12 Dec, 2025
This is the first post in a multi-part series covering passkeys (or WebAuthn). You’ve likely encountered passkeys in the wild at some point. They are ubiquitous, and for good reason: they are one form of phishing-resistant authentication, and definitely the most popular one.
Table of Contents
- Introduction (current)
- The Registration Ceremony
- The Authentication Ceremony
- FIDO Metadata
- The Packed Attestation
- Implementing a Virtual Authenticator
(Note: will be updated as more posts are completed)
So what in the world is a passkey? Simply put, it is a public / private key pair stored on an authenticator tied to a specific website and possibly user. There are multiple kinds of authenticators, but they fall into two broad categories: software and hardware. Software authenticators are widely available, and most password managers also function as a passkey provider, like 1Password among others. There are also a decent number of hardware authenticators, like the Yubikey.
Authenticators for use in high security environments should be certified, and there are different certification levels. Certification is handled by the FIDO Alliance, an organization that not only certifies authenticators but also manages the specification governing passkeys in general.
So how does a passkey work? There are two ceremonies: registration and authentication. During the registration ceremony, a challenge (random string) is provided to the authenticator by the website you are adding the passkey to along with other metadata about the site and user. The authenticator creates a credential id, creates a key pair, signs the challenge, and then gathers any additional metadata the site might request from the authenticator. The id, metadata, signed challenge, and public key are then provided back to the requesting site. After some verification, the public key and metadata will be stored for future use in the authentication ceremony.
The authentication ceremony is used if the key pair already exists and you want to verify that you are who you say you are. In this ceremony, a challenge is provided along with some very basic site metadata. In some cases, a user id might be provided, but not always. The authenticator will search its list of sites for a matching key pair, sign the challenge, and then return the signed challenge along with the credential id. The website can look up the credential by the id, and then confirm that the signature over the challenge verifies with the stored public key before it allows the ceremony to complete.
Wait a moment: what kind of metadata can be requested about the authenticator? There are several layers of metadata that can be requested, but in general: the manufacturer of the authenticator, the firmware version, the serial number of the authenticator, and other metadata provided by the manufacturer. Not all authenticators support metadata, and not all sites require it. The most common reason for collecting metadata is to ensure that only certain types and / or manufacturers of authenticators are used.
The majority of metadata is assigned to a publicly available registry known as the FIDO Metadata Registry and attached to an id assigned to your authenticator during certification: the AAGUID.
So how exactly are passkeys phishing resistant? It must be noted here that passkeys are not phishing proof. Anyone that makes such a claim should be regarded with skepticism. Different authenticator types also have vastly different levels of phishing resistance. Hardware authenticators in general have better resistance than software authenticators.
The resistance comes from the public / private key pair. The private key should never leave the authenticator. If your private key can be extracted during regular operation, that dramatically lowers the resistance offered by your authenticator.
Note: Some authenticators do allow private keys to be extracted in special circumstances, like making a backup of the authenticator. Others choose not to allow any extraction. Both choices are valid, and you should choose the authenticator that meets your needs and security requirements.
The fact that only the public key is sent over the wire while the private key is not means that you have a credential that can’t be stolen in transit, like a password can. It’s also not as easy for a hacker to spoof a page to capture passkeys because they are tied to a specific domain and cannot be used on other domains. Finally, passkeys prevent replay attacks by forcing the challenge to be different every time, unlike a password.
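To make the two ceremonies and the three properties just described concrete, here is a small added simulation (not code from the original post or from any real authenticator) of a relying party and an in-memory authenticator. The relying party mints a random challenge, the authenticator creates a credential id and key pair, signs, and returns only the id, public key and signature; the relying party verifies the signature (it never decrypts anything) and stores the public key. The `signedMessage` helper, the `example.com` and `examp1e.com` domain names and the user `alice` are assumptions constructed for the example; real WebAuthn signs over authenticator data and a hash of the client data, which this collapses into one hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// credential is one site-bound key pair held inside the simulated authenticator.
type credential struct {
	rpID, userID string
	priv         *ecdsa.PrivateKey
}

// Authenticator is an in-memory toy: private keys are created here and never handed out.
type Authenticator struct{ creds map[string]*credential } // credential id -> key pair

// RelyingParty is the website: it mints challenges and stores only public keys.
type RelyingParty struct {
	rpID       string
	pubKeys    map[string]*ecdsa.PublicKey // credential id -> public key
	challenges map[string]bool             // outstanding challenges (hex), consumed on first use
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*credential{}} }
func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// NewChallenge mints 32 random bytes and remembers them so a response is accepted once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.challenges[hex.EncodeToString(c)] = true
	return c
}

// signedMessage binds the signature to site and challenge (assumption: a simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Register creates a credential id and key pair for this site and user, signs the challenge, and returns only the id, the public key and the signature.
func (a *Authenticator) Register(rpID, userID string, challenge []byte) (credID string, pub *ecdsa.PublicKey, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	credID = hex.EncodeToString(raw)
	a.creds[credID] = &credential{rpID: rpID, userID: userID, priv: priv}
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
	return credID, &priv.PublicKey, sig, err
}

// Assert signs with the key pair registered for rpID; a lookalike domain has no entry, so there is nothing to sign with and a spoofed page receives nothing usable.
func (a *Authenticator) Assert(rpID string, challenge []byte) (string, []byte, error) {
	for id, c := range a.creds {
		if c.rpID == rpID {
			sig, err := ecdsa.SignASN1(rand.Reader, c.priv, signedMessage(rpID, challenge))
			return id, sig, err
		}
	}
	return "", nil, errors.New("no credential for " + rpID)
}

// verify consumes the challenge (so a captured response cannot be replayed) and checks the signature with the stored public key: nothing is decrypted, only verified.
func (rp *RelyingParty) verify(pub *ecdsa.PublicKey, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, key)
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.rpID, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// CompleteRegistration stores the public key under the credential id once the signed challenge verifies.
func (rp *RelyingParty) CompleteRegistration(credID string, pub *ecdsa.PublicKey, challenge, sig []byte) error {
	err := rp.verify(pub, challenge, sig)
	if err == nil {
		rp.pubKeys[credID] = pub
	}
	return err
}

// CompleteAuthentication looks the credential up by id, then verifies the signed challenge.
func (rp *RelyingParty) CompleteAuthentication(credID string, challenge, sig []byte) error {
	if pub, ok := rp.pubKeys[credID]; ok {
		return rp.verify(pub, challenge, sig)
	}
	return errors.New("unknown credential id")
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("example.com")
	ch := rp.NewChallenge()
	id, pub, sig, _ := auth.Register("example.com", "alice", ch)
	fmt.Println("register:", rp.CompleteRegistration(id, pub, ch, sig))
	ch = rp.NewChallenge()
	id, sig, _ = auth.Assert("example.com", ch)
	fmt.Println("login:", rp.CompleteAuthentication(id, ch, sig), "| replay:", rp.CompleteAuthentication(id, ch, sig))
	_, _, err := auth.Assert("examp1e.com", rp.NewChallenge()) // constructed lookalike domain
	fmt.Println("lookalike:", err)
}
```

Running it prints `<nil>` for the registration and the first login, then an error for the second use of the same response (the challenge was consumed) and an error for the lookalike domain (the authenticator holds no key pair for it). Those two errors are the replay protection and the domain binding from the paragraph above, and the fact that `RelyingParty` only ever holds `*ecdsa.PublicKey` values is the "private key never leaves the authenticator" property.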
With all of this said, passkeys can be used either on their own or as a complement to passwords. Many sites offer both: signing in exclusively with a passkey, or using a passkey as a second factor after the password has been entered. Both offer improved security over using a password alone.
So that’s what passkeys are, the basics of how they work, and what makes them special. In future posts, we’ll actually dig into how they work, and ultimately, we’ll make a little toy virtual authenticator.