Devii · Backend · 2026-06-26 · 9 min read

Share

Passkeys And WebAuthn: Phishing-Resistant Sign-In With FIDO2

How public-key credentials work in browsers and on mobile, and what relying parties must implement.

**Passkeys** are user-facing credentials based on **FIDO2** and the **Web Authentication API (WebAuthn)**, W3C standards implemented in major browsers and mobile OS platforms. Instead of a shared password stored on a server, the device holds a private key and signs challenges from the **relying party** (your site or app).

Registration creates a **credential ID** bound to your domain (or app package). Authentication sends a challenge; the authenticator returns a signed assertion verified with the stored public key. Phishing sites cannot complete the ceremony for your real domain because the platform checks **origin** and **rpId**.

Mobile biometric unlock flow
Mobile biometric unlock flow

Synced passkeys (platform account backup) and device-bound security keys serve different threat models. Document recovery flows for account loss and support hardware keys for high-assurance roles.

Implementation references: `webauthn.guide`, FIDO Alliance docs, and platform guides from Apple, Google, and Microsoft. Passkeys complement, not replace, MFA policies for sensitive admin surfaces.