
Passkeys & Authentication

The authentication landscape is shifting from shared secrets to public-key cryptography. Understand how passkeys, WebAuthn, and FIDO2 are redefining secure access, and how decentralized identity complements these frameworks.

From Passwords to Passkeys

Passwords are a broken authentication primitive. They can be phished, leaked, reused, and guessed. Multi-factor authentication mitigates some risks but adds friction and still relies on shared secrets. Passkeys solve this by replacing shared secrets with public-private key pairs. The private key never leaves the user's device; the public key is registered with the service.

Passkeys are built on the FIDO2 standards (WebAuthn + CTAP). When a user creates a passkey, their device generates a key pair. During authentication, the service sends a fresh challenge and the device signs it with the private key, proving possession without sending any secret over the network. Because the credential is bound to the service's domain (the relying party ID) and each challenge is used only once, this eliminates phishing, credential theft, and replay attacks entirely.

Platform vs. Roaming Passkeys

Platform Passkeys

Bound to a single platform ecosystem (iCloud Keychain, Google Password Manager, Windows Hello). Synced across devices via the vendor's cloud. Best for consumer use within a single ecosystem.

Roaming (Cross-Platform) Passkeys

Stored on a hardware security key or in a third-party password manager that works across platforms. Can be used on any device with a USB/NFC security key or cross-platform credential manager.

How WebAuthn Works

// Registration: the browser asks the authenticator to create a new key pair.
// The challenge and user.id are byte arrays generated on the server; the
// elided values ([...]) must be random, never derived from user data.
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array([...]),                // server-generated, single use
    rp: { name: "Example Corp", id: "example.com" }, // the credential is bound to this domain
    user: {
      id: new Uint8Array([...]),                     // opaque user handle, not an email or username
      name: "jane@example.com",
      displayName: "Jane Citizen"
    },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }] // COSE -7 = ES256 (ECDSA P-256 with SHA-256)
  }
});
// credential.rawId and credential.response (attestation object containing the public key)
// are sent to the server, which stores the public key against the user; the private key
// never leaves the authenticator.

// Authentication: the authenticator signs a fresh challenge with the stored private key.
const assertion = await navigator.credentials.get({
  publicKey: {
    challenge: new Uint8Array([...]),                // new random value for every login attempt
    rpId: "example.com",                             // must match the rp.id used at registration
    allowCredentials: [{
      type: "public-key",
      id: credential.rawId                           // credential id saved at registration
    }]                                               // may be omitted for discoverable passkeys
  }
});
// assertion.response (authenticatorData, clientDataJSON, signature) is sent to the server,
// which verifies the signature with the stored public key before creating a session.

WebAuthn API calls for passkey registration and authentication. The private key never leaves the device.

Passkeys + Verifiable Credentials

Passkeys authenticate the device/user to a service. Verifiable Credentials communicate attributes about the user. Together, they form a complete authentication and authorization stack:

Further Reading