Authentication & Identity
Passkeys
Passkeys are FIDO2/WebAuthn-based credentials that replace passwords entirely, using device-stored cryptographic keys synced via iCloud Keychain, Google Password Manager, or similar. When you authenticate, your device creates a cryptographic signature with the private key, which the server verifies with the stored public key. Passkeys are phishing-resistant by design since they are bound to the specific origin URL. They are being adopted by Apple, Google, Microsoft, and major websites as the successor to passwords.
Why it matters for your website
1. Directly impacts resistance to account takeover and credential theft
2. Required for SOC 2, HIPAA, and PCI-DSS compliance
3. Misconfiguration can expose all user accounts to attack