Quiz Entry - updated: 2026.06.24
How does passkey authentication work, and why is "NO shared secret" its biggest advantage?
The device holds a private key and signs a server challenge with it; the server verifies with the stored public key — it never knows any secret, so there's nothing to steal or phish.
The passkey flow:
- User requests login; the server sends a random Authentication Challenge.
- The user unlocks the private key locally (fingerprint / Face ID / PIN).
- The device signs the challenge with the private key.
- The server verifies the signature with the user's public key → login complete.
The private key never leaves the device; the server stores only the public key, which is useless to an attacker.
Why this beats passwords:
- No shared secret — a server breach exposes only public keys (no value).
- Phishing-resistant — the credential is bound to the real site's origin, so a fake site can't get a usable response.
- Nothing reusable is transmitted — only a one-time signature over a fresh challenge.
Tip: Passkeys are the same public/private-key idea as a digital signature, applied to login: the server sends a challenge, you sign it with your private key, the server verifies with your public key. "Prove you have the private key, without ever revealing it."