🔐 What Are Passkeys?
Passkeys are a new type of login credential that:
- Don’t require a password
- Are phishing-resistant
- Use public-key cryptography
- Can be synced across devices (in some implementations)

They are based on the FIDO2/WebAuthn standards but are packaged in a way that’s easier for users to understand and adopt.
🧠 Why the Term “Passkey”?
You’re spot on — the term “passkey” was popularized by Apple at WWDC 2021, and later adopted by Google, Microsoft, and Yubico. The goal was to:
- Make the concept more accessible to users
- Encourage adoption by abstracting away technical jargon like “WebAuthn credentials”
🔄 Synced vs. Device-Bound Passkeys
| Type | Stored Where | Pros | Cons |
|---|---|---|---|
| Synced Passkeys | Cloud (e.g., iCloud Keychain, Google Password Manager) | Convenient, recoverable | Slightly higher risk if cloud account is compromised |
| Device-Bound Passkeys | Local device (e.g., YubiKey, Microsoft Authenticator) | Extremely secure, isolated | Less convenient, harder to recover |

Your point about Microsoft Entra ID only supporting device-bound passkeys in preview is important — it shows a focus on enterprise-grade security over convenience, which is often the right trade-off in corporate environments.
🛡️ Why Are Passkeys More Secure?
- No shared secrets: Unlike passwords, the private key never leaves your device.
- Phishing-resistant: They can’t be tricked into authenticating to a fake site.
- Biometric/PIN protected: Even if someone steals your device, they can’t use your passkeys without your biometric or PIN.
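
The phishing-resistance and biometric/PIN points above come down to fields a WebAuthn relying party checks on every login. The sketch below is an added example, not code from any vendor named here: it checks the origin the browser recorded, the RP ID hash the authenticator recorded, and the user-presence and user-verification flags. `RP_ID`, `ORIGIN`, the helper names and the sample assertions are constructed assumptions, and signature verification (which covers the authenticator data and the hash of the client data, so these fields cannot be altered in transit) is omitted.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "example.com"            # assumed relying-party ID
ORIGIN = "https://example.com"   # assumed origin the server expects

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_assertion(origin, rp_id, challenge, flags=0x05, count=1):
    """Constructed sample of what browser + authenticator send back."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    # authenticatorData: SHA-256(rpId) | flags (1 byte) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
    return client_data, auth_data

def check_assertion(client_data, auth_data, challenge, require_uv=True):
    """Return the list of failed binding checks; empty means all passed."""
    cd = json.loads(client_data)
    errors = []
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):   # stale or replayed response
        errors.append("challenge")
    if cd.get("origin") != ORIGIN:                 # written by the browser, not the page
        errors.append("origin")
    if len(auth_data) < 37:
        return errors + ["authenticator_data_length"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rp_id_hash")                # credential scoped to another site
    if not flags & 0x01:                           # UP: user present
        errors.append("user_present")
    if require_uv and not flags & 0x04:            # UV: biometric or PIN was checked
        errors.append("user_verified")
    return errors

def demo():
    challenge = b"\x01" * 32  # constructed; a real server issues a random one per login
    legit = build_assertion(ORIGIN, RP_ID, challenge)
    other_site = build_assertion("https://login.example.net", "login.example.net", challenge)
    no_uv = build_assertion(ORIGIN, RP_ID, challenge, flags=0x01)
    return [check_assertion(*a, challenge) for a in (legit, other_site, no_uv)]

if __name__ == "__main__":
    print(demo())
```
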