API Marketplace

Solutions

Resources

Our Company

Book a Demo

← Back to Glossary

Passkeys (WebAuthn)

Overview

Passkeys are phishing-resistant credentials based on the FIDO2/WebAuthn standard that replace passwords with public-key cryptography.A unique key pair is created per site: the private key stays on the user’s device (often secured by biometrics or PIN), while the public key sits with the service. Authentication proves possession of the private key without revealing it, eliminating password reuse, credential stuffing, and most phishing vectors.

Passkeys can sync across trusted device clouds or be stored on hardware keys for portability. In regulated environments, they help satisfy strong customer authentication (e.g., PSD2), align with NIST guidance, and reduce fraud/ATO rates while improving UX. Enterprises typically deploy passkeys alongside device attestation, policy checks, and recovery paths to ensure continuity when devices are lost or replaced.

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

Biometric Verification

Authenticate users with facial, fingerprint, and liveness biometrics powered by AI to prevent identity spoofing and fraud.

One Touch KYC

Launch global KYC flows with built-in document OCR, liveness checks, deepfake detection, and AML, all through a single, customizable dashboard.

Database Verification

Instantly verify user information by connecting to trusted databases across jurisdictions for accurate, compliant, and faster onboarding.

Related Terms

WebAuthn

Multi-factor Authentication (MFA)

FIDO Authentication

FAQ

How do passkeys work?

They use asymmetric crypto: your device signs a challenge with a private key bound to that site; the server verifies with the public key. No shared secret means nothing exploitable is transmitted or stored.

Why are passkeys stronger than passwords + OTP?

They’re origin-bound and phishing-resistant, so even perfect phishing pages can’t steal them. OTPs can be SIM-swapped or phished; passkeys can’t be replayed.

How do we roll them out safely?

Support platform authenticators (iOS/Android/Windows/macOS), offer hardware keys for high-risk roles, and provide secure recovery/fallbacks (e.g., re-proofing, backup codes).

Any limitations to plan for?

Cross-platform portability, device loss, and legacy browser/app support. Maintain break-glass flows and monitor adoption/attestation metrics.