What is a passkey?

Overview

Passkeys offer a convenient and more secure alternative to passwords, enabling a password-free login experience for websites and applications.

Passkeys are based on the Web Authentication (WebAuthn) cryptographic standard. When creating an account, the operating system generates a unique cryptographic key pair on the device that is specific to the app or website.

In the context of Internet Identity, a passkey refers to a cryptographic key used to interact with canister smart contracts. Canisters are the building blocks of the Internet Computer, representing smart contracts that can store data and execute code.

To interact with a canister, users need to authenticate their actions using a cryptographic key pair, which consists of a public key and a corresponding private key. The private key is typically stored securely on the user's device or in a digital wallet, while the public key is used to identify the user on the Internet Computer network.

Each action is signed with the private key. The network verifies the digital signature using the associated public key, ensuring that the action was indeed signed by the authorized user. If the verification is successful, the action is executed by the canister on the Internet Computer.

Passkeys and Internet Identity

Passkeys can be used to log in to an Internet Identity and connect to any of the dapps and services using Internet Identity authentication. You can use a passkey to connect easily and securely with just a fingerprint, face scan, screen lock, QR code, or security key. Passkeys are built on the WebAuthn standard.

What is a passkey?

  • A unique public/private key pair stored in the secure hardware chip in your device
  • A convenient and more secure replacement for passwords
  • A means to allow signing into dapps by unlocking your device (e.g. using FaceID or TouchID)

What happens when I create a passkey?

  • Your device will prompt you to authenticate with FaceID, TouchID, or another method that unlocks it, so that a unique cryptographic key pair to access Internet Identity can be created and saved
  • No personal data is shared with Internet Identity or with the dapps using Internet Identity
  • No software is downloaded to your device

How does Internet Identity use passkeys?

Passkeys are simple and secure ways to connect to your Internet Identity and all the sites and dapps you care about. Passkeys don't require saving or creating passwords. The difference between passkeys and passwords is that passkeys are cryptographic key pairs, which are specific to a website or app. One half is shared with the website or app, while your device stores the other half.

Using a temporary key

If you do not want to create a passkey when creating an Internet Identity, you can select continue without a passkey and create a temporary key from a PIN instead.

Storing passkeys

Once a passkey is created, it can be stored locally, in an iCloud keychain, or on an external security key. The process for storing a passkey is different for each operating system, and may not be available on all systems.

If you are creating an Internet Identity for the first time, you can choose to sign in with a passkey, which will be generated and stored on your device or in the cloud, or you can choose to connect with an external security key.

Clearing your browser's cache will result in the deletion of any stored passkeys, and you may be locked out of websites or apps. You should have multiple passkeys registered to your Internet Identity and securely store your backup recovery phrase.

Storing passkeys on iPhone devices

iPhone and iPad devices save passkeys to iCloud keychains by default. Users are required to sign in to iCloud to use Internet Identity on an iPhone. The passkey is synced across all Apple devices on which the user is signed in to their iCloud account.

Users can create an Internet Identity on an iPhone or iPad using any browser that Internet Identity supports. For Safari versions 16.2 and later, Apple syncs users' WebAuthn keys via iCloud and requires users to sign in to iCloud to create WebAuthn keys with Internet Identity.

Storing passkeys on Android devices

To store passkeys, your device must have Android 9.0 or later and have a screen lock function active.

Android devices store passkeys in the Google Password Manager. Passkeys are securely backed up and synced between your Android devices.

  1. On your Android device, open your device settings
  2. Select Passwords
  3. You can recover your passkeys on new devices if you lose the old one. Simply sign in to your account and provide the security PIN, pattern, or password of your lost device

Storing passkeys on Chrome

You can use Chrome to create and use passkeys on another device. Your passkeys remain on the other device.

  1. Open Chrome on your computer
  2. Go to the sign-in page of the dapp or service you wish to connect to
  3. When prompted to use your passkey, select A different device
  4. Scan the QR code with your Android or iOS device

Tip: After scanning the QR code on an Android device, you can choose to remember your computer. If you do, the computer shows your Android device as an option when you need a passkey. When you select it, you receive a notification on your device to verify your identity.

Storing passkeys on Windows devices

You can use passkeys on Windows 10 or later. To store them, you must set up Windows Hello. Windows Hello doesn’t currently support synchronization or backup, so passkeys are only saved to your computer. If your computer is lost or the operating system is reinstalled, you can’t recover your passkeys.

To use passkey management and passkey autofill, your computer must have Windows 11, version 22H2 or later.

Storing passkeys on Mac devices

You can save passkeys in your Chrome profile, where they’re protected by a macOS keychain.

Chrome can’t save or use passkeys stored in iCloud Keychain. If your computer is lost or the Chrome profile is deleted, you can’t recover your passkeys.

Storing passkeys on a security key

You can use a USB security key, such as a YubiKey, Nitrokey, or Titan key, to store your passkeys.

Passkeys stored on security keys aren’t backed up. If you lose or reset the security key, you can’t recover your passkeys.

You can use Chrome on your computer to create and use passkeys on another device. Your passkeys will remain on the other device, an external security key in this case.
