More questions about this stuff? Read on.
- What is this garden?
- What are passkeys?
- OK, but how are they actually more secure?
- Do I have to re-setup passkeys on each device!?
- Can I synchronize/share my passkeys between DIFFERENT password managers?
- Isn't there already an "official" icon for passkeys?
- Why not ___ for an icon?
- I'm a developer, how can I use passkeys?
-
What is this garden? 🔗 ▲
This tool is a simple playground to explore possible improved branding/UX around biometric passkey (FaceID, TouchID, etc) authentication for web sites/apps.
You can think of this site as a living style-guide for passkeys.
The icons (A, B, etc) shown are candidates for a single unified icon to represent passkey account registration and login. We, the community, should decide what icon we want to standardize on. Your input is welcomed!
The ideal icon will feel universal, render well in various sizes and color schemes, promote security/trust, and adequately communicate to all (even non-technical folks), whether they've used Face ID, Touch ID, or other similar biometric factors to unlock their devices.
But this site is about more than icons. The goal here is to collectively decide on best practices for the entire experience of passkeys, including their design, text -- heck, even the name "passkeys". Eventually, this garden should stabilize as the style guide we can all aim to standardize on.
This can't be dictated to the community. We can't just say, here's the icon, here's the text, etc. We all need to participate and help in the decision making. This site kicks off that community-wide discussion, instead of leaving it to specification groups or vendors to decide for us.
Why "Garden"? Put simply, the style customization experience here is inspired by the design customization of CSS Zen Garden.
-
What are passkeys? 🔗 ▲
Passkeys are the next-generation standard for logging in -- no passwords, no hassle.
Just like you unlock your device with your face or fingerprint, passkeys let you do the same to log into websites and apps -- same security and trust, just expanded to more places.
- Stronger security – Passkeys can't be guessed or phished, and there is no shared secret on the server for a breach to leak.
- Faster login – A single click + your fingerprint or face = instant access.
- No more passwords – No typing, no remembering, no frustration.
Big players like Apple, Google, and Microsoft are already backing passkeys as the future of login security. You've probably already used them without realizing it!
Want to learn more? Apple on Passkeys | Google on Passkeys
-
OK, but how are they actually more secure? 🔗 ▲
Technology always claims it's able to solve our security issues. But in the end, the weakest link is always the human, because:
- we can all too easily be tricked (aka, phished!) by sophisticated scammers who build a site that looks just like our bank's, AND register a very plausible-looking domain/URL that convinces you it must be your bank. Then there's the social engineering: calling you on the phone pretending to be customer support, sending you an SMS code you need to read back to them, and so on. It's a never-ending string of social engineering tricks, so they don't even have to steal our secrets; we hand them over ourselves.
- we are lazy, unsophisticated, and worn down by password fatigue, so we come up with one good password (or maybe a not-so-good one) and reuse it over and over again.
- we choose convenience over security, every single time. We only "pick" security when there's no choice and it's forced on us.
So, why on earth are passkeys going to be any different? Is this just another vendor lock-in hype cycle?!?
Nope. Passkeys really DO fix this mess for the login step. They really are the future, and they really are phishing-resistant by design. But how?
Two key things about passkeys that maybe you didn't know...
-
Even if a scammer tricks you into believing you should hand your account credentials over to them, you can't actually do it. Even if you really want to give them the secret, there is nothing for you to read out or type.
A passkey's secret (a private key) is generated inside a protected part of your device (a secure chip, or the OS's credential store) that even YOU can't read out of. The key is created there and, for a device-bound passkey, never leaves. It's a security black box. (Synchronized passkeys, covered below, relax this a bit.)
Passkeys shift the security/trust mechanism from the server to the client. The server doesn't need your secret to let you into your account; it only stores the matching public key, which is useless to anyone who steals the server's database. It only needs to know for sure that you can still use (but not share!) your secret.
The server sends a random, one-time question (a challenge). Your browser asks the device to prove who you are with biometrics (face, fingerprint, etc) or your device PIN. Once that passes, the challenge (plus the site's identity) is sent into the black box, and your private key produces an answer (a digital signature) that only that key could have produced, using special math called "public-key cryptography". No, that's NOT the "crypto" of cryptocurrency (Bitcoin, etc) you've heard of!
That signature is sent back to the server, which checks it with the public key it stored when you registered, against the exact challenge it issued. If it checks out, you're let into your account. Boom, that's it!
And the important part is, that signature is of no use to anyone except the actual server that asked the question. Even if a scammer/hacker got hold of it, they can't replay it later (the challenge is one-time), and they can't use it anywhere else (the site's identity is signed into it). They can't generate any new signatures from it either, because a signature reveals nothing about the private key.
Again, put simply: the scammer/hacker can't get your actual secret because even you can't get at it to give it to them. Your secret stays hidden, and can only be used by your device, after your biometric (or device PIN) check passes. For the login step, this is about as secure as it gets.
-
Now, the second piece of the puzzle. You create this secret and store it securely on your device. But what if you get tricked into trying to use this secret by a "man in the middle" attack, where another server shows you a site that looks exactly like the site you want to login to? Can't they then piggyback off your legitimate session and do nefarious things in the background while you do your legitimate stuff?
Again, nope! You're safe. The passkey you create is bound to the site's identity (its domain, which WebAuthn calls the "relying party ID"), and the browser also records the exact origin (scheme, host and port) of the page in every signed response. It can never be used for a different domain, no matter how much the page might look like the same site.
No matter how tricked you as a human may be, your browser/device will never let you use your passkey on a different site than the one you registered it with. Period. Unlike passwords, passkeys are locked to their site, so a scammer/hacker cannot come along and sneak in between later.
Oh, but... what about the scammer/hacker that tricks you from the very beginning? If they are the middle man all along, they have you completely compromised, right?
Again, nope. When the passkey is first registered, the browser records the origin of the page that requested it and signs that origin into the registration response, just as it does into every later login response. The passkey itself is bound to that site's domain.
In short, the server can always tell that a response came from a different domain than its own, and reject it, even at the very first sign-up. Your bank's server would never accept such a registration.
In short, passkeys protect the login step even when you yourself slip up. (They don't replace care everywhere else: a "forgot password" or account-recovery flow that falls back to email or SMS can still be phished, and malware on an already unlocked device is a different problem.)
-
Do I have to re-setup passkeys on each device!? 🔗 ▲
When you register an account using a traditional password, you can usually login to that account immediately, from any device, as long as you remember and enter that password. That's clearly a desired and expected convenience!
So how does this work in the world of passkeys, since they seem to be more locked to each specific device?
The SHORT ANSWER is: a passkey that lives only in one device's secure hardware (a "device-bound" passkey) DOES have to be set up separately on each device you use. This is the most secure approach, but it requires a bit more upfront effort to use your passkeys cross-device.
But the good news is, Google, Apple, and popular third-party password managers offer passkeys that are synchronized across your devices through the provider's cloud. There are tradeoffs to that approach, though.
Want the LONGER, DETAILED ANSWER?
At its core, passkeys shift the work of proving identity from the server (checking a password) to your device (checking your biometric or PIN, then signing the server's challenge). The private key is generated on the device, and a device-bound passkey never leaves it; that is what makes such passkeys inherently per-device.
If someday you have 50 different online accounts setup with passkeys, and you want to access all those accounts from each of your three devices (phone, tablet, laptop), YES, you will have to setup 50 account passkeys on EACH device, meaning you'll have to setup 150 unique passkeys.
That might not sit well with you. Think about the extra effort it will require on your part. You might immediately recoil in dislike of that prospect.
Now, reality check: passkey setup is generally one or two clicks, plus showing your face or fingerprint. It's really not much, and only takes a few seconds. It's usually far quicker than traditional password-based account setup.
That said, most people will not be enthusiastic about repeating account passkey setup on each of their devices.
Per-device passkeys are the new gold standard for account security, but there's no question that it will be a bit less convenient in the multi-device setup scenarios. That friction is a necessary difficulty from a security perspective. But as pointed out above, when given the choice between convenience and security, most everyone chooses convenience, most every time.
So what do we do? Swear off passkeys and go back to insecure passwords?!?
Google and Apple know this reality, acutely. And since these two companies control the vast majority of devices (especially mobile), and indeed the two largest software ecosystems in the world, they're in a meaningful position to strike a robust balance between security and convenience. So they've moved forward with a compromise.
Google (via Android, and the Chrome browser) provides the Google Password Manager. You've likely already used it to store your passwords, credit cards, and other personal info, all conveniently cloud-synchronized to all your devices. Apple's iCloud Keychain does the same thing for your iPhone, iPad and Mac.
Both of these mechanisms now support setting up and synchronizing passkeys across your devices, in much the same way.
Honestly, that's fantastic news! The security of passkeys, with the convenience of automatic cross-device synchronization. Win-win!
Of course, it is a compromise. Such passkeys can be synchronized because the private key is not locked inside one device's secure hardware the way a device-bound passkey's is. Instead, an encrypted copy of the key is stored in your Google or Apple account and pushed to each of your signed-in devices.
Google and Apple both say they store this information securely. They don't store any of your biometrics on their servers: your face or fingerprint only unlocks the local copy on your device. The synced copy is end-to-end encrypted with keys held by your devices (and protected by your device passcode), and Google and Apple store only that encrypted blob.
So to be clear: ONLY YOU can unlock and use that secret, by passing your biometric (or passcode) check on one of your devices. The provider can't do anything with your encrypted secrets without you. They're holding ciphertext they can't read, which is what "end-to-end encryption" means (vendors sometimes market this as "zero-knowledge" encryption).
But yeah, they're storing some meta information, like what site and username/email you used to setup each passkey. Is that "tracking" you? A little bit, yes. Certainly more so than if you used a per-device passkey without any cloud synchronization (and thus no tracking).
And, a lesser but not unimportant concern: getting your passkeys onto a new device, or recovering them if you lose one, depends on the cloud account. The copies already on your device keep working offline, but if the service were unreachable when you need to set up a new device, or you were locked out of your Google or Apple account for some reason, you could lose access to your passkeys for all your other accounts. For the accounts that matter most, keep a second way in (a hardware security key, or recovery codes stored safely).
You should think very carefully about how you feel about this compromise. There's no "free lunch" here. Your account security is important, and passwords are no longer a sufficient and durable system for protection. Passkeys are the better solution. But with that extra security, there's a choice to be made: are we going to take our own responsibility (and effort), or are we going to choose the convenience and offload that to Google or Apple?
We can't make that choice for you. That's up to you. But at least you're better informed now, so your choice will be more responsible and appropriate.
-
Can I synchronize/share my passkeys between DIFFERENT password managers? 🔗 ▲
As mentioned in the previous question, passkeys can be synced through Google Password Manager and Apple's iCloud Keychain. But what about exchanging my passkeys across these ecosystems? And what about using other password managers?
This is an emerging field, so information is subject to change. But, the good news is, the main players in this space are indeed working on this capability. In particular, the FIDO alliance is working on a set of specifications for credential exchange, where you will have more portability and interoperability of your passkey synchronization.
If this is an area you're specifically interested in, you might consider getting involved by providing feedback on those draft specifications.
Popular third-party password managers, such as Bitwarden, 1Password, and Dashlane, are all actively adding passkey support, including passkey synchronization and exchange capabilities. Of course, the same concerns shared in the previous section, about the tradeoffs of the security/convenience compromise, apply. Think carefully about this choice.
-
Isn't there already an "official" icon for passkeys? 🔗 ▲
Eh, kinda, but not really. The FIDO Alliance has an icon it presents as the official passkey icon, and indeed it's used (and remixed/re-interpreted) in various places.
However, FIDO's icon is trademarked, and has some fairly strong guidelines/requirements for its usage. As far as we're concerned, that's not best for widespread adoption.
Also, we feel design-wise that icon is lacking -- it reads as "my body is the key" -- and that doesn't promote the ideal balance of clarity and trust, especially for non-technical folks.
Ideally, a good icon for this purpose will fit people's typical mental model of what's happening. When non-technical folks are asked about unlocking their device with their face or finger, they don't typically think something like, "my body's unique biologic characteristics are the key that unlocks the device". Yes, that's literally what's happening, but it's not how people think about it.
Instead, they tend to think of it more like, "my device recognized me and unlocked". The "device recognized me" semantic is a much stronger design inspiration than "my body is the key".
We should lean in that direction when designing a universal icon for passkeys, since we want everyone to feel more naturally trusting of the mechanism.
-
Why not ___ for an icon? 🔗 ▲
There's already been quite a few ideas on icons for this purpose. We're grateful for all ideas, but not all ideas are suitable for the goals here.
Why not an icon with ONLY a fingerprint? Because a lot of users have newer iPhones that only offer Face ID, and many have never used their fingerprint to unlock their device! Similarly, many Windows users have only ever used Windows Hello face unlock. But by contrast, millions of Android users have only ever unlocked their devices with their fingerprint (the Android equivalent of Touch ID).
Further, it seems a commonly held impression of many (especially younger) iOS users that "fingerprint" unlock is only on "older" iOS devices, since Apple used to ship Touch ID on iPhones and later switched them exclusively to Face ID. We should be wary of leaning on an icon design that evokes this negative ("older") association.
The point? We need an icon that NEITHER assumes only fingerprint or face.
FIDO notably skips both in their icon -- instead using a generic key and a head/shoulders profile -- but... we think we can do better.
Also, clever ideas, such as an oval with one half side as a fingerprint and the other half side as a face, seem really good conceptually, but in execution lack legibility or recognizability when the icon is rendered small (under 30px square).
Icon design is a really tricky skill & art. It's much harder than logo design!
If you have ideas you think will execute better on the goals and vision here, please let us know! Preview your icon by uploading to the garden (only in browser), and then share screenshots with us of what it looks like. Your icon might just be chosen by the community as the preferred standard!