How passkeys work
When a user registers a passkey, their device creates a unique public-private key pair for that specific website or application. The private key stays on the device, protected by the secure hardware and unlocked with biometrics or a PIN. The server keeps only the public key, which is useless to an attacker on its own.
At sign-in, the server sends a random challenge, the device signs it with the private key, and the server verifies the signature with the stored public key. Crucially, the credential is bound to the origin of the real website, so a lookalike phishing page can never trigger a valid signature. This flow is standardized as WebAuthn, the browser API within the broader FIDO2 specification.
Why passkeys matter
Passkeys are the first mainstream credential that is phishing-resistant by construction. There is no secret to type, so it cannot be captured by a fake page, keylogger, or social engineering call. Server-side breaches expose only public keys, which cannot be replayed or cracked into working credentials.
Adoption has moved quickly because the major platforms ship passkey support natively across operating systems and browsers. Synced passkeys stored in platform accounts make recovery easy for consumers, while device-bound passkeys on hardware security keys satisfy stricter enterprise and regulatory requirements. For most organizations, passkeys now represent the practical end-state for workforce authentication.
Rolling out passkeys in practice
Enterprise rollouts typically start by enabling passkeys as an MFA factor or password replacement at the identity provider, so every application behind SSO benefits immediately without individual integration work. Early cohorts are usually IT staff and administrators, followed by a broader opt-in phase and eventually default enrollment during onboarding.
Decisions to make up front include whether to allow synced passkeys or require device-bound credentials, how users recover access after losing a device, and how shared or kiosk workstations are handled. Monosign supports passkeys and FIDO2 as first-class authentication factors alongside TOTP and push, enforced through the same central policies.