The principle is similar to SSH keys.
This article was converted by SimpRead; the original URL is liaoxuefeng.com
At its 2022 WWDC conference, Apple announced passwordless login via a feature called Passkey for iOS devices. Apple translated this term as “passkey” and later extended support to macOS. Google and Microsoft subsequently announced Passkey support for Android and Windows systems.
So, what exactly is a passkey? How does it differ from traditional login methods?
Let’s first revisit the most basic login method—password-based login:
┌──── Sign in ─────────────┐
│                          │
│    ┌────────────────┐    │
│    │bob@example.com │    │
│    └────────────────┘    │
│    ┌────────────────┐    │
│    │********        │    │
│    └────────────────┘    │
└──────────────────────────┘
Password-based login requires users to set a strong password: weak passwords are easily cracked, while strong ones are hard to remember. Many websites mandate that registered passwords include uppercase and lowercase letters, digits, and special characters—purely adding friction for users.
By contrast, logging in with a Passkey eliminates the need to enter any password; you simply click “Sign in with Passkey” to complete authentication instantly.
But how does this passwordless login actually work—and why is it so magical?
In fact, the core technology behind Passkeys is remarkably simple and straightforward: authentication is achieved using asymmetric-key digital signatures.
┌─────────────────────┐           ┌──────────────────────┐
│       Client        │           │        Server        │
│  ┌───┬───────────┐  │ signature │  ┌─────┬──────────┐  │
│  │bob│private key│──┼───────────┼─▶│bob  │public key│  │
│  └───┴───────────┘  │           │  ├─────┼──────────┤  │
└─────────────────────┘           │  │alice│public key│  │
                                  │  └─────┴──────────┘  │
                                  └──────────────────────┘
During Passkey login, the website stores the user’s public key, while the private key resides securely on the user’s local device (e.g., computer or smartphone). The client signs a challenge using the private key and sends the signature to the server, which verifies the signature against the stored public key—successful verification completes the login.
Because asymmetric cryptography is currently the strongest widely available cryptographic technique, Passkey-based login is, for all practical purposes, unbreakable given today’s computational capabilities, effectively offering 100% security.
Next, let’s explore how to use Passkeys to log into websites. The following demonstration uses macOS and the Safari browser.
Using Passkeys involves two steps: registering the public key and signing in with one click.
Registering the public key means storing the user’s public key on the server, which is a one-time setup. The server has to know which user the key belongs to before it can register it, so initial registration still requires a traditional login. For example, log into www.liaoxuefeng.com via OAuth, then go to the top-right corner and choose User → Passkey → Register New Passkey. The browser then asks whether to save the Passkey to iCloud.
Select Continue. The browser first saves the private key locally, then transmits the public key to the server. The public key is then shown as bound to your account.
At this point, the Passkey is ready for use.
After signing out, attempt to sign back in using the Passkey option.
Click Sign in with Passkey. The browser displays a dialog asking whether to use the saved Passkey to authenticate with the site.
Select Continue, and login succeeds!
If you’re signed into the same Apple ID on both iPhone and Mac, iCloud automatically synchronizes your Passkey across devices. Therefore, when using the system browser on your iPhone, you can also sign in directly with Passkey.
That’s all there is to Passkey login—simple and seamless!
Advantages
Passkey login offers exceptional security with no feasible attack vectors. Moreover, when Passkeys are stored locally, they are intrinsically bound to the associated website domain—fundamentally preventing phishing attacks. A given Passkey works exclusively for its registered domain and cannot be reused across multiple sites.
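The challenge signature exchange and the domain binding described above can be modelled in a few lines of Node.js. This is an added example, not code from the original article or from any passkey implementation, and it is a simplified model rather than the WebAuthn message format; the origin https://example.com, the look-alike origin and all function names are assumptions made for the illustration.

```javascript
// Simplified passkey model: NOT the WebAuthn message format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const RP_ORIGIN = 'https://example.com'; // constructed site origin (assumption)
const publicKeys = new Map();            // server: username -> public key
const pendingChallenges = new Set();     // server: issued, not yet used

// Client-side key store: one private key per origin; it never leaves this closure.
function makeAuthenticator() {
  const keysByOrigin = new Map();
  return {
    register(origin) {
      const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
      keysByOrigin.set(origin, privateKey);
      return publicKey; // only the public key is sent to the server
    },
    // `origin` is supplied by the browser, not by the page, and is signed.
    signChallenge(origin, challenge) {
      const privateKey = keysByOrigin.get(origin);
      if (!privateKey) return null; // no passkey registered for this origin
      const clientData = JSON.stringify({ origin, challenge });
      return { clientData, signature: sign('sha256', Buffer.from(clientData), privateKey) };
    },
  };
}

function issueChallenge() {
  const challenge = randomBytes(32).toString('hex');
  pendingChallenges.add(challenge);
  return challenge;
}

function verifyLogin(username, assertion) {
  const publicKey = publicKeys.get(username);
  if (!publicKey || !assertion) return false;
  const { origin, challenge } = JSON.parse(assertion.clientData);
  if (origin !== RP_ORIGIN) return false;                 // signed for another site
  if (!pendingChallenges.delete(challenge)) return false; // unknown or already used
  return verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

// Constructed run: register, sign in, replay the same assertion, then a look-alike origin.
const device = makeAuthenticator();
publicKeys.set('bob', device.register(RP_ORIGIN));
const assertion = device.signChallenge(RP_ORIGIN, issueChallenge());
console.log(verifyLogin('bob', assertion)); // first use of the challenge
console.log(verifyLogin('bob', assertion)); // replay of the same assertion
console.log(device.signChallenge('https://examp1e.com', issueChallenge())); // look-alike
```

Because each challenge is single-use and the origin is part of the signed data, a captured signature is useless for a second login, and a page on another domain never gets a signature from this key at all.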
Usage Limitations
Since Passkey login relies on asymmetric-key digital signatures, where is the private key stored?
The private key resides within the operating system’s built-in key manager. Browsers interact with the OS through dedicated APIs to perform signing operations—meaning both the OS and browser must natively support Passkeys. Safari—the default macOS browser, developed by Apple—integrates seamlessly with macOS’s native Passkey functionality. In contrast, Chrome currently cannot directly interface with macOS’s Passkey system. Instead, it displays a QR code that can be scanned using an iPhone camera to complete login—an indirect workaround, albeit slightly less convenient. Nevertheless, full direct OS-browser Passkey interoperability across all major browsers is inevitable in the near future.
How to Delete a Passkey
A Passkey can be invalidated either by deleting it from the server (i.e., removing the stored public key) or by deleting it from the local device (i.e., removing the private key).
To delete a Passkey from the server, sign into the website and locate the relevant settings page to remove it. To delete it locally on a Mac, open System Settings → Passwords, right-click the listed website, and select Delete.




