Understanding the cryptographic principles behind 패스키 helps appreciate why they are so secure. This article explains the technical foundations of 패스키 인증.
Public Key Cryptography Basics
패스키 are built on public key cryptography, also known as asymmetric cryptography. In this system, two mathematically related keys are generated: a private key that is kept secret and a public key that can be shared freely. Data encrypted with the public key can only be decrypted with the private key, and vice versa.
When you create a 패스키 for a service, your device generates a unique public-private key pair. The public key is sent to the service and stored on their 서버. The private key remains securely stored in your device’s secure enclave or TPM (Trusted Platform Module) and never leaves your device.
The 인증 Process
When you log into a service with a 패스키, the process works as follows. The service sends a challenge (a random string of data) to your device. Your device signs this challenge using your private key, producing a digital signature. The signed challenge is sent back to the service. The service verifies the signature using your stored public key. If the signature is valid, 인증 is successful.
Crucially, your private key never needs to be transmitted over the 네트워크. The service never sees your private key. This is fundamentally different from passwords, where your secret must be transmitted to the 서버 for comparison.
WebAuthn and FIDO2 Standards
패스키 are standardized through the WebAuthn API (Web 인증) developed by the W3C (World Wide Web Consortium) and the FIDO2 specifications from the FIDO Alliance. WebAuthn defines how browsers and web services interact with authenticators (your device’s 패스키 system).
CTAP (Client to Authenticator Protocol) defines how the browser communicates with external authenticators like hardware security keys. Together, these standards ensure that 패스키 work consistently across different platforms and browsers.
Secure Enclave and Hardware Protection
Modern devices protect private keys using dedicated hardware. Apple’s Secure Enclave, Google’s Titan M, and Microsoft’s TPM are isolated processors that handle cryptographic operations separately from the main CPU. Even if the operating system is compromised, private keys stored in these secure enclaves cannot be extracted.
Phishing Resistance Explained
패스키 are phishing-resistant because the WebAuthn protocol includes the origin (website domain) in the cryptographic challenge. A 패스키 created for example.com will not respond to an 인증 request from evil-example.com, because the domain embedded in the cryptographic material does not match.
This is a fundamental security advantage over passwords and even TOTP codes, which can be entered into any website regardless of its domain.
Summary
패스키 leverage decades of cryptographic research to provide 인증 that is both more secure and more usable than passwords. The combination of public key cryptography, hardware security, and domain-bound credentials creates a system resilient against the most common attack vectors.

