebAuthn default is to request none. Services that process and store attestation information can determine information about the manufacturer, capabilities, and certifications of the security key that created a passkey. This information can help service providers detect counterfeit devices or provide guidance to users about how their passkey is stored. For more detailed information about how to handle attestation, see the Yubico Passkey Workshop’s section on attestation.
What is Yubico’s overall guidance about passkeys?
- We hope that a consumer focused push about passkeys will entice more services to enable support for WebAuthn/FIDO.
- Copyable passkeys offer roughly the same security as “Sign-in with Google/Apple,” plus an additional key sync password.
- Today, banks, enterprises, and those wanting or needing high security do not rely solely on the security of cloud accounts provided by Sign-in with Google/Apple via federated login protocols like SAML, OpenID Connect, or OAuth. Even if copyable passkeys are used to provide that association instead, the security provided will still be insufficient for high security needs.
- The multitude of high security use cases faced by many organizations need more protocols than just FIDO. These organizations need the security guarantees and cryptographic attestations provided by hardware backed credentials to know their systems are safe and to be able to prove it.
- Attestation is also the only way to achieve high confidence that a given credential is device-bound and stored on purpose-built hardware.
- Services should continue to request, store, and use attestation information to make risk decisions based on the type of credential that is used. Our guidance on attestation is provided in more detail on our developer site.
- More use of WebAuthn/FIDO hopefully means that eventually fewer people will use username and password-based systems, and fewer services will have to build and secure these dangerous systems.
We are happy that the standards we co-created and have worked on improving for years are seeing even wider adoption, and we are hopeful that these motions will continue to reduce harm and advance our mission to make the internet safer for all.
For more specific passkey guidance for service providers, see Passkey Best Practices for Service Providers.
Can passkeys replace a password as well as another authentication factor?
Absolutely, yes! Passkeys have been described as a “password replacement”, which is true, but it frequently misses that passkeys can also replace the push notification, MFA code, or SMS notification that are often used to bolster password security.
Passkeys combine two authentication factors. The first is always something you have, which is the passkey itself.
The second may be one of:
- Something you know, which is a PIN, or a device passcode.
- Something you are, measured by a biometric sensor like a fingerprint sensor or Face ID.
The combination of these factors, as well as the phishing-resistant nature of FIDO2/WebAuthn, make passkeys more secure than passwords combined with traditional MFA.
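To make the two points above concrete, the question “How can organizations tell what type of passkeys are used to authenticate to their services?” and the factors listed in this answer, here is an added Python example (it is not Yubico’s code and does not appear on the original page). It parses the authenticator data that a WebAuthn registration returns and reads the flags a relying party can act on: UV (the PIN or biometric second factor was checked), BE/BS (the authenticator reports the credential as backup-eligible and backed up, i.e. copyable) and the AAGUID identifying the authenticator model. The RP ID, AAGUIDs, credential IDs and COSE key bytes are constructed for the example; the policy thresholds in registration_policy are assumptions. It deliberately stops short of verifying the attestation statement and certificate chain, which is what turns these self-reported flags and the AAGUID into something you can trust.

```python
"""Parse WebAuthn registration authenticator data and classify the passkey.

Authenticator data layout (WebAuthn spec):
  rpIdHash(32) || flags(1) || signCount(4, big-endian) || attestedCredentialData
attestedCredentialData:
  aaguid(16) || credentialIdLength(2, big-endian) || credentialId || COSE public key
Flag bits: UP=0x01 user present, UV=0x04 user verified, BE=0x08 backup eligible,
BS=0x10 backup state, AT=0x40 attested credential data present, ED=0x80 extensions.
"""
import hashlib
import struct
import uuid

UP, UV, BE, BS, AT, ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Validate the fixed header, then extract the fields an RP uses at registration."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags & UP:
        raise ValueError("user presence flag not set")
    if not flags & AT:
        raise ValueError("registration response lacks attested credential data")
    if flags & BS and not flags & BE:
        raise ValueError("BS set without BE is not a valid combination")
    body = auth_data[37:]
    if len(body) < 18:
        raise ValueError("attested credential data truncated")
    aaguid = uuid.UUID(bytes=body[:16])
    (cred_id_len,) = struct.unpack(">H", body[16:18])
    cred_id = body[18:18 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("credential ID truncated")
    return {
        "aaguid": str(aaguid),
        "credential_id": cred_id.hex(),
        "sign_count": sign_count,
        "user_verified": bool(flags & UV),     # PIN/biometric factor was checked
        "backup_eligible": bool(flags & BE),   # authenticator says it may be synced
        "backed_up": bool(flags & BS),         # authenticator says it is synced now
        # BE=0 is how an authenticator reports a device-bound credential.
        "storage": "copyable" if flags & BE else "device-bound",
    }


def registration_policy(info: dict, require_device_bound: bool, require_uv: bool) -> tuple:
    """Assumed RP policy: returns (accepted, reason). Trust these fields only after
    the attestation statement has been verified; the flags are authenticator-reported."""
    if require_uv and not info["user_verified"]:
        return False, "user verification (PIN or biometric) was not performed"
    if require_device_bound and info["storage"] != "device-bound":
        return False, "copyable passkey rejected by policy"
    return True, "accepted"


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: uuid.UUID,
                    cred_id: bytes, cose_key: bytes) -> bytes:
    """Assemble constructed authenticator data for the samples below."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


# Constructed minimal COSE EC2/P-256 key CBOR; coordinates are filler, not a real point.
COSE_KEY = (bytes.fromhex("a5010203262001215820") + b"\x11" * 32
            + bytes.fromhex("225820") + b"\x22" * 32)
RP_ID = "example.com"
# Constructed AAGUIDs; they do not identify any real authenticator model.
DEVICE_BOUND_SAMPLE = build_auth_data(
    RP_ID, UP | UV | AT, 5, uuid.UUID("00000000-0000-4000-8000-000000000001"),
    b"\x01" * 16, COSE_KEY)
SYNCED_SAMPLE = build_auth_data(
    RP_ID, UP | UV | BE | BS | AT, 0, uuid.UUID("00000000-0000-4000-8000-000000000002"),
    b"\x02" * 20, COSE_KEY)

if __name__ == "__main__":
    for sample in (DEVICE_BOUND_SAMPLE, SYNCED_SAMPLE):
        info = parse_authenticator_data(sample, RP_ID)
        print(info["storage"], registration_policy(info, True, True))
```

Running it prints that the first sample is device-bound and accepted while the second is copyable and rejected under a device-bound-only policy. The check that rpIdHash matches is what makes the response specific to your origin; the BE/BS and AAGUID fields are only as trustworthy as the attestation you verify alongside them, which is why the page recommends requesting and storing attestation.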