Passkeys

Passkeys, built on the FIDO2 standards, replace traditional passwords with cryptographic key pairs, offering a secure, passwordless login experience while providing robust protection against phishing, credential theft, and other cyber attacks. They rely on two primary components of the FIDO2 framework: WebAuthn and CTAP. WebAuthn is the W3C web API that lets websites and applications register and authenticate users with public-private key pairs, while CTAP (Client to Authenticator Protocol) carries the requests between the client (browser or operating system) and the authenticator, whether that is an external device such as a USB security key or a built-in one such as a biometric sensor like Touch ID.

Passkeys (FIDO2) deliver phishing-resistant, passwordless authentication that meets NIST Authenticator Assurance Level 3 (AAL3), ensuring a high level of security. These passkeys can be stored on a variety of devices or hardware security tokens, including smart cards, USB keys, or NFC-enabled devices, granting users seamless access to federal services and other secure applications. By eliminating the risks associated with password reuse and phishing, passkeys represent a significant advancement in digital security. They are an essential part of the evolving landscape of online authentication, enhancing both user convenience and overall cybersecurity.

The Unifyia platform enables the issuance of passkeys (FIDO2) across various form factors, catering to different devices, user preferences, and security requirements. When choosing a form factor, organizations should consider factors such as usability, portability, security, and recovery options. The supported form factors typically include three main categories: platform authenticators (device bound), cross-platform (roaming) authenticators, and digital wallets.

How do Passkeys (FIDO2) Work?

  • Public-private key cryptography: When a user registers for a service using passkeys (FIDO2), the device generates a key pair: a private key that remains securely on the user's device and a public key that is shared with the service. The private key is never exposed or transmitted, significantly enhancing security.
  • Authentication: To log in, the user verifies their identity using biometrics (e.g., fingerprint, facial recognition), a PIN, a pattern, or a hardware token like a security key. The private key then signs an authentication challenge from the service, proving the user’s identity without sharing sensitive information. The service verifies the signed challenge using the stored public key, confirming the user's identity.