{"id":21830,"date":"2026-07-09T11:00:00","date_gmt":"2026-07-09T11:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/09\/what-is-a-passkey-definition-how-it-works-standards\/"},"modified":"2026-07-10T22:20:49","modified_gmt":"2026-07-10T22:20:49","slug":"what-is-a-passkey-definition-how-it-works-standards","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/09\/what-is-a-passkey-definition-how-it-works-standards\/","title":{"rendered":"What Is a Passkey? Definition, How It Works, and Standards"},"content":{"rendered":"<div class=\"st-definition\">\n<p><strong>What is a Passkey?<\/strong> A Passkey is a cryptographic login key built on the FIDO2 standard (Fast Identity Online version 2) that replaces passwords. It consists of a key pair: the public key is stored on the service, while the private key stays on the user&#8217;s device and is never transmitted. Because the Passkey is bound to the service&#8217;s domain, phishing attempts technically fail.<\/p>\n<\/div>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Principle:<\/strong> Public-key cryptography with challenge-response. The private key never leaves the device; unlocking is performed locally via biometrics or PIN.<\/li>\n<li style=\"margin-bottom:10px;\"><strong style=\"color:#69d8ed;\">Phishing Resistance:<\/strong> The Passkey is bound to the exact domain. There is no secret that a user could enter on a fake page.<\/li>\n<li style=\"margin-bottom:0;\"><strong style=\"color:#69d8ed;\">Standards:<\/strong> Passkeys rely on FIDO2 (Fast Identity Online version 2), the combination of the W3C WebAuthn specification and the FIDO CTAP protocol.<\/li>\n<\/ul>\n<\/div>\n<h2>How a Passkey Works<\/h2>\n<p>When registering, the device creates a unique key pair for each service. The service stores only the public key. During every login, it sends a challenge that the device signs with its private key, and the service verifies the signature. The signature is released only after local verification, using a fingerprint, facial recognition, or PIN. Biometric data remains on the device just like the private key.<\/p>\n<p>In practice, companies encounter two variants. Synchronized passkeys are stored in a credential manager such as Apple&#8217;s or Google&#8217;s password manager and are end\u2011to\u2011end encrypted across all of the user&#8217;s devices. Device\u2011bound passkeys remain permanently on a single authenticator, typically a FIDO security key. They cannot be copied.<\/p>\n<div data-element=\"key_number\" style=\"background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:28px 24px;margin:32px 0;text-align:center;\">\n<div style=\"font-size:1.6em;font-weight:800;color:#69d8ed;line-height:1.05;word-break:keep-all;\">FIDO2<\/div>\n<p style=\"margin:10px 0 0;font-size:0.92em;color:#e6e3da;\">WebAuthn (W3C) plus CTAP (FIDO Alliance): the two standards behind every passkey<\/p>\n<p style=\"margin:6px 0 0;font-size:0.78em;color:#8fa3ab;\">Quelle: FIDO Alliance<\/p>\n<\/div>\n<h2>Why Phishing Falls Flat<\/h2>\n<p>Phishing resistance isn\u2019t a marketing claim. It arises from the architecture. A passkey is bound at creation to the service\u2019s origin &#8211; that is, its exact domain. Browsers and operating systems only release the credential to that precise domain. A convincingly realistic copy of the login page on a foreign domain simply receives no signature.<\/p>\n<p>Moreover, there is no shared secret. Passwords and one\u2011time codes can be intercepted in real time by an attacker via a phishing proxy and forwarded. With a passkey, there\u2019s nothing for the user to enter or forward. The BSI therefore describes passkeys as a secure alternative to passwords and has issued a technical guideline (TR-03188) for server\u2011side implementation.<\/p>\n<h2>What Companies Need to Verify Now<\/h2>\n<p>The transition starts with an inventory: Which applications still rely on passwords, and where do credential\u2011stuffing and phishing cause the most damage? Based on that, decide which services to migrate to WebAuthn first and how recovery will be handled in the event of lost devices.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">VERIFY NOW<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Inventory login procedures and assess phishing risks per application<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Deploy a WebAuthn\u2011ready passkey server or select a provider, reference: BSI TR\u201103188<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Launch a pilot with selected user groups, keep password login as a parallel fallback<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Define recovery rules: synchronized or device\u2011bound, backup keys for critical accounts<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Eliminate weak fallbacks, otherwise password resets undermine passkey security<\/li>\n<\/ul>\n<\/div>\n<h2>Distinguishing Related Terms<\/h2>\n<p>FIDO2 is the umbrella term for two components. WebAuthn is the W3C specification that enables browsers and services to create and verify credentials. CTAP governs the communication between the client and the authenticator, such as a security key. A passkey is the resulting credential.<\/p>\n<p>What fundamentally distinguishes the passkey from a classic second factor is that one-time codes via SMS or authenticator app remain phishable because they can be intercepted and forwarded in real time. A hardware key such as a YubiKey, on the other hand, is not opposed to a passkey: It serves as a storage location for device-bound passkeys and additionally provides manufacturer attestation for high security requirements.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>What happens if a device is lost?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Synchronized passkeys can be restored via the Credential Manager on a new device. For device-bound passkeys, a backup key or a recovery process with the service is required.<\/p>\n<\/details>\n<details>\n<summary><strong>Are Passkeys more secure than passwords plus MFA?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Yes, against phishing. One\u2011time codes and push confirmations can be intercepted via real\u2011time relays, and a passkey simply fails to generate a signature on a foreign domain. The FIDO Alliance therefore rates a passkey higher than a password plus a traditional second factor.<\/p>\n<\/details>\n<details>\n<summary><strong>Do Passkeys work everywhere?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">All common operating systems and browsers support it, logging in via a second device works via QR code and Bluetooth proximity verification. Each service must offer WebAuthn itself, and many still don&#8217;t.<\/p>\n<\/details>\n<details>\n<summary><strong>How does a passkey differ from a YubiKey?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The passkey is the credential, and the YubiKey is a physical storage location for it. Hardware keys keep passkeys device-bound and provide attestation, suitable for environments where only a single copy of the key is allowed.<\/p>\n<\/details>\n<details>\n<summary><strong>Can passkeys be transferred to another provider?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Within an ecosystem like iCloud or Google Password Manager, synced passkeys automatically migrate. Direct export between different providers is only partially possible so far, and device-bound passkeys cannot be copied.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/07\/passkeys-in-the-enterprise-the-end-of-the-password\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/passkeys-unternehmen-passwortlos-cover-hero-1-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Passkeys in the Enterprise: The End of the Password<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/15\/adaptive-mfa-nis2-audit-policy-proof-conditional-access\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/adaptive-mfa-audit-policy-proof-conditional-access-cover-en-hero-2-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Adaptive MFA in the NIS2 Audit: When the Policy is Suitable as Proof<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/10\/security-awareness-the-click-rate-measures-the-wrong-thing\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/security-awareness-the-click-rate-measures-the-wrong-thing-cover-en-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Security Awareness: The Click Rate Measures the Wrong Thing<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/07\/06\/eight-minutes-to-aws-admin-how-an-open-s3-bucket-and-an-admin-lambda-were-all\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-aws-admin-acht-minuten-s3-bucket-lambda-21700787.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Eight Minutes to AWS Admin: How an Open S3 Bucket and an Admin Lambda Were All It Took<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/ai-action-month-cyber-analytics-for-smes-without-it-teams\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-mai-aktionsmonat-was-kostenfreie-ki-cybe-31405833-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">AI Action Month: Cyber Analytics for SMEs Without IT Teams<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/en\/ciso-compliance-under-nis2\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-ciso-compliance-under-nis2-67286561-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Managed Security Services: CISO Does Not Bear Sole Liability<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Passkeys explained: how passwordless FIDO2 logins work, why they block phishing attacks, and how to make the switch seamlessly.","protected":false},"author":25,"featured_media":21801,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"passkey","_yoast_wpseo_title":"What Is a Passkey? Definition, How It Works, and Standards","_yoast_wpseo_metadesc":"Passkeys explained: how passwordless FIDO2 logins work, why they prevent phishing, and steps to adopt them effortlessly.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ein-passkey-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ein-passkey-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[263],"tags":[],"class_list":["post-21830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sicherheitslexikon-en"],"evm_reading_time_minutes":5,"wpml_language":"en","wpml_translation_of":21791,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=21830"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21830\/revisions"}],"predecessor-version":[{"id":21836,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/21830\/revisions\/21836"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/21801"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=21830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=21830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=21830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}