← All terms
Passkeys (FIDO2 / WebAuthn)

What are Passkeys (FIDO2 / WebAuthn)?

Passkeys are phishing-resistant sign-in credentials based on FIDO2/WebAuthn public-key cryptography, unlocked with a fingerprint, face, or PIN.

Last updated: 13 July 2026

How passkeys work

When a user registers a passkey, their device creates a unique public-private key pair for that specific website or application. The private key stays on the device, protected by the secure hardware and unlocked with biometrics or a PIN. The server keeps only the public key, which is useless to an attacker on its own.

At sign-in, the server sends a random challenge, the device signs it with the private key, and the server verifies the signature with the stored public key. Crucially, the credential is bound to the origin of the real website, so a lookalike phishing page can never trigger a valid signature. This flow is standardized as WebAuthn, the browser API within the broader FIDO2 specification.

Why passkeys matter

Passkeys are the first mainstream credential that is phishing-resistant by construction. There is no secret to type, so it cannot be captured by a fake page, keylogger, or social engineering call. Server-side breaches expose only public keys, which cannot be replayed or cracked into working credentials.

Adoption has moved quickly because the major platforms ship passkey support natively across operating systems and browsers. Synced passkeys stored in platform accounts make recovery easy for consumers, while device-bound passkeys on hardware security keys satisfy stricter enterprise and regulatory requirements. For most organizations, passkeys now represent the practical end-state for workforce authentication.

Rolling out passkeys in practice

Enterprise rollouts typically start by enabling passkeys as an MFA factor or password replacement at the identity provider, so every application behind SSO benefits immediately without individual integration work. Early cohorts are usually IT staff and administrators, followed by a broader opt-in phase and eventually default enrollment during onboarding.

Decisions to make up front include whether to allow synced passkeys or require device-bound credentials, how users recover access after losing a device, and how shared or kiosk workstations are handled. Monosign supports passkeys and FIDO2 as first-class authentication factors alongside TOTP and push, enforced through the same central policies.

Frequently asked questions

What is the difference between a passkey and a password?
A password is a shared secret that both you and the server know, which makes it phishable and leakable. A passkey is a cryptographic key pair: the server holds only the public half, and the private half never leaves your device. Nothing reusable is typed or transmitted at sign-in.
Are synced passkeys safe for enterprise use?
Synced passkeys are protected by the platform account and its own strong authentication, and they remain phishing-resistant. Organizations with stricter requirements can mandate device-bound passkeys on hardware keys instead. Many enterprises allow synced passkeys for general staff and require device-bound credentials for privileged roles.
What is the relationship between FIDO2, WebAuthn, and passkeys?
FIDO2 is the overall standard from the FIDO Alliance and W3C. WebAuthn is its browser API that websites call to register and verify credentials, and CTAP is the protocol for external authenticators. A passkey is the user-friendly name for a FIDO2 credential created through this stack.