Evolution of Online Authentication
The way we prove who we are online has evolved dramatically. Initially, passwords were the foundation of digital identity: simple, often reused, and highly vulnerable to theft. As cyber threats increased, two-factor authentication (2FA) became common, combining something we know (a password) with something we have (a phone or token). This added a critical layer of security, making unauthorized access significantly harder even if one factor is compromised.
Building on these innovations, identity federation and single sign-on (SSO) using trusted identity providers (IdPs) have further transformed authentication. Platforms like Google, Microsoft, or Apple act as centralized authorities to verify user identities, allowing secure access to multiple services without creating new credentials for each. This approach simplifies the user experience, strengthens security by leveraging strong IdP protections, and reduces password fatigue.
The latest evolution is passkeys, a passwordless authentication method based on public-key cryptography. Passkeys store a private key securely on the device and use a public key on the server for verification. They offer cross-device security, phishing resistance, and seamless login experiences. Unlike passwords, passkeys make stolen credentials nearly useless and can be synced securely across devices, signaling a future where passwords may finally become obsolete.
The Magic of Passkeys
Passkeys, a system built on a pair of cryptographic keys, represent the next generation of online authentication, offering both enhanced security and greater convenience compared to traditional passwords. Signing in with a passkey is as easy as choosing your account and confirming with a face scan, fingerprint, or PIN: no need to type usernames, enter passwords, copy codes from SMS, or click email links. Many apps have seen sign-in times cut in half (50%) after adopting passkeys.
The Tech Behind Passkey Authentication
Android Keystore
Android Keystore is a secure container within an Android device that stores and manages cryptographic keys. It achieves its strongest security by leveraging hardware-backed components like the Trusted Execution Environment (TEE) or Secure Element (SE). These components act as a mobile analogue of a TPM, protecting keys from software attacks and unauthorized access.
When you visit a website that supports passkeys for the first time and choose to create a passkey, your biometrics (such as a fingerprint or face scan) are used to authorize the creation of the key pair and to protect access to the private key, but they are never sent to the website.
Your device (e.g., an Android phone or a Chromebook) generates a new asymmetric key pair: a private key, securely stored on the device (e.g., in the Android Keystore), and a public key, which is sent to and stored by the website.
When you return to log in, the website sends a challenge to your device. Your device uses your stored private key to sign the challenge, but only after confirming your identity locally via biometrics or PIN. The signed challenge is sent back to the website, which verifies it using the public key it already has, confirming it's really you.
The application knows which user a request belongs to because it stores each user's public key linked to their account. When the user tries to log in, they provide an identifier like a username. The server then uses this identifier to find the correct public key and verify the signed challenge from the user's device.
Even if a website gets hacked, your private key is never exposed because it never leaves your device. The hacker would only have the public key (which is useless on its own for authentication). This makes passkeys far more secure than traditional passwords, which can be stolen, guessed, or reused across different sites.
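The registration and login flow described above, written out as an added example (it is not code from this article, Google, or the WebAuthn specification). It uses Go's standard-library ECDSA on P-256 to stand in for the key pair an Android Keystore would hold, and simplifies what the device signs to SHA-256 of the origin plus the challenge (real WebAuthn signs authenticator data together with a hash of the client data, which carries the origin). The website, usernames, and origins are constructed for the demonstration; the flow shows the four properties the text describes: the website holds only public keys, the device signs only after local user verification, a used challenge cannot be replayed, and a challenge relayed through a lookalike site does not verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedDigest binds a challenge to the origin it was issued for, so a signature
// obtained on a lookalike site never verifies on the real one (simplified WebAuthn).
func signedDigest(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return sum[:]
}

// RelyingParty is the website: it stores only public keys, one per account, plus
// one outstanding single-use challenge per login attempt.
type RelyingParty struct {
	Origin     string
	accounts   map[string]*ecdsa.PublicKey // username -> registered public key
	challenges map[string][]byte           // username -> pending challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

// Register links the public key sent at passkey creation to the account.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.accounts[user] = pub }

// BeginLogin issues a fresh random challenge and remembers it for this account.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // the OS random source is unavailable; nothing sensible to do
	}
	rp.challenges[user] = c
	return c
}

// FinishLogin looks up the account's public key and verifies the signed challenge.
// The pending challenge is consumed on every attempt, so a captured signature cannot be replayed.
func (rp *RelyingParty) FinishLogin(user, origin string, sig []byte) error {
	pub, c := rp.accounts[user], rp.challenges[user]
	delete(rp.challenges, user)
	switch {
	case pub == nil || c == nil:
		return fmt.Errorf("unknown user or no pending challenge")
	case origin != rp.Origin:
		return fmt.Errorf("origin mismatch: signed for %s", origin)
	case !ecdsa.VerifyASN1(pub, signedDigest(rp.Origin, c), sig):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Device stands in for the authenticator (e.g. a key held in Android Keystore): the private key never leaves it.
type Device struct {
	priv         *ecdsa.PrivateKey
	userVerified bool // true once the local biometric or PIN check has passed
}

// Sign answers the challenge for the origin the browser is really on, and only after
// local user verification; the website receives a signature, never the key.
func (d *Device) Sign(origin string, challenge []byte) (string, []byte, error) {
	if !d.userVerified {
		return "", nil, fmt.Errorf("user verification (biometric or PIN) required")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, signedDigest(origin, challenge))
	return origin, sig, err
}

// Demo runs registration, a genuine login, a replay of the same signature and a
// phishing relay, reporting whether each attempt was accepted by the website.
func Demo() map[string]bool {
	rp := NewRelyingParty("https://bank.example") // constructed origin
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{priv: priv}
	rp.Register("alice", &priv.PublicKey) // the public key is all the website ever holds
	out := map[string]bool{}

	c := rp.BeginLogin("alice")
	_, _, err = dev.Sign(rp.Origin, c) // no biometric/PIN check yet: the device refuses
	out["sign without user verification"] = err == nil
	dev.userVerified = true // fingerprint, face or PIN confirmed on the device
	origin, sig, _ := dev.Sign(rp.Origin, c)
	out["genuine login"] = rp.FinishLogin("alice", origin, sig) == nil
	out["replayed signature"] = rp.FinishLogin("alice", origin, sig) == nil
	// A lookalike site relays the real challenge, but the device signs for the
	// origin it is actually on, so the genuine site rejects the result.
	origin, sig, _ = dev.Sign("https://bank-login.example", rp.BeginLogin("alice")) // constructed phishing origin
	out["relayed via phishing site"] = rp.FinishLogin("alice", origin, sig) == nil
	return out
}

func main() { fmt.Println(Demo()) }
```

Running it prints a map in which only "genuine login" is true. The point worth noticing is in FinishLogin: even if a breach dumped the accounts map, an attacker would hold nothing that can produce a signature, and because the challenge is deleted before verification, a signature captured in transit is worthless on the next request.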
The passkey's private key is saved locally on the device within the Android Keystore, specifically in secure hardware like the TEE or SE. You cannot directly see this private key. The public key is stored by the online service (server). Biometrics (fingerprint or face scan) or a PIN are used to authorize the use of this private key for authentication. The private key itself remains on the device and is never shared directly with Google. Instead, Google Password Manager securely syncs an encrypted form or reference of the passkey across your signed-in devices and browsers, enabling seamless access without exposing the sensitive private key.
Passkeys and Password Manager Synchronization
Passkeys are stored as a reference in the password manager, but not all password managers sync them. This creates a challenge: if passkeys are not synced, accessing a website that requires a passkey not available on the current device means you must scan a QR code with a device that has the passkey. This process can be difficult and inconvenient.
This year Google has integrated passkey synchronization into its Password Manager, allowing users to save and use passkeys across devices running Chrome on Windows, macOS, Linux, and Android. This integration simplifies the authentication process and enhances security by eliminating the need for traditional passwords; it limits the need for the QR code scan, though that option may still be presented. Passkeys (the private keys) aren't shared with websites, making them safe even if a site is hacked. With passkeys, users can log in quickly using biometrics or a PIN: no more typing, remembering, or waiting for codes.
Heads-up: Take a look at my session notes from “Google I/O 2025: Modern Identity Authentication: Faster Sign-Ins and Next-Gen Secure Credentials”
. I explore key topics like authentication methods, authorization protocols, and the future of passkeys in depth.