**What is a passkey?**
A passkey is *a discoverable WebAuthn credential.*
> **How is a passkey discoverable?**
> A passkey is discoverable in that *the authenticator stores it, together with a user handle, under the website's relying-party ID, so it can find the credential on its own; the server does not have to supply the credential ID first.*
> > **What capability does a passkey have since it's discoverable?**
> > Since a passkey is discoverable, the capability it has is *enabling an authentication flow that doesn't require entering a username.*
>
> **What is WebAuthn?**
> WebAuthn is *a W3C-standardized JavaScript browser API (exposed as `navigator.credentials`) that enables websites to create and use public-key credentials.*
> > **What does the WebAuthn API give websites access to?**
> > The WebAuthn API gives websites access to *built-in client authenticator technology of web browsers, operating systems, and physical security keys.*
>
> **What are credentials in the WebAuthn context?**
> In the WebAuthn context, credentials are *cryptographic private keys.*
> > **What is there for every private key and where is it stored?**
> > For every private key, there is *a public key stored on a server.*
# Creating a passkey
**What are the two scenarios where a passkey can be created?**
The two scenarios where a passkey can be created are when:
1. A new user registers for an account.
2. An authenticated user decides to create a passkey for their existing account.
**What happens during the first step of passkey creation?**
During the first step of passkey creation, *the web client requests a random challenge from the server.*
**What happens during the second step of passkey creation?**
During the second step of passkey creation, *the web client calls the WebAuthn API with `credentials.create(challenge)` (shorthand for `navigator.credentials.create({ publicKey: options })`, where the options carry the challenge, the relying-party ID, and an opaque user ID), which hands over the challenge and results in a key pair being created on the device.*
> **What is the device where the passkey is created called in the WebAuthn context?**
> In the WebAuthn context, the device where the passkey is created is called *the Authenticator.*
>
> **How is the private key used and where is it stored?**
> The private key is used *to sign the challenge and is stored on the user's device, typically inside secure hardware such as a TPM or secure enclave; a synced passkey is additionally held in the platform's end-to-end encrypted keychain so it can be replicated to the user's other devices, but it is never sent to the website.*
>
> **What three things are returned by the function call to `credentials.create(challenge)`?**
> The three things returned by the function call to `credentials.create(challenge)` are:
> 1. The matching public key.
> 2. A credential ID.
> 3. The signed challenge.
>
> (In the actual API these arrive packed into two fields: `clientDataJSON`, which carries the challenge and the origin, and `attestationObject`, which carries the public key, the credential ID, and any attestation signature.)
>
> **What may a user get prompted for verification with during this step?**
> During this step, the user may get prompted for verification with *a biometric or a PIN.*
**What happens during the third step of passkey creation?**
During the third step of passkey creation, *the web client sends the public key, the credential ID, and the signed challenge back to the server.*
> **What does the server associate the public key and the credential with and for what use?**
> The server associates the public key and the credential with *the user for future authentication flows.*
>
> **How does the server check the validity of future authentication flows?**
> The server checks the validity of future authentication flows *by confirming that the returned challenge is the one it issued and has not been used before, that the origin and relying-party ID in the response are its own, and then verifying the signature with the stored public key.*
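The registration steps above, written out as browser-side code. This is an added example, not code from the original page: the shorthand `credentials.create(challenge)` is really `navigator.credentials.create({ publicKey: options })`, and the challenge and user ID have to be converted between the base64url strings a JSON API carries and the binary buffers WebAuthn expects. The endpoints `/passkey/register/options` and `/passkey/register/verify` and the JSON field names are assumptions.

```javascript
// Added example (not code from the original page): the browser side of passkey
// registration. The endpoints /passkey/register/options and
// /passkey/register/verify and the JSON field names are assumptions.

// WebAuthn wants challenge and user.id as binary; JSON carries them as base64url.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}
function bytesToB64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 2: build the real create() options from the server's JSON.
// residentKey: 'required' is what makes the credential discoverable, i.e. a passkey.
function buildCreationOptions(serverOptions) {
  return {
    challenge: b64urlToBytes(serverOptions.challenge),   // random bytes issued in step 1
    rp: serverOptions.rp,                                // e.g. { id: 'example.com', name: 'Example' }
    user: {
      id: b64urlToBytes(serverOptions.user.id),          // opaque user handle, not the username
      name: serverOptions.user.name,
      displayName: serverOptions.user.displayName,
    },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },    // ES256 (COSE algorithm identifier)
      { type: 'public-key', alg: -257 },  // RS256
    ],
    authenticatorSelection: { residentKey: 'required', userVerification: 'preferred' },
    timeout: 60000,
  };
}

// Step 3: the credential's binary fields must be re-encoded before they can be POSTed.
function serializeRegistration(credential) {
  return {
    id: credential.id,                      // already base64url of rawId per the spec
    rawId: bytesToB64url(credential.rawId),
    type: credential.type,
    response: {
      clientDataJSON: bytesToB64url(credential.response.clientDataJSON),
      attestationObject: bytesToB64url(credential.response.attestationObject),
    },
  };
}

// Full flow; only runs in a browser with a WebAuthn-capable authenticator.
async function registerPasskey() {
  const serverOptions = await (await fetch('/passkey/register/options', { method: 'POST' })).json();
  const credential = await navigator.credentials.create({ publicKey: buildCreationOptions(serverOptions) });
  const resp = await fetch('/passkey/register/verify', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(serializeRegistration(credential)),
  });
  return resp.ok;
}
```

The encoding helpers matter more than they look: a server that compares the challenge it issued against the `challenge` field inside `clientDataJSON` will see it base64url-encoded, so both sides have to agree on that encoding, and padding or `+`/`/` characters are a common source of spurious verification failures.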
# Authenticating with a passkey
**Does a passkey ever leave a user's device?**
*No*, the private key of a passkey is never sent to the server; it stays on the user's device (or, for a synced passkey, within the user's own end-to-end encrypted keychain).
> **What does a user's device create locally with the passkey and for what?**
> With the passkey, a user's device locally creates *a cryptographic signature over the server's challenge, which proves to the server that the response came from the device holding that passkey's private key.*
**What happens during the first step of passkey authentication?**
During the first step of passkey authentication, *the web client requests a random challenge from the server.*
**What happens during the second step of passkey authentication?**
During the second step of passkey authentication, *the web client calls the WebAuthn API with `credentials.get(challenge)` which prompts the user for verification with a biometric or PIN in order to use a stored passkey to sign the challenge.*
> **What three things are returned by the function call to `credentials.get(challenge)`?**
> The three things returned by the function call to `credentials.get(challenge)` are:
> 1. The signed challenge.
> 2. The user handle (the opaque user ID the server supplied at registration; this is what replaces a typed username).
> 3. The credential ID.
**What happens during the third step of passkey authentication?**
During the third step of passkey authentication, *the web client sends the signed challenge, the user handle, and the credential ID back to the server.*
> **What does the server do if the user handle and credential ID are known?**
> If the user handle and credential ID are known, the server *checks the validity of the signed challenge with the public key stored for that credential.*
> > **What does the server do if the signed challenge can be successfully verified by the public key?**
> > If the signed challenge can be successfully verified by the public key, *the server safely assumes the user was in possession of the passkey and creates a session or hands out an authorization token.*
...