“The Devil’s Pass Key (or The Devil’s Passkey) is a 1920 silent drama film” — directed by Erich von Stroheim
How do I set up a passkey?
To enable passkeys for an app, the app must first support them. Developers have two options:
- Implement a full FIDO2 WebAuthn passkey system, including the necessary backend support (a relying party, typically implemented as a web server at a published URL). While effective, this approach is complex and can take several weeks of development effort.
- Use AppKey, which offers a plug-and-play passkey solution that can be implemented in just hours, at an affordable cost.
If the app supports passkeys, users will typically create a passkey linked to a unique handle, such as an email address or phone number. The app verifies the handle by sending a code to confirm ownership. The passkey itself is created as a public/private key pair: the private key is securely stored in the device’s keychain (for synchronized passkeys), and the app server saves the public key for future use.
During authentication, the app server sends a challenge to the user’s device. The device retrieves the private key from the keychain and signs the challenge. This signed challenge is then sent back to the server, which verifies it using the saved public key. If the verification succeeds, the user is authenticated.
With AppKey, developers can bypass the complexity of building their own implementation and focus on delivering secure, passkey-enabled apps quickly and efficiently.
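The registration and challenge-response flow described above, as an added sketch in Node.js (not code from AppKey or from the original page). It is deliberately simplified: real WebAuthn assertions sign more structure than shown here, and the relying party ID, handle, lifetime and function names are all assumptions made for illustration.

```javascript
// Added example: simplified passkey challenge-response, not a full WebAuthn implementation.
const nodeCrypto = require('node:crypto');
const RP_ID = 'app.example';      // hypothetical relying party ID
const CHALLENGE_TTL_MS = 60_000;  // assumed challenge lifetime
const publicKeys = new Map();     // server: handle -> public key (PEM), no secrets
const pending = new Map();        // server: handle -> { challenge, expires }

// Device: the key pair is generated on the device; only the public key leaves it.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Server: registration stores the public key under the verified handle.
function register(handle, publicKeyPem) { publicKeys.set(handle, publicKeyPem); }

// Server: a fresh random challenge per login attempt.
function issueChallenge(handle, now = Date.now()) {
  const challenge = nodeCrypto.randomBytes(32);
  pending.set(handle, { challenge, expires: now + CHALLENGE_TTL_MS });
  return challenge;
}

// Signed bytes bind the challenge to one relying party.
function signedData(rpId, challenge) {
  const rpIdHash = nodeCrypto.createHash('sha256').update(rpId).digest();
  return Buffer.concat([rpIdHash, challenge]);
}

// Device: sign with the private key (ECDSA P-256 over SHA-256).
function deviceSign(privateKey, rpId, challenge) {
  return nodeCrypto.sign('sha256', signedData(rpId, challenge), privateKey);
}

// Server: verify against the stored public key; each challenge is single use.
function verifyAssertion(handle, signature, now = Date.now()) {
  const entry = pending.get(handle);
  pending.delete(handle);
  const pem = publicKeys.get(handle);
  if (!entry || !pem || now > entry.expires) return false;
  return nodeCrypto.verify('sha256', signedData(RP_ID, entry.challenge), pem, signature);
}

// Constructed demo values: one login, then a replay of the same signature.
const demoKey = createPasskey();
register('user@example.com', demoKey.publicKeyPem);
const demoSig = deviceSign(demoKey.privateKey, RP_ID, issueChallenge('user@example.com'));
console.log('login:', verifyAssertion('user@example.com', demoSig), 'replay:', verifyAssertion('user@example.com', demoSig));
```

The server side holds only public keys and short-lived challenges, so a replayed signature, a signature made for a different relying party ID, or one made with another key all fail verification.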
How do I add a passkey on my iPhone?
Passkeys are created for an app on an iPhone when a user registers their email address or phone number with the app, a process referred to as the “registration ceremony” in FIDO2 terminology. A passkey consists of a relying party (the app’s URL), an account handle (email or phone number), the app’s name, and a public/private key pair.
Passkeys are securely stored in the iPhone’s keychain, which can only be accessed using biometric authentication via Touch ID or Face ID. Users can view and manage all their saved passkeys by navigating to the “Passwords” section in the Settings app, providing a centralized way to handle their passkeys on the device.
Where is the Passkey saved on my iPhone?
Passkeys are securely stored in the iPhone’s keychain, which is encrypted and accessible only after biometric authentication using Face ID or Touch ID. If the iPhone is stolen, the passkeys cannot be accessed by the thief. Additionally, because the keychain is synced to the user’s iCloud account, all passkeys are automatically restored when a replacement iPhone is purchased and the account is recovered from iCloud.
How do I create passkeys in an authenticator app?
The short answer is that passkeys are not created within authenticator apps like Google Authenticator. Authenticator apps are designed for two-factor authentication (2FA) and work by generating time-based one-time passwords (TOTP) to complement traditional email/password authentication.
While authenticator apps add an extra layer of security, they are not as robust as passkeys, which rely on public-key cryptography. If a server is hacked and the TOTP seed is stolen, a hacker could potentially bypass the authenticator’s security. Passkeys eliminate this risk by replacing authenticator apps with a more secure solution in which the server stores only a public key, so a server breach does not expose a secret that can be used to sign in.
Is Apple Passkey available now?
As of November 2023, Apple supports Passkeys on both iOS and the Safari browser. Additionally, Apple ID Sign-In now includes Passkey functionality, meaning applications using Apple Sign-In can take advantage of the enhanced security provided by Passkeys.
How do I add a security key to my iPhone?
Apple iOS not only supports synchronized passkeys through the Apple Keychain system but also supports hardware FIDO2 security keys that can interface directly with an iPhone or a macOS browser. FEITIAN is a leading provider of FIDO2 hardware security keys compatible with iOS, macOS, and Android. One key advantage of hardware FIDO2 security keys is their physical separation from the iPhone, which reduces the risk of passkeys being compromised if the device is lost, stolen, or hacked. These keys provide an additional layer of robust security.
How do I put a passkey on my apps?
The seemingly most straightforward approach is to download the FIDO2 WebAuthn source code and set up a relying party WebAuthn server to store authentication public keys for the app’s users. In a second phase, the developer would integrate Apple’s Passkey SDKs to interface with the WebAuthn server. However, this process is highly complex and time-consuming, and it requires deep expertise in both WebAuthn and Apple’s Passkey SDK.
Alternatively, developers can choose a turnkey solution like AppKey, enabling them to implement passkey authentication for iOS in just a few hours. AppKey offers SDKs for Swift, React Native, and Kotlin for Android, making it a simplified, efficient solution for adding passkey functionality.