LOGBOOK

HELP

Quiz Entry - updated: 2026.06.24

How does passkey authentication work, and why is "NO shared secret" its biggest advantage?

The device holds a private key and signs a server challenge with it; the server verifies with the stored public key — it never knows any secret, so there's nothing to steal or phish.

The passkey flow:

  1. User requests login; the server sends a random Authentication Challenge.
  2. The user unlocks the private key locally (fingerprint / Face ID / PIN).
  3. The device signs the challenge with the private key.
  4. The server verifies the signature with the user's public key → login complete.

The private key never leaves the device; the server stores only the public key, which is useless to an attacker.

Why this beats passwords:

  • No shared secret — a server breach exposes only public keys (no value).
  • Phishing-resistant — the credential is bound to the real site's origin, so a fake site can't get a usable response.
  • Nothing reusable is transmitted — only a one-time signature over a fresh challenge.

Tip: Passkeys are the same public/private-key idea as a digital signature, applied to login: the server sends a challenge, you sign it with your private key, the server verifies with your public key. "Prove you have the private key, without ever revealing it."

From Quiz: ISF / Integrity & Content Authenticity (C2PA) | Updated: Jun 24, 2026