WebAuthn credential synchronised across devices, replacing passwords.
Passkeys are the UX-friendly evolution of FIDO2/WebAuthn, launched in 2022 by Apple, Google and Microsoft (a FIDO Alliance collaboration): cryptographic credentials synchronised across devices via cloud password managers (Apple iCloud Keychain, Google Password Manager, 1Password, Dashlane, Bitwarden). They replace passwords with both better security AND better UX.
Mechanism:
(1) The user registers a passkey on a website/app: a private key is generated in the device's secure element (Apple T2/Secure Enclave, Android StrongBox, Windows TPM).
(2) The private key is encrypted (under the user's iCloud/Google account) and synced to the same user's other devices.
(3) Login from any synced device: Touch ID/Face ID/Windows Hello unlocks the passkey, which signs the server's challenge; the user is authenticated.
(4) Cross-device login via Bluetooth and QR code (Hybrid Transport): the desktop shows a QR code, the phone scans it, then the phone unlocks the passkey and signs.
Versus traditional (device-bound) WebAuthn: (1) synced passkeys are convenient but place trust in the cloud; (2) device-bound credentials (e.g. YubiKey) never leave the device, are more secure but require backup keys. It is a security-vs-UX trade-off; synced passkeys are sufficient for the vast majority of consumer scenarios.
Strengths vs passwords:
(1) **Phishing-resistant**: origin binding prevents a fake site from capturing a usable credential.
(2) **No breach risk**: the server stores only public keys, which are useless if leaked.
(3) **No reuse**: unique per site, automatically.
(4) **No typing**: biometric unlock, instant.
(5) **Cross-device**: works seamlessly on phone, tablet and laptop.
(6) **Strong by design**: high-entropy keys, cannot be "weak".
User-facing UX flow: (1) Sign up: "Create passkey" → Touch ID prompt → done; (2) Sign in: email entered (or autofilled) → Touch ID → done; (3) New device: sign in → "Use phone to authenticate" QR code → scan → Touch ID on phone → desktop authenticated.
Major adoption in 2024:
- **Apple**: iCloud Keychain passkeys since iOS 16. Apple ID passkey support.
- **Google**: Google Password Manager passkeys since Android 14. Google account passkey default for new sign-ups in 2024.
- **Microsoft**: Authenticator app passkeys in 2024.
- **Services**: GitHub, Adobe, eBay, Best Buy, Coinbase, PayPal, Robinhood, Shopify, Stripe, TikTok, Uber, WhatsApp, X/Twitter.
Current limitations: (1) cross-ecosystem sync is limited (Apple ↔ Google are not synced directly); use a third-party password manager for cross-platform use; (2) account recovery when locked out of the password manager is challenging; (3) a learning curve for elderly/non-technical users. But the trajectory is clear: passwords are becoming legacy. Skills: SC-300, Security+.