Devii · Backend · 2026-06-26 · 9 min read
Passkeys And WebAuthn: Phishing-Resistant Sign-In With FIDO2
How public-key credentials work in browsers and on mobile, and what relying parties must implement.
**Passkeys** are user-facing credentials based on **FIDO2** and the **Web Authentication API (WebAuthn)**, W3C standards implemented in major browsers and mobile OS platforms. Instead of a shared password stored on a server, the device holds a private key and signs challenges from the **relying party** (your site or app).
Registration creates a **credential ID** bound to your domain (or app package). Authentication sends a challenge; the authenticator returns a signed assertion verified with the stored public key. Phishing sites cannot complete the ceremony for your real domain because the platform checks **origin** and **rpId**.
Synced passkeys (platform account backup) and device-bound security keys serve different threat models. Document recovery flows for account loss and support hardware keys for high-assurance roles.
Implementation references: `webauthn.guide`, FIDO Alliance docs, and platform guides from Apple, Google, and Microsoft. Passkeys complement, not replace, MFA policies for sensitive admin surfaces.