IT Glossary

Passkey

A passkey is a phishing-resistant credential that replaces passwords using FIDO2 and WebAuthn. Learn how passkeys work and why adoption is accelerating.

June 8, 2026

A passkey is a phishing-resistant digital credential that replaces a password, based on the FIDO2 and WebAuthn standards. It uses public-key cryptography: a private key stays securely on the user's device while the matching public key is registered with the service. The user authenticates with a biometric or device PIN, and no shared secret is ever transmitted, which makes passkeys resistant to phishing and credential theft.

How passkeys work

During setup, the device generates a key pair for the service.
The private key never leaves the device (or its secure cloud sync), and the public key is stored by the service.
At login, the service sends a challenge.
The device signs the challenge with the private key after a biometric or PIN check.
The service verifies the signature with the public key and grants access.

Examples and use cases

An employee registers a passkey for the company IdP, then signs in across connected apps with a face scan, no password and no separate code. Because passkeys are bound to the legitimate domain, a fake login page cannot capture anything reusable. The governance angle for IT is the same as for any credential: knowing which identities and devices are enrolled, and ensuring offboarding revokes them cleanly.

Passkey vs password

Passkey vs Password

Dimension	Passkey Recommended	Password
Secret shared with server	No — public key only	Yes (hash of the secret)
Phishing resistance	Strong, domain-bound	Weak
User action	Biometric or PIN	Typing and recall
Reuse risk	None	High

Related concepts

Passwordless Authentication and Multi-Factor Authentication (MFA)
Single Sign-On (SSO)
Live article: Trends in identity and access management for 2025 and beyond
Live solution: Corma for IT teams

FAQ

Is a passkey the same as a password manager?

‍No. A password manager stores passwords. A passkey replaces the password entirely with a cryptographic key pair.

Are passkeys phishing-resistant?

‍Yes. A passkey is bound to the legitimate domain and never reveals a reusable secret, so fake sites cannot capture usable credentials.

Can passkeys sync across devices?

‍Yes. Many platforms sync passkeys securely through the user's account, while hardware keys keep them device-bound for higher assurance.

Corma gives IT and security teams visibility and control over identities across every connected app. Explore Corma for IT teams or request a demo.