Secure User Authentication with Passkeys

Passwords are a pain. We all know it. They're hard to remember, easy to steal, and a constant source of frustration.

But what if there was a better way to log in to your accounts? Enter passkeys.

Passkeys are a new form of user authentication available for both iOS and Android, that aim to replace traditional passwords. They represent a shift towards a more secure and user-friendly method of online authentication. They leverage powerful cryptographic techniques and your device's biometric security (like finger print or facial recognition) to keep your accounts safe.

Let’s find out how these passkeys work exactly and we’ll be using the iOS example today on how these passkeys can be used by your users.

How Passkeys Work

Passkeys are based on public key cryptography, which matches a private key saved on a device with a public key sent to a web server.

When someone signs in to an account, their private key is verified by your app or website’s public key. That private key never leaves the device, so apps and websites never have access to it.

That means that your information is safe in a hacking or phishing attempt. There’s nothing secret about the public key; it offers no access to anything until paired with the private key.

Since passkeys do not involve remembering a string of characters and are not transmitted over the internet during authentication, they are considered significantly more secure against common threats like phishing attacks or data breaches.

How To Setup Passkeys on iOS User Side

If the app the user is trying to sign into supports passkeys, they’ll get a prompt introduced by the developer for a passkey registration when reaching the login screen or tapping on the username field (alternatively this can be also set up from System Settings), then a modal will pop-up for biometrics check.

Let’s imagine you want to create a passkey for PayPal.

The passkey is automatically generated and stored in the iCloud Keychain, making it available across all the user’s devices, for native apps and on web.

Then, on the user’s next login attempt, the modal for using the passkey will automatically prompt the user to login via an existing passkey (a list of passkeys will be prompted in screen 1 if the user has multiple passkeys for different accounts set up).

After selecting the passkey and passing through the biometrics check, the user is automatically logged into their account.

Passkeys are stored locally on your device. If you need to log in from a different iOS device with a different Apple ID or a different operating system altogether, you can transfer the passkey securely, often through a Bluetooth connection or a similar method.

Passkey Sharing

There are a few different methods how the passkey can be shared across devices.

1. Login with a Passkey From Another Device

When wanting to sign into an application using passkeys, but the passkey for the account you wish to use is on another device, sign in is possible via QR scanning.

Let’s take the example of PayPal again. First, you’d need to try logging into Paypal on web. The app will provide you with a QR code to scan using the device that possesses the passkey.

After scanning, a prompt will pop-up on the second device. After the check on device #2, you will be automatically logged in into device #1 (web).

This method, however, provides a safe one-time only login.

2. Passkey Sharing via AirDrop

If the user wants to actually share their passkey, that is possible as well. In order to do this, you should follow these steps: System Settings -> Passwords -> Search for the app or website afferent to the passkey you want to share -> Share via AirDrop.

Since it may introduce security risks, AirDropping passkeys is automatically declined, as you can see in the second screen, unless the following condition is met.

The person you are sharing the passkey with must be in your contact list with the email address used for iCloud and vice-versa (you must be in the other person’s contact list with the email address used for iCloud). Otherwise, the AirDrop of your passkey will be declined.

3. Share Passkeys via a Shared Group

Another way to effectively share passwords between workplace colleagues, family members or trusted contacts is via a Shared Group. All members of the group can add passkeys.

Using your iOS device, go to System Settings -> Passwords -> Share Passwords and Passkeys -> Get Started.

The next step is to add people to the shared group, ensuring once again they are in your contacts. After naming and creating the group, choose which passkeys to share and decide whether or not to notify the group members.

Afterward, you can manage your group and shared passkeys by going to “Passwords” in your system settings (add and remove members or passkeys).

Note: To be able to add people, they must be saved as a contact and be using a device with iOS 17, iPadOS 17 or macOS Sonoma (or newer).

Also, your shared passkeys are saved in the iCloud Keychain. You can use them like any other passkey. However, if you move a passkey to a shared group, you can only access that password on devices running iOS 17, iPadOS 17 or macOS (or later).

What Now?

All in all, passkeys are a fantastic new feature to consider including in any product. They offer a much more secure and user-friendly login experience for your users, eliminating the need for passwords.

With passkeys, users can log in with just their fingerprint or facial recognition, making it even easier than before to access their accounts.

If you're looking to improve your product's security and usability, then consider implementing passkey support as a next step. Your users will enjoy a more seamless login experience, while you benefit from increased security. It's a win-win!