Learn about Tech in SPS
Passkeys replace passwords by using public key cryptography instead of shared secrets. They consist of a key pair (public and private) and are based on the FIDO2/WebAuthn standard. Like other public key systems (PGP, SSH keys, or SSL certificates), the public key is shared while the private key remains secret.
There are two main types of Passkeys: device-bound and synced. Both types are significantly more secure than passwords and resistant to phishing, but they offer different trade-offs between security and convenience.
With Platform Passkeys, the private key is stored in a Secure Enclave or a Trusted Platform Module (TPM) on your device. The Secure Enclave and TPM are hardware-isolated, preventing even your operating system from directly accessing them. Instead, you use a special authentication API to make calls. There is no direct memory access to these keys unless an exploit is discovered.
Think of a Secure Enclave or a Trusted Platform Module as a small, isolated computer inside your device, because that's what they are! They have their own processor and operating system, and they are completely isolated from the rest of the device. They only release signatures and never release secrets (and aren't even capable of doing so, under normal circumstances).
Synced Passkeys store the private key in encrypted form within a password manager or platform keychain (like iCloud Keychain, Google Password Manager, or 1Password).
These passkeys are designed to be backed up and synchronized across your devices for convenience. While the keys are encrypted during storage and transit, they're not permanently bound to a single hardware chip.
This makes them more flexible and user-friendly, though they rely on the security of your account and the encryption used by the syncing service rather than hardware isolation.
1. You visit a website and try to log in.
2. The server sends a randomized challenge string.
3. Your device's authenticator signs that challenge using the private key.
4. That signature gets sent back to the server.
5. The server verifies the signature using the public key it has on file.
- No shared secrets, so there's nothing on the server that's useful to steal.
- They're phishing resistant: the browser (or other client) ensures the origin matches before allowing authentication.
- No replay attacks because the server issues a new randomized challenge string every time.
- No credential stuffing because each passkey is unique to the service it's generated for.
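The five steps and the properties listed above, as an added Node.js example that is not from the original page: a simplified WebAuthn-style assertion check showing the server-side challenge, origin and signature checks. The relying-party ID `example.test`, the origins and every function name are assumptions; real authenticator data also carries flags and a signature counter, which are left out here.

```javascript
const nodeCrypto = require('crypto');

const RP_ID = 'example.test';                   // assumed relying-party ID
const EXPECTED_ORIGIN = 'https://example.test'; // assumed site origin
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Registration: one key pair per service; the server keeps only publicKey.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const pendingChallenges = new Set(); // server side, each challenge is single use

function issueChallenge() { // step 2
  const challenge = nodeCrypto.randomBytes(32).toString('base64url');
  pendingChallenges.add(challenge);
  return challenge;
}

// Steps 3-4: the browser records the origin it actually sees in clientDataJSON;
// the authenticator signs authData || SHA-256(clientDataJSON).
// A real browser would not offer this credential on another origin at all;
// this simulation signs anyway so the server-side check stays visible.
function authenticatorSign(challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge, origin: browserOrigin }));
  const authData = sha256(new URL(browserOrigin).hostname); // rpIdHash only
  const signature = nodeCrypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Step 5: the server checks challenge, origin and RP ID, then the signature.
function verifyAssertion({ clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (!pendingChallenges.delete(client.challenge)) return 'unknown-or-replayed-challenge';
  if (client.origin !== EXPECTED_ORIGIN) return 'origin-mismatch';
  if (!authData.equals(sha256(RP_ID))) return 'rp-id-mismatch';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const good = authenticatorSign(issueChallenge(), EXPECTED_ORIGIN);
  const first = verifyAssertion(good);   // fresh challenge, correct origin
  const replay = verifyAssertion(good);  // same response submitted again
  const lookalike = verifyAssertion(     // constructed lookalike origin
    authenticatorSign(issueChallenge(), 'https://examp1e.test'));
  return { first, replay, lookalike };
}
```

Calling `demo()` returns the verdict for a valid login, a replayed response and a response produced on a lookalike origin.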
Not exactly. Really, Passkeys change what MFA means:
Traditional MFA: Something you know (password), plus something you have (phone/security key), plus something you are (biometrics/PIN). Typically requires multiple steps.
Passkeys: Combine multiple factors into a single authentication act. Something you have (device/authenticator), plus something you are OR something you know (biometric/PIN). This happens in one streamlined step.
Passkeys are inherently multi-factor, but they feel simpler because the factors are combined into a single step.