Passkey browser support in 2024
All the major browsers now support passkeys; however, biometric support is often limited to browsers with tight platform integration, e.g. Safari on iOS and Chrome on Android.
Passkeys enable two-factor authentication (including biometrics). Users can even use a biometric-enabled device, e.g. an iPhone with FaceID, to authenticate on a device lacking this capability, e.g. a desktop.
The problems with passwords are so widely understood that pretty much every website now uses some form of secondary authentication. Passkeys negate the need for these secondary factors, offering native support for multi-factor authentication.
Passkeys use public/private key pairs. The private key is stored on the user's device (or synced to a cloud account). Unlike the shared-secret password model, the private key is never transmitted to the website requiring authentication; only the public key is shared, during the initial passkey registration.
Like TOTP-based authenticators, e.g. Google Authenticator, passkey credentials, specifically the private key, are stored on physical devices. The device could be a USB key, e.g. a YubiKey, or a platform authenticator, i.e. a smartphone, tablet or computer.
Note: private keys can be synced to a cloud account; however, access to that account is itself typically protected by multi-factor authentication.
Secondary authentication (aka user verification) guards access to the private keys.
Passkeys stored on a compatible device can be protected by biometrics. This will typically take the form of facial or fingerprint recognition e.g. FaceID or TouchID on iOS.
For devices that lack biometric capabilities, the authenticator can fall back to a PIN or password to guard access to the private key.
Falling back to a PIN or password may be required even on devices with biometrics if the capability is temporarily unavailable. One scenario in which this could occur would be a laptop with a fingerprint sensor that’s being used in clamshell mode.
Passkeys enable developers to specify the level of authentication required. This additional secondary authentication is known as user verification. Developers can specify a level of:
Ultimately it's up to the browser/authenticator to decide exactly how to enforce these conditions. For example, a TouchID-enabled MacBook in clamshell mode would require the user's password if user verification is set to required, but would skip user verification if set to desirable.
Inevitably there's a trade-off between friction/usability and security. Fortunately, user verification can be specified on a case-by-case basis. Logging into a user's "home page" may require no verification, but accessing the billing data could require verification.
Passkeys are tied to specific (HTTPS) websites. Browsers won't use a private key intended for one website to sign a challenge generated by a different site.
Roaming authenticators allow users to sign in to a website on one device, using a passkey stored on a different device.