Passkeys are a being talked about more and more recently, as a way to replace passwords for logging into web sites. They are a significant shift from password-based authentication, offering enhanced security through cryptographic key pairs while addressing common concerns about password storage, recovery, and practical usage.

But I found it confusing to understand what they are, how they work, and how to manage them. Here I'll explain what I found, and link to actual design papers, specifications and authoritative sources. There are many other sources you can read about passkeys: if my explanation is more confusing than helpful, I recommend you check those out, too.

How Passkeys Work

Passkeys are a set of commercially agreed conventions for using public/private key pairs for web service authentication, based on the W3C WebAuthn specification.

A passkey has two parts: a private key stored securely on your computer and a public key stored on the service's servers. The private key stays on your computer — it's stored in dedicated secure hardware like your iPhone's Secure Enclave, ARM TrustZone (Android), or your computer's Trusted Platform Module (TPM) processor. When you authenticate, your computer uses the private key to sign a challenge from the service, which verifies it using its corresponding public key.

Critically, each web service and account has their own unique, cryptographically linked passkeys. To use a passkey, you need the private key (kept in the device), and a way to unlock that key (a PIN/master password, or biometric access). This makes passkeys more secure than passwords, because the secrets are not shared with the consuming web services. It also makes passkeys more easy to use securely, since each is unique, but you have the same multi-factor authentication (something you have, and something you know, or are) for all of them.

Storage and Synchronisation Mechanisms

Passkeys can be stored in two ways: locally on individual computers or synced across computers through cloud services. Major platform providers like Apple (iCloud Keychain), Google (Password Manager), and Microsoft (Authenticator) offer sync capabilities, but the security model is more sophisticated than simple cloud storage.

When sync is enabled, your private keys are encrypted before leaving your computer. The cloud service stores only encrypted versions, with encryption keys derived from your account credentials and computer-specific information that the service provider cannot access. Even if the cloud service is breached, attackers would only obtain encrypted data without the keys needed to decrypt them.

Computer Loss and Recovery

If you lose a computer with synced passkeys, you can still authenticate from other computers signed into the same ecosystem. For non-synced passkeys, most services allow multiple passkeys per account — you can register separate keys on your laptop, phone, and other computers. Each generates its own unique private/public key pair, providing device redundancy without being dependent on a particular cloud ecosystem.

The sync process includes additional security measures. When accessing synced passkeys on a new computer, you typically need to verify possession of an existing trusted computer through PIN or biometric confirmation, creating a multi-factor authentication chain that prevents unauthorized access, even if your computer is stolen.

On trusting the Trusted Module

If you lose a computer with a passkey, you should revoke that key or device. The trusted modules in stolen computers are not impervious to forensic attack by criminals or law enforcement. There have been some documented methods to circumvent the TrustZone in Android devices, or the TPM in PCs, for example. But they are more difficult and expensive to crack than a password.

Similarly, if you expect your computer to be seized for forensic examination, you could try wiping RAM to prevent a cold-boot attack, but there are simple, inexpensive ways to circumvent that, too.

Security Advantages

Passkeys offer several security benefits over passwords. They're phishing-resistant because they're cryptographically bound to specific domains, making them unusable on fake sites.

Each service gets a unique passkey, eliminating password reuse risks.
The keys are cryptographically generated rather than human-memorable, making them unguessable and brute-force resistant
Each authentication creates a unique signature, preventing replay attacks.

Even if a service is breached, attackers only obtain public keys, which are useless without the corresponding private keys on your computers. The security model essentially inherits your computer's protection — an attacker with your stolen phone would need to bypass the lock screen and authentication for each use of the passkey, through biometrics or the computer passcode.

WebAuthn and Passkeys

WebAuthn is the underlying W3C web standard that defines browser-website communication for passwordless authentication. Passkeys are a specific implementation of WebAuthn with additional requirements around user experience, computer sync, and cross-computer authentication flows.

Browsers like Firefox support core WebAuthn functionality, using hardware security keys and platform authenticators, but may not provide the full synced passkey experience offered by Chrome, Safari, or Edge. This means you can still use WebAuthn-based authentication without cloud sync and without one of those browsers — the Firefox browser on each computer creates its own keys, and you can register multiple computers with the same account.

Practical Considerations

Many services allow more than one passkey per account, enabling strategic combinations: perhaps one synced across your primary computers for convenience, one stored locally on a computers' web browser, and one on a hardware security key for backup access. Before disabling the service's password authentication entirely, research the service's account recovery process, backup codes, and alternative verification methods.

The choice between synced and local-only passkeys depends on your priorities.

Synced passkeys offer convenience and automatic availability across computers, but require trust in the cloud provider's encryption implementation.
Local-only passkeys provide explicit control and no cloud dependency, but require manual setup on each computer and careful backup planning.

Ultimately, passkeys are a more secure authentication model than passwords, that ties your account security to your computer security — generally a significant improvement over traditional password practices, especially when combined with thoughtful backup and recovery planning.