Passkeys

Status: Final

Passkeys are discoverable FIDO2 credentials that sync across a user's devices through platform authenticators. They are the consumer and enterprise replacement for passwords — phishing-resistant, no shared secret, no server-side password hash.

---

What a Passkey Is

A passkey is a FIDO2 discoverable credential stored in a platform authenticator's sync fabric:

Platform	Storage	Sync Mechanism
Apple	iCloud Keychain	iCloud sync (E2EE)
Google	Google Password Manager	Google account sync
Microsoft	Windows Hello / Microsoft account	Microsoft cloud
Cross-platform	Third-party managers (1Password, Bitwarden)	Vendor cloud

The private key never leaves the secure enclave; only the synced credential handle travels through the cloud.

---

Security Model vs Passwords

Property	Password	Passkey
Phishable	Yes	No (origin-bound)
Reusable across sites	Yes (credential stuffing)	No (separate key per site)
Server-side breach impact	Password hash leaked	Only public key leaked (useless)
Requires remember/rotate	Yes	No
Recoverable	Only if you know it	From cloud backup

---

Enterprise Passkeys

Microsoft Entra ID supports device-bound passkeys (hardware-based, non-syncable) as a phishing-resistant MFA method for high-assurance scenarios. This is distinct from syncable passkeys — enterprise policy can enforce non-syncable hardware-backed credentials.

---

Attack Considerations

Attack	Passkey Resistance
Real-time phishing proxy (AiTM)	Resistant — signed response is origin-bound
Malware on enrolled device	Vulnerable if malware can invoke the platform authenticator in the user's session
iCloud / Google account compromise	Syncable passkeys can be accessed if sync account is compromised
Social engineering key recovery	Vulnerable to account recovery flows if recovery is weak

---

Cross-Links

Topic	Link
FIDO2 / WebAuthn	fido2-webauthn
Smart Cards	smart-cards
MFA Technologies	mfa-technologies