Creating a passkey

What is a passkey?
A passkey is a discoverable WebAuthn credential.

How is a passkey discoverable?
A passkey is discoverable in that it contains information about the user.

What capability does a passkey have since it's discoverable?
Because a passkey is discoverable, it enables an authentication flow that doesn't require the user to enter a username.

What is WebAuthn?
WebAuthn is a JavaScript browser API that enables websites to create and use WebAuthn credentials.

What does the WebAuthn API give websites access to?
The WebAuthn API gives websites access to built-in client authenticator technology of web browsers, operating systems, and physical security keys.

What are credentials in the WebAuthn context?
In the WebAuthn context, credentials are cryptographic private keys.

What is there for every private key and where is it stored?
For every private key, there is a public key stored on a server.

What are the two scenarios where a passkey can be created?
The two scenarios where a passkey can be created are when:

  1. A new user registers for an account.
  2. An authenticated user decides to create a passkey for their existing account.

What happens during the first step of passkey creation?
During the first step of passkey creation, the web client requests a random challenge from the server.

What happens during the second step of passkey creation?
During the second step of passkey creation, the web client calls the WebAuthn API with credentials.create(challenge), which hands over the challenge and results in a key pair being created on the device.

What is the device where the passkey is created called in the WebAuthn context?
In the WebAuthn context, the device where the passkey is created is called the Authenticator.

How is the private key used and where is it stored?
The private key is used to sign the challenge and is stored on the user's device inside secure hardware like a TPM or secure enclave.

What three things are returned by the function call to credentials.create(challenge)?
The three things returned by the function call to credentials.create(challenge) are:

  1. The matching public key.
  2. A credential ID.
  3. The signed challenge.

What may the user be prompted with for verification during this step?
During this step, the user may be prompted for verification with a biometric or a PIN.

What happens during the third step of passkey creation?
During the third step of passkey creation, the web client sends the public key, the credential ID, and the signed challenge back to the server.

What does the server associate the public key and the credential with and for what use?
The server associates the public key and the credential with the user for future authentication flows.

How does the server check the validity of future authentication flows?
The server checks the validity of future authentication flows by verifying the signed challenge with the public key.

Authenticating with a passkey

Does a passkey ever leave a user's device?
No, a passkey never leaves a user's device.

What does a user's device create locally with the passkey and for what?
Using the passkey locally, a user's device creates a unique cryptographic signature that proves to the server the signature was created with the passkey.

What happens during the first step of passkey authentication?
During the first step of passkey authentication, the web client requests a random challenge from the server.

What happens during the second step of passkey authentication?
During the second step of passkey authentication, the web client calls the WebAuthn API with credentials.get(challenge), which prompts the user for verification with a biometric or PIN in order to use a stored passkey to sign the challenge.

What three things are returned by the function call to credentials.get(challenge)?
The three things returned by the function call to credentials.get(challenge) are:

  1. The signed challenge.
  2. The username.
  3. The credential ID.

What happens during the third step of passkey authentication?
During the third step of passkey authentication, the web client sends the signed challenge, the username, and the credential ID back to the server.

What does the server do if the username and credential ID are known?
If the username and credential ID are known, the server checks the validity of the signed challenge with the public key.

What does the server do if the signed challenge can be successfully verified by the public key?
If the signed challenge can be successfully verified by the public key, the server safely assumes the user was in possession of the passkey and creates a session or hands out an authorization token.

...