The term “passkeys” refers to passwordless credentials based on asymmetric cryptography (FIDO2/WebAuthn). Each account gets a unique key pair: the private key stays on the device (or in an OS-backed, end-to-end encrypted sync vault), while the public key is stored with the service. Sign-in works by producing a cryptographic signature after local user verification (e.g., biometrics or device PIN). Passkeys are phishing-resistant because they are bound to the site/app origin and never transmit shared secrets.
Registration & Enrollment (WebAuthn ceremony): Creating the key pair, storing a resident/discoverable credential, linking it to the user account.
Authentication (sign-in ceremony): Challenge signing with origin binding, user verification via biometrics or device PIN (UV), optional user presence (UP).
Platform & roaming authenticator support: Use OS-level authenticators (e.g., Windows Hello, Face ID/Touch ID, Android) and FIDO2 security keys.
Multi-device passkeys & device sync: Secure synchronization/backup through OS-provided vaults; manage multiple devices per user.
Cross-device (hybrid) sign-in: Sign in on a new device via QR code/proximity (Bluetooth) with confirmation on an already authenticated device.
Policies & access control: Enforce passwordless sign-in, step-up authentication for sensitive actions, RBAC/policy controls per app, group, or risk.
Risk evaluation & fraud detection: Device signals, geo/IP checks, anomaly detection; adaptive requirements (e.g., additional verification).
Attestation & device compliance: Validate authenticator attestation (if required), enforce minimum standards (e.g., AAGUID allowlist).
Lifecycle management: View, rename, suspend, and delete passkeys; revoke after device loss; recovery with strong identity proofing.
Integration & developer tooling: WebAuthn/FIDO2 SDKs, server APIs for challenge handling, origin configuration, multi-tenant/Relying-Party settings.
SSO integration: Combine with OIDC/SAML; passkey-first flows in enterprise SSO.
Reporting & compliance: Audit logs, user-verification evidence, success/abandonment metrics, mapping to internal policies and standards (e.g., NIST AAL).
User self-service & helpdesk: Portal for users to manage their own passkeys; admin/helpdesk APIs for controlled recovery.
Secure fallback strategies: Temporary codes, phishing-resistant second factors, or identity proofing when no passkey is available—without reverting to reusable passwords.
An employee signs in to the company intranet with Windows Hello—no password, only face recognition; the service validates the WebAuthn signature.
A field worker scans a QR code on a new laptop and confirms the sign-in on their phone using a fingerprint (cross-device flow).
A financial portal requires a fresh passkey verification as a step-up control for transfers above €10,000.
A company’s admin console manages staff passkeys: lock a lost device, verify attestation, export audit logs.
A SaaS app uses passkeys together with OIDC SSO: users authenticate passwordlessly at the IdP and receive tokens for the business application.