WebAuthn And Passkeys

Phishing resistant login using public key cryptography instead of shared secrets.

6 min read · advanced

Beyond Shared Secrets

Passwords and one-time codes are shared secrets: both the user and the server know them, so anything that can trick the user into typing them (a phishing page, a fake login prompt, a "read me the code" phone call) can capture them. WebAuthn replaces them with public-key cryptography. The user's authenticator (a security key, or the device's platform credential manager) holds a private key; the server stores only the matching public key and never sees the private one.

How It Works

  • During registration the authenticator generates a fresh key pair for the relying party. The key is scoped to the relying party identifier (RP ID, normally the site's domain), and the browser will only let a page whose origin matches that RP ID use it.
  • The server stores the public key together with a credential ID that identifies this key pair.
  • To log in, the server sends a fresh random challenge. The browser packages the challenge, the page's real origin and the request type into the client data; the authenticator signs the hash of that client data together with its own authenticator data (a hash of the RP ID, flags such as user presence, and a signature counter). The server checks the origin, the RP ID hash and the challenge, then verifies the signature with the stored public key.

A passkey is a WebAuthn credential that is discoverable (the authenticator can find it by RP ID without the server first listing a credential ID) and that is typically synced across a user's devices through the platform's credential manager, which makes the model practical for consumers.

Why It Resists Phishing

  • The credential is bound to the RP ID and the signed client data carries the real origin of the page, so a lookalike site on another domain cannot obtain a signature that the genuine server will accept, even if it relays the genuine challenge in real time.
  • The private key never leaves the authenticator, so a phishing page has nothing to capture, and the user cannot be talked into handing it over the way they can with a code.
  • A breach of the server exposes only public keys and credential IDs, which cannot be used to produce a valid assertion, so there are no password hashes to crack and nothing to replay against other sites.

One caveat: WebAuthn protects the login step itself. The session cookie issued afterwards still needs the usual protections, and an account recovery path that falls back to SMS or e-mail codes is only as phishing-resistant as that weakest method.

Key idea

WebAuthn and passkeys authenticate with origin-bound key pairs: the server holds only public keys, the private key never leaves the authenticator, and every login signs a fresh server challenge that includes the page's real origin, so there is no shared secret to phish and a server breach leaks nothing an attacker can log in with.

Check yourself


1. What does the server store in WebAuthn?

2. Why is WebAuthn phishing resistant?

3. What is a passkey?