What is a Passkey?

Turkish: Passkey (Geçiş Anahtarı)

A passkey is a phishing-resistant sign-in method: a private key held on the user's device, unlocked with biometrics or a PIN, replaces the password.

What is a Passkey?

A passkey is a public-key credential that lets a user sign in without sending a password. The private key stays on the user's device or in a synced credential store, while the service stores only the public key. During sign-in, the site sends a random challenge; the user approves with biometrics, a PIN, or the device lock; the device signs the challenge with the private key; and the service verifies the signature against the stored public key.

Passkeys are bound to the legitimate domain (the relying party ID), so the browser or operating system will not offer them to a look-alike site, and a signature produced for one origin is rejected by another. This property sharply reduces phishing risk compared with passwords and SMS codes. Each service also receives a distinct key pair, so a public key leaked from one service cannot be used to log in to another.
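The challenge-and-signature exchange described above, together with the domain binding and the one-key-pair-per-service property, as an added example that is not part of the original page. It is a simulation in Go using only the standard library: an `Authenticator` type stands in for the user's device, a `RelyingParty` type for the service, and the `ClientData`/`AuthData` layouts are constructed stand-ins for WebAuthn's clientDataJSON and authenticatorData rather than the real encodings. The origins `https://bank.example` and `https://bank-example.test` are made-up sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// credential is what the device keeps: the private key never leaves it.
type credential struct {
	id   string
	priv *ecdsa.PrivateKey
}

// Authenticator models the user's device: one key pair per relying party ID.
type Authenticator struct{ creds map[string]credential }

// RelyingParty models the service: it stores only public keys plus the
// single-use challenge it most recently issued.
type RelyingParty struct {
	Origin, RPID string
	pubs         map[string]*ecdsa.PublicKey
	pending      []byte
}

// Assertion is the signed response the device returns after user approval.
type Assertion struct {
	CredentialID string
	ClientData   string // constructed layout: "<hex challenge>|<origin>"
	AuthData     []byte // constructed layout: sha256(rpID)
	Signature    []byte // ASN.1 ECDSA over sha256(AuthData || sha256(ClientData))
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]credential{}} }

// rpIDFromOrigin is the browser-side step that binds a passkey to a domain:
// the relying party ID is derived from the origin the user is really on.
func rpIDFromOrigin(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", errors.New("passkeys require an https origin")
	}
	return u.Hostname(), nil
}

func NewRelyingParty(origin string) (*RelyingParty, error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	return &RelyingParty{Origin: origin, RPID: rpID, pubs: map[string]*ecdsa.PublicKey{}}, nil
}

// signedMessage mirrors WebAuthn's signed data: authData || sha256(clientData),
// pre-hashed here because ecdsa.SignASN1 expects a digest.
func signedMessage(authData []byte, clientData string) []byte {
	cd := sha256.Sum256([]byte(clientData))
	m := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return m[:]
}

// Register creates a fresh P-256 key pair for rp and enrolls only the public key there.
func (a *Authenticator) Register(rp *RelyingParty) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return "", err
	}
	id := hex.EncodeToString(idBytes)
	a.creds[rp.RPID] = credential{id: id, priv: priv}
	rp.pubs[id] = &priv.PublicKey
	return id, nil
}

// Assert signs the challenge for the origin the user is on. A look-alike origin
// maps to a different rpID that holds no passkey, so it receives nothing.
func (a *Authenticator) Assert(origin string, challenge []byte, approved bool) (*Assertion, error) {
	if !approved {
		return nil, errors.New("user did not approve the sign-in")
	}
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	c, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey for %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	clientData := hex.EncodeToString(challenge) + "|" + origin
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, signedMessage(rpHash[:], clientData))
	if err != nil {
		return nil, err
	}
	return &Assertion{CredentialID: c.id, ClientData: clientData, AuthData: rpHash[:], Signature: sig}, nil
}

// NewChallenge issues a fresh random challenge; only one is valid at a time.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.pending = make([]byte, 32)
	if _, err := rand.Read(rp.pending); err != nil {
		panic(err)
	}
	return rp.pending
}

// Verify runs the relying-party checks: known credential, expected origin, unused
// challenge, correct rpID hash, valid signature under the stored public key.
// The challenge is consumed on success so a replayed assertion fails.
func (rp *RelyingParty) Verify(as *Assertion) error {
	pub, ok := rp.pubs[as.CredentialID]
	if !ok {
		return errors.New("unknown credential")
	}
	parts := strings.SplitN(as.ClientData, "|", 2)
	if len(parts) != 2 || parts[1] != rp.Origin {
		return errors.New("origin mismatch")
	}
	if rp.pending == nil || parts[0] != hex.EncodeToString(rp.pending) {
		return errors.New("unknown or already used challenge")
	}
	if want := sha256.Sum256([]byte(rp.RPID)); !bytes.Equal(as.AuthData, want[:]) {
		return errors.New("rpID hash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientData), as.Signature) {
		return errors.New("bad signature")
	}
	rp.pending = nil
	return nil
}

func main() {
	dev := NewAuthenticator()
	bank, _ := NewRelyingParty("https://bank.example") // constructed sample origin
	if _, err := dev.Register(bank); err != nil {
		panic(err)
	}
	as, _ := dev.Assert("https://bank.example", bank.NewChallenge(), true)
	fmt.Println("legitimate login:", bank.Verify(as))
	fmt.Println("replayed assertion:", bank.Verify(as))
	_, err := dev.Assert("https://bank-example.test", bank.NewChallenge(), true)
	fmt.Println("look-alike origin:", err)
}
```

The phishing case fails at the device rather than at the service: the look-alike origin never obtains a signature at all, which is what distinguishes passkeys from a one-time code the user could be talked into typing. The origin check in `Verify` is the second line of defence, rejecting any assertion whose signed client data names a different origin.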

Relationship to MFA and OAuth2

A passkey can serve as a passwordless primary factor or as a strong factor in an MFA flow. Unlike many 2FA codes, it does not produce a value that the user can copy into a fake site. It also works alongside authorization protocols such as OAuth2: for example, an identity provider can authenticate the user with a passkey and then issue tokens to an application.

Enterprise deployment requires planning for lost devices, backup passkeys, account recovery, and managed-device policy. Passkeys are strong, but a weak recovery process can still let an attacker take over the account through that alternative path.