How Passkeys Work, and Why They Kill the Oldest Scam Online
somewhere right now someone is typing a password into a page that is not the page they think it is. the letters look right, the logo is right, the little padlock in the address bar is even there. they hit enter, and the secret lands in a stranger’s hands. this has happened more times than anyone can count, and it is the shape of almost every bad day online, the drained wallet, the leaked photos, the company that emails to say sorry.
all of it traces back to one fragile idea, a secret a person has to know and has to send across the internet every time they want to prove who they are. now, quietly, on phones and laptops everywhere, that idea is being retired. a button, a fingerprint, a glance at the screen, and the door opens. the strange part is that the whole reason it is safer is a secret the device holds and never sends to anyone.
the secret that was always going to leak
the password was doomed from the start because it is a shared secret. the person knows it and the service knows it, so the service has to store something to check it against, and the person has to send something over to prove themselves. that creates two permanent weak points. the company can be breached and the stored secrets spill out by the million. or the human can be tricked into typing the secret into a fake page that looks exactly like the real one.
both happen constantly, at a scale most people never see. the entire account takeover economy runs on one fact, a secret that can be typed is a secret that can be fooled or stolen out of a person. the shape of the idea was the problem, and no amount of length or extra rules was ever going to fix it.
a padlock and the only key that opens it
here is what replaces it. instead of one shared secret both sides know, the device creates a pair of mathematically linked keys, one public, one private. the public key is like a padlock that can be handed out freely. the private key is the only thing that opens it, and it never leaves the device.
when a passkey is created for a site, the device keeps the private half sealed away and gives the site only the public half, a padlock and nothing more. a padlock on its own is useless to a thief, because there is no working backward from the lock to the key. so even when the company is breached, there is nothing in their files worth stealing. the secret that matters was never theirs to lose.
proving it without revealing it
so how does anyone log in without sending a secret across the wire. when a person returns to the site, it sends their device a fresh random challenge, a puzzle never used before and never again. the device uses the private key, the one that never left, to sign that puzzle, and sends back the signature, not the key.
the site checks the signature against the public padlock it already holds, and the math only works out if the puzzle was signed by the one matching private key. the holder has proved they possess the secret without ever revealing it. and because the challenge is brand new every time, a signature captured by someone watching the network is worthless a moment later. the prize is simply not on the wire anymore.
why the fake page stops working
the classic attack on the internet is the fake page. an attacker builds a perfect copy of a bank’s login screen, lures someone there with a convincing message, and the moment the password is typed it lands straight in their hands.
passkeys break this in a way a human never could. a passkey is bound to the real site’s actual address, and before the device signs anything it checks who is genuinely asking. if the page is a look alike sitting on a different address, even one off by a single character, the math refuses to run. there is no secret to be tricked into copying, because there is no typeable secret at all.
the deeper point is where the boundary moved. with a password the human is the boundary, and a human can always be tricked. with a passkey the device is the boundary, and it checks one cold fact, the exact address asking for proof. a chip cannot be flattered, hurried, or scared. an attacker would have to break the underlying math or steal the opened device, both far harder than one more fake login page. that single property removes the most successful attack on the internet.
where the key actually lives
so where does this private key physically sit. on modern devices it lives inside dedicated secure hardware, a small protected corner of the chip that the rest of the system, and the apps running on it, cannot freely read. the only way to open it is the same gesture that already opens the device itself, a fingerprint, a face, a screen code.
and here is the subtle part. that gesture never travels. the fingerprint is not sent anywhere, it just releases the local key, right there on the device. the biometric stays on the phone, the key stays on the phone, and only a short signed proof ever leaves. that is why a breach on the far side of the internet cannot touch the key. there is nothing remote to break into.
the sync tradeoff
now a fair worry. if the key only lives on one device, what happens when it falls in a lake, or gets stolen, or is replaced. many passkeys today are synced, copied in encrypted form through the account that ties a person’s devices together, so a new phone can quietly inherit them.
that is convenient, and for most people the right trade. but it moves a slice of the trust onto whoever runs that sync. the copy is encrypted, but the platform now sits somewhere in the chain. there is also a stricter version, where the key never leaves a single piece of hardware, chosen by those who want maximum assurance and accept no easy backup. syncing is a deliberate choice with a real trade behind it, not a free lunch.
what a passkey does not hide
here is the boundary worth stating plainly, because it is so easy to overclaim. a passkey makes a person almost impossible to phish, and it removes the password as a thing that can be stolen from a database. it does not make anyone anonymous. the moment someone signs in with one, they have told that service exactly who they are. that is the entire point of logging in.
a passkey proves the right person is at the door. it does not hide that the door was used, or who walked through it. all the tracking, the device fingerprinting, the profiling this channel takes apart constantly still applies to a signed in account. passkeys were never trying to solve the privacy problem, and confusing the two leads people to trust a passkey for a safety it does not provide.
the recovery soft spot
the people who study this for a living point to one honest weakness, and it is not the cryptography, which is rock solid. it is recovery. if someone loses every device they own, the system still needs some way to let the real person back in, and that fallback path instantly becomes the softest part of the whole design.
if it quietly drops back to a texted code, or a link sent to an email account protected by an old password, then an attacker who compromises that one weaker channel has found a way around the strong key without ever touching it. this is the pattern across all of security. the strong front door is almost never the way in. it is the side door, the forgotten window left open out back. that is where careful defenders now spend most of their attention.
phishing did not die, it moved
so it pays to be clear eyed about what really happened. passkeys did not end fraud. they moved it. the attackers who used to harvest passwords now lean harder on recovery flows, on tricking people during the vulnerable moment of setting up a new device, on push fatigue, where a target is nagged with approval prompts until they finally tap yes just to make the buzzing stop.
when one door is sealed tightly, the pressure does not vanish. it flows, like water, to the next weakest opening it can find. the real value of a passkey is that it permanently closes the single most exploited door on the internet. the work that remains, and there is real work, is guarding the smaller doors clustered around it.
the secret finally stopped travelling
the deep change underneath all of this is quiet. for half a century, proving who you are online has meant taking something you know, sending it across a network you do not control, and hoping nobody grabbed it in transit or fooled you into handing it over. a passkey breaks that ancient bargain. the secret stays put, locked in the hardware in a person’s hand, and only a fresh, single use, otherwise useless proof ever leaves.
that is the shape this channel keeps finding. not one clean trick that settles everything, but a stack of imperfect pieces holding a line, a key that never moves, a proof that expires the instant it is used, and a cluster of smaller doors that still need watching. after decades of breaches and stolen logins, the password is finally being shown the exit, under a small button most people tap without a thought.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.