Understanding the cryptographic principles behind passkeys helps appreciate why they are so secure. This article explains the technical foundations of passkey authentication.
Public Key Cryptography Basics
Passkeys are built on public key cryptography, also known as asymmetric cryptography. In this system, two mathematically related keys are generated: a private key that is kept secret and a public key that can be shared freely. Data encrypted with the public key can only be decrypted with the private key, and vice versa.
When you create a passkey for a service, your device generates a unique public-private key pair. The public key is sent to the service and stored on their server. The private key remains securely stored in your device’s secure enclave or TPM (Trusted Platform Module) and never leaves your device.
The Authentication Process
When you log into a service with a passkey, the process works as follows. The service sends a challenge (a random string of data) to your device. Your device signs this challenge using your private key, producing a digital signature. The signed challenge is sent back to the service. The service verifies the signature using your stored public key. If the signature is valid, authentication is successful.
Crucially, your private key never needs to be transmitted over the network. The service never sees your private key. This is fundamentally different from passwords, where your secret must be transmitted to the server for comparison.
WebAuthn and FIDO2 Standards
Passkeys are standardized through the WebAuthn API (Web Authentication) developed by the W3C (World Wide Web Consortium) and the FIDO2 specifications from the FIDO Alliance. WebAuthn defines how browsers and web services interact with authenticators (your device’s passkey system).
CTAP (Client to Authenticator Protocol) defines how the browser communicates with external authenticators like hardware security keys. Together, these standards ensure that passkeys work consistently across different platforms and browsers.
Secure Enclave and Hardware Protection
Modern devices protect private keys using dedicated hardware. Apple’s Secure Enclave, Google’s Titan M, and Microsoft’s TPM are isolated processors that handle cryptographic operations separately from the main CPU. Even if the operating system is compromised, private keys stored in these secure enclaves cannot be extracted.
Phishing Resistance Explained
Passkeys are phishing-resistant because the WebAuthn protocol includes the origin (website domain) in the cryptographic challenge. A passkey created for example.com will not respond to an authentication request from evil-example.com, because the domain embedded in the cryptographic material does not match.
This is a fundamental security advantage over passwords and even TOTP codes, which can be entered into any website regardless of its domain.
Summary
Passkeys leverage decades of cryptographic research to provide authentication that is both more secure and more usable than passwords. The combination of public key cryptography, hardware security, and domain-bound credentials creates a system resilient against the most common attack vectors.

