How Passkeys Actually Work (Public-Key Crypto, Minus the Headache)
Two keys, one of which never leaves your device, and a math trick that proves who you are without sending a secret anywhere. Here's how passkeys really work, minus the moat metaphor.
The first time someone explained public-key cryptography to me, they used envelopes. Then padlocks. Then, for reasons I still don't understand, a story about a king and a moat. I nodded along and understood nothing. So when I started building Paswad and had to actually live inside this stuff, I made myself a promise: if I ever explained passkeys, I'd do it without the moat. This is me keeping that promise.
Here's the thing nobody tells you up front. Passkeys aren't magic, and they aren't even particularly new math. The cryptography underneath has been around since the 1970s, quietly running things like HTTPS while everyone kept typing passwords into boxes anyway. What changed is that your phone and laptop got good enough to do the hard part for you, silently, so you never have to see the gears turn. My job today is to show you the gears. They're prettier than you'd expect.
Two keys, and only one of them ever leaves home
The core idea is a pair of keys that are mathematically joined at the hip. One is the private key, and it stays on your device forever. It never gets emailed, never gets typed, never sits in some company's database waiting to be stolen. The other is the public key, and it's the social butterfly of the pair. You can hand it to anyone. Post it on a billboard if you like. It's useless to an attacker on its own, which is exactly why it's safe to share.
Here's the property that makes the whole thing work: anything signed by the private key can be verified by the public key, but you can't run that backwards. Knowing the public key tells you nothing useful about the private one. It's a one-way street with a toll booth at the end. Think of it like a wax seal on a letter. Anyone can look at the seal and confirm it came from your specific ring. Nobody can reverse-engineer your ring just by staring at the wax. When you register a passkey with a website, you hand them the public key — the wax-seal recognizer — and you keep the ring.
The challenge, and why a shared secret is a liability
A password is a shared secret. You know it, the website knows it, and that shared-ness is the original sin. The moment two parties both hold the same secret, you've doubled the number of places it can leak from, and websites leak constantly — that's not cynicism, it's the news. Every breach headline is the same story: a database full of secrets that should never have been sitting in one place.
Passkeys throw that model out. The website never holds anything secret about you. Instead, logging in becomes a little quiz the site can't cheat on. When you go to sign in, the server sends down a challenge — basically a big random number it just made up on the spot. Your device takes that challenge and signs it with your private key, producing a signature. It sends the signature back. The server uses the public key it stored at registration to check: does this signature match this challenge from this key? If yes, you're in. If no, you're a stranger.
The beauty is in what didn't happen. Your private key never moved. The signature is single-use because the challenge was random and fresh — capture it off the wire and it's worthless next time, like a movie ticket for a screening that already ended. There's no shared secret to steal, because there is no shared secret. The server only ever sees the public half and a one-time proof. I've watched security people relax visibly when this clicks, because it kills entire categories of attack at the root rather than patching them one breach at a time.
Nothing secret ever crosses the wire. The server proves you're you by watching you do a math trick only your key can perform, not by holding a copy of your soul in a table.
So where does the fingerprint come in?
This is the part everyone gets backwards, so let me be blunt about it. Your fingerprint does not get sent anywhere. Your face does not get sent anywhere. Apple, Google, your bank, me — none of us see your biometrics. They physically cannot leave the secure chip on your own device. I find it genuinely funny how much suspicion gets aimed at the one part of this system that's the most private.
The biometric is a local gate, nothing more. Your private key is locked in a vault on your device — a dedicated security chip, the Secure Enclave on an iPhone, a TPM on a laptop. To use that key to sign a challenge, the vault demands proof you're the rightful owner. Your face or thumb is how you knock on that vault door. The check happens entirely on-device, in milliseconds, and the only thing that crosses the network afterward is the signature the key produced once it was unlocked.
So when you hear "log in with Face ID," translate it in your head: "unlock the private key sitting in this specific phone's chip, so it can sign a one-time challenge." The biometric is the doorman to a room. It's not the message being sent. That distinction is the entire reason phishing stops working — even if a fake site tricks you into smiling at your camera, there's no key on that fake domain to unlock, and the signature your real key would produce is bound to the real website's address. The math simply refuses to sign for the wrong door.
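The sign-in exchange from the previous section and the origin binding described above, as an added example that is not from the original post or from Paswad. It is a simplified Node.js model rather than the real WebAuthn message format, and the origins, the `device` and `server` objects, and all function names are assumptions made for the illustration.

```javascript
// Added example: simplified model of a passkey login, not the WebAuthn wire format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const EXPECTED_ORIGIN = 'https://example.com';  // assumed real site
const FAKE_ORIGIN = 'https://example.net';      // constructed look-alike site

// Registration: the device creates the pair; the server stores only the public key.
const device = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const server = { publicKey: device.publicKey, pending: new Set() };

// Server: issue a fresh random challenge and remember it until it is used.
function issueChallenge() {
  const challenge = randomBytes(32).toString('base64url');
  server.pending.add(challenge);
  return challenge;
}

// Device: the browser fills in the origin it is really on; the page cannot choose it.
function deviceSign(challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  return { clientData, signature: sign('sha256', clientData, device.privateKey) };
}

// Server: check the signature first, then the origin, then consume the challenge.
function serverVerify({ clientData, signature }) {
  if (!verify('sha256', clientData, server.publicKey, signature)) return 'bad signature';
  const { challenge, origin } = JSON.parse(clientData.toString());
  if (origin !== EXPECTED_ORIGIN) return 'wrong origin';
  if (!server.pending.delete(challenge)) return 'unknown or reused challenge';
  return 'ok';
}

function demo() {
  const login = deviceSign(issueChallenge(), EXPECTED_ORIGIN);
  const first = serverVerify(login);   // fresh challenge, right origin
  const replay = serverVerify(login);  // same response captured and sent again
  // A look-alike site relays a real challenge; the signed data names the look-alike.
  const relayed = serverVerify(deviceSign(issueChallenge(), FAKE_ORIGIN));
  // Rewriting the origin after signing invalidates the signature.
  const fresh = deviceSign(issueChallenge(), FAKE_ORIGIN);
  const edited = Buffer.from(fresh.clientData.toString().replace(FAKE_ORIGIN, EXPECTED_ORIGIN));
  const tampered = serverVerify({ clientData: edited, signature: fresh.signature });
  return { first, replay, relayed, tampered };
}

console.log(demo());
```

The server in this model holds only `publicKey` and the set of outstanding challenges, so a dump of its state gives an attacker nothing that can produce a valid signature.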
Signatures beat shared secrets, and here's the short version of why
If you remember one thing, make it this. A shared secret is something both sides have. A signature is something only one side can make, and the other side can only check. That asymmetry is the whole ballgame. You can verify a signature a million times and never learn how to forge one, the same way you can recognize a friend's handwriting forever without being able to perfectly counterfeit it under a forensic microscope.
Passwords ask you to be a vault. You're bad at it, I'm bad at it, everyone is bad at it, which is why password managers exist and why we reuse the same three anyway. Passkeys move the vault off your brain and into hardware that was built for exactly this, then prove your identity with disposable signatures instead of a permanent secret. It's not that passkeys are clever and passwords are dumb. It's that passwords were always the wrong shape for the job, and we just didn't have a better shape lying around at scale until now.
Frequently asked questions
If I lose my phone, do I lose my passkeys?
Not usually. On most platforms your passkeys sync through an encrypted keychain — iCloud Keychain, Google Password Manager, and so on — so a new device restores them. The private keys are end-to-end encrypted in transit, meaning even the sync provider can't read them. For the truly paranoid, you can also register a second passkey on a backup device or a hardware key.
Can a website see my private key or my fingerprint?
No to both. The website only ever receives your public key and one-time signatures. Your private key stays locked in your device's secure hardware, and your biometric data never leaves the chip that reads it. The site genuinely cannot store a secret that could be stolen from it later.
What stops someone from copying my passkey?
The private key lives in tamper-resistant hardware designed so the key material can't be extracted, even by software running on the same device. There's no exportable secret to copy off the wire either, since only signatures travel, and each one is bound to a single challenge and a single website.
Is this really more secure than a long, random password?
Yes, and for a reason that has nothing to do with length. A perfect password is still a shared secret that can be phished or leaked in a breach. A passkey can't be phished, because the signature is cryptographically tied to the real site's address, and there's nothing stored server-side worth stealing. You skip the entire class of problems instead of making them slightly harder.
That's the honest version. No envelopes, no moat, no king. Just two keys, one of which you never let go of, and a math trick that proves who you are without ever whispering a secret into the dark. Once it clicks, going back to typing passwords feels like signing every contract with a password you also gave to the other guy. Why did we ever do that?