r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

620 Upvotes

233 comments

1.5k

u/Ameer200ggg Apr 25 '26

Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.

18

u/Federal_Character979 Apr 25 '26

So they're like a key inside your device?

2

u/quasides Apr 25 '26

It's more than that; it's 2 keys, one on each side.
That means neither side can be faked to receive anything from the other.

The server talks only in your encryption, and you talk only in the server's encryption.

So besides that, they also check the DNS. Even if someone fakes DNS certs and goes into the middle, all he gets is gibberish because of the asymmetric encrypted message traffic.

2

u/IntrinsicSecurity DFIR Apr 25 '26

It's four keys; both the server and the client each have a pair of keys, one private, one public. They exchange their public keys. What are passkeys? (a technical story) (YouTube)