What exactly is a "passkey," and how does it relate to WebAuthn and FIDO2?
A passkey is the consumer-friendly name for a FIDO2/WebAuthn credential — a per-account public/private key pair generated and stored by your device, used to log in by signing a challenge instead of typing a password.
"Passkey" is the marketing term Apple, Google, Microsoft and the FIDO Alliance adopted for the credentials that the WebAuthn API creates. Under the hood it is exactly the WebAuthn/FIDO2 mechanism described above:
- The device (or a security key, or a password manager) generates a key pair per account.
- Only the public key is registered with the web service; the private key stays on the device.
- Login works by the service sending a random challenge, the device signing it with the private key, and the service verifying the signature with the stored public key.
Per the c't reporting (mid-2023), passkeys were already usable at services like Adobe, GitHub, Google and Microsoft.
Tip: "Passkey" = the brand; "WebAuthn" = the browser API; "FIDO2" = the underlying standard family. Same technology, three names for three audiences.
Go deeper:
FIDO Alliance: Passkeys — the standards body's own definition of passkeys and how they relate to FIDO2/WebAuthn.