Can someone explain to me how passkeys are more secure / better than passwords?
Passkeys are a cryptographic public key authentication system, similar to how SSH keys work.
Your password manager stores your passkeys. You must complete a private/public key pair challenge with the website you are trying to authenticate with in order to login using your passkey.
It changes the factor from “something you know” to “something you have”.
Most password managers require biometrics (something you are), or require a master password (something you know). Once this is paired up with a passkey (something you have), it means you are using multi-factor authentication to login, which is much stronger than using just username and password.
Wait does 2FA count as a passkey?
No, two factor authentication does not mean it is a passkey.
Email is something you know, but also something you have. You know the username and password to your inbox, but you have access to your inbox if you stay logged in, so this can be either factor. A phone number is something you have, so you can receive text messages with it as a factor. Passkeys are their own technology that fits into the something you have category. Once you have two of these factors combined, that's how you get the 2FA experience.
Got it, thank you.
A super basic explanation as I understand it.
With a passkey the server (like Google) only has half of the passkey, you have the other half.
So having the server half be made public is still safe, as it’s not useful on its own without the other half that you still have kept private.