A short update from me on a topic I had to explore recently. Not an exhaustive guide but an introduction to a topic that is becoming ubiquitous. Passkeys aim to close the chapter on passwords, replacing them with a cryptographic system that is simpler for users and safer for everyone.

What Is a Passkey

A passkey is a cryptographic key pair that replaces a password. The private key stays securely on your device, while the public key is stored by the service you register with. When you log in, the service sends a random challenge that your device signs using the private key.

The signature is verified using the public key, and access is granted only if the signature is valid. The private key never leaves your device and cannot be shared across sites. This removes the two classic risks of credential theft and phishing.

Passkeys are part of the FIDO2 and WebAuthn standards, and are supported across all major ecosystems including Apple, Google, and Microsoft.

The WebAuthn Foundation

At the core of passkeys is WebAuthn, the Web Authentication API. It defines how browsers, authenticators, and servers communicate to register and use credentials.

A WebAuthn flow consists of two main parts:

Registration

• The authenticator (your phone, laptop, or hardware key) generates a new key pair.

• The public key is returned to the service and stored.

• The private key remains secured on the authenticator.

Authentication

• The service sends a unique challenge to the client.

• The authenticator signs the challenge with the private key.

• The server verifies the signature using the stored public key.

Each credential is scoped to a specific origin, meaning that a key created for example.com cannot be used on fake-example.com. This property makes phishing nearly impossible.

WebAuthn supports two types of authenticators:

Platform authenticators, built into a device (like Touch ID or Windows Hello).

Roaming authenticators, external devices like YubiKeys that can be used across machines.

The browser acts as the interface between your application and these authenticators. In JavaScript, the process is straightforward:

// Registration
const credential = await navigator.credentials.create({
  publicKey: publicKeyCreationOptions
});


// Authentication
const assertion = await navigator.credentials.get({
  publicKey: publicKeyRequestOptions
});

The browser and operating system handle the cryptography and user verification. Your backend only needs to store public keys and verify signatures, which can be done through existing libraries for Java, Node.js, Go, and others.

Implementation in Practice

To integrate passkeys in your app:

• Use WebAuthn on the client side for registration and authentication.

• Generate and store challenges securely server-side.

• Validate signatures using a WebAuthn or FIDO2 library.

• Update your login flow to support both passwords and passkeys during the transition.

Mobile and desktop platforms provide equivalent APIs through AuthenticationServices (iOS) and Credential Manager (Android).

Why It Matters

• Phishing resistance: Credentials are domain-bound and cannot be replayed.

• No password reuse: Each service has its own key pair.

• Hardware-backed security: Private keys live inside secure enclaves or TPMs.

• Faster user experience: Logins are completed with biometrics or device unlock.

Integration with Password Managers

Modern password managers such as 1Password, Bitwarden, iCloud Keychain, and Google Password Manager now support passkeys. They act as roaming authenticators, synchronizing passkeys across devices while keeping private keys encrypted.

This approach combines strong cryptography with usability. Users can log in from new devices without manually exporting keys, while developers avoid dealing with device-specific storage concerns.

Passkeys are not an experimental idea. They are live across browsers and platforms today. For developers, supporting them is mostly a matter of implementing WebAuthn and preparing authentication flows that work without passwords.

We have spent decades patching around passwords with multi-factor authentication, password complexity rules, and breach monitoring. Passkeys move the conversation forward by removing the weakest component altogether. They are not just a security upgrade — they are the logical endpoint of password evolution.

Articles I enjoyed this week

• Engineering Leader’s Guide: How to Become a Great Coach and Mentor by Engineering Leadership

• 4 Resources You Should Read to Get Better at Agentic Coding by The Growing Engineer

If you want to explore the underbelly of IT and follow the journey of a senior engineer and architect, subscribe to this newsletter and follow me on X.

If you find this content useful, feel free to support me with a coffee