Passkeys are enabled by something called public key cryptography.
“Instead of you creating and remembering a shared secret, like a password, your device generates a secure key pair – one part stays on your device, and the other sits with the service you’re logging into,” says Daniel Card of BCS, the Chartered Institute for IT.
The process most often involves doing what you do to unlock your device – such as using built-in biometric sensors to scan your fingerprint or face, or using a pin code.
Only the fact you have completed the check – not the information itself – is exchanged.
“These physical security keys are totally resistant to phishing attempts and can’t be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts,” says Niall McConachie, regional director at cyber-security firm Yubico.
