Are passkeys based on biometrics?

[00:00] Imagine this. [00:01] A user comes to your site and they're prompted to set up a passkey. [00:04] The next time they visit your site, they can sign in with just a tap of their finger or a scan of their face. [00:10] Does that mean that your site is now doing biometric authentication and handling biometric data? [00:15] No. [00:16] Let's talk about how passkeys really work and how biometrics is and isn't related. [00:25] Welcome to Passkeys Explained. [00:27] It's PassKeys week, and as part of that, we're really excited to be starting this new series where we answer some common questions about using and implementing PassKeys. [00:37] We'll be releasing a series of short videos like this one over the coming weeks, [00:40] So keep an eye out if you're keen to catch them all. [00:43] Today, [00:44] I want to explain the basics of how passkeys work and how biometrics work alongside them to provide extra security. [00:51] But first... [00:52] What even is a passkey? [00:54] It's like a password, but better. [00:57] You can use it to log into your favorite sites and apps, just like with a password, but in a safer and easier way. [01:03] Under the hood, it's a public-private key pair. [01:07] Now, unlike with passwords, you don't need to choose between remembering a passkey or saving it somewhere. [01:12] It's generated for you and is always unique for every site you use. [01:17] The passkey is always stored on your behalf and then retrieved when necessary. [01:22] It can be stored in a Passup Manager, on your device, [01:25] or on a physical security key, and the best part is you get to choose which. If you're not sure what to choose, we strongly recommend a password manager that syncs your password keys to all of your devices like Google password manager.

[01:37] When you go to sign in, you'll often be prompted to prove it's really you. [01:41] This can be with your fingerprint, face or a screen lock. [01:45] It's important to know that your biometrics, like your fingerprint or face, never leave the device and aren't shared with the website. [01:51] This check is happening entirely locally and is something that the Parsub Manager is requiring before it accesses the passkey to help you sign in. [01:59] This provides an additional layer of security on top of the passkey, making sure that nobody else can sign in as you, [02:05] even if they have access to your device. [02:07] So if biometric data isn't being sent around, what is? At a technical level, a passkey is a term we use to refer to the private key of a public-private key pair created for a specific combination of a website and account. [02:22] Once the password manager is sure that it's you, it doesn't send the password key to the website. [02:27] Instead, it does a calculation with the passkey and sends the result to the website, proving that it has the right passkey. [02:34] Remember that pass keys are really public private key pairs. So the pass up manager is just using the private key to sign a payload that gets sent to the website. [02:43] The website can use this payload and the associated public key to finish the sign-in. To reiterate, the passkey and biometric data never left the device. [02:52] Users can rest assured that there's no risk of biometric data being leaked, sold for profit, or being used to track them. [02:59] To summarize, biometric authentication is only a small part of using passkeys, and there are even cases where it isn't involved at all. [03:07] Public Key Cryptography is the real champion and deserves the credit for the benefits Passkeys can provide.

[03:14] To find out more about Passkeys Week, check the link in the description. [03:18] Thank you.