Passkeys are a new, more secure, and user-friendly alternative to traditional passwords, designed to replace them entirely and significantly reduce reliance on other authentication factors, particularly phone numbers for SMS-based One-Time Passwords (OTPs). They are built on open standards developed by the FIDO Alliance (Fast IDentity Online) and use public-key cryptography.
How Passkeys Work:
Instead of a memorable string of characters (password) or a code sent to your phone, a passkey involves a cryptographic key pair:
Creation: When you create a passkey for an online service, your device (e.g., smartphone, laptop) generates a unique pair of cryptographic keys: a public key and a private key.
The public key is sent to and stored by the online service (e.g., Google, Apple, Microsoft, or any website supporting passkeys). This key is harmless if compromised.
The private key (the actual "passkey" secret) is securely stored on your device's hardware, often within a secure enclave (like a Trusted Platform Module or secure element in a phone's processor) and never leaves your device.
Authentication: When you want to sign in:
The service sends a unique "challenge" to your device.
Your device uses its stored private key to cryptographically sign this challenge. This step requires you to unlock your device using your familiar method (fingerprint, face recognition, PIN, or pattern).
The signed challenge (not your private key) is sent back to the service.
The service uses your stored public key to verify the signature. If the signature is valid, it confirms that the request came from your legitimate device, and you are authenticated.
This entire process happens securely in the background, often taking just a tap or a glance.
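The registration and challenge-response flow described above, modelled end to end in Go. This is an added example, not code from the original post or from any FIDO/WebAuthn library: the relying-party ID "bank.example" is hypothetical, and the signed digest is a simplified stand-in for WebAuthn's real authenticatorData || SHA-256(clientDataJSON). It shows why the public key is safe to store server-side, why a passkey cannot be used on a look-alike site, and why a captured signature is useless against a fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the device side: the private key never leaves it and is bound to one rpID.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// RelyingParty is the service side: it stores only the public key, harmless if leaked.
type RelyingParty struct {
	ID  string
	pub *ecdsa.PublicKey
}

// Register generates the key pair on the device; only the public key goes to the service.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID, priv}, &RelyingParty{rpID, &priv.PublicKey}, nil
}

// digest binds site and challenge, like WebAuthn's authenticatorData (with SHA-256(rpID)) || SHA-256(clientDataJSON).
func digest(rpID string, challenge []byte) []byte {
	rpHash, chHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(rpHash[:], chHash[:]...))
	return d[:]
}

// Sign runs on the unlocked device; origin is the site the browser is really on, so a look-alike never gets a signature.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("no passkey registered for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(a.rpID, challenge))
}

// Verify runs on the service with nothing but the stored public key and the challenge it issued.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, digest(rp.ID, challenge), sig)
}
```

In a real deployment the challenge is a fresh random nonce per login and the browser, not the caller, supplies the origin; both are what make the flow replay- and phishing-resistant.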
How Passkeys Reduce Reliance on Phone Numbers for Authentication:
Passkeys directly address the vulnerabilities and inconveniences associated with phone number-based authentication methods like SMS OTPs, thereby significantly reducing the need for them:
Elimination of SMS OTPs: The most direct impact is the removal of the need for an SMS OTP as a second factor. Passkeys provide a phishing-resistant, cryptographically strong authentication method that can often act as a standalone primary authentication factor, inherently incorporating a "something you have" (your device with the passkey) and "something you are/know" (your biometric or PIN to unlock the device). This makes the separate sending of an OTP to your phone number redundant for many authentication flows.
Resilience to SIM Swap Attacks: SMS OTPs are highly vulnerable to SIM swap fraud. If an attacker manages to port your phone number to their SIM, they can intercept all incoming SMS, including OTPs for your bank accounts or other services. Passkeys are tied to your specific device's secure hardware, not your phone number. Even if your phone number is SIM swapped, the attacker won't have access to the private key stored on your original device, making it impossible for them to authenticate using your passkey.
Resistance to Phishing and Smishing: Attackers often use phishing websites or smishing (SMS phishing) to trick users into entering their passwords and then their SMS OTPs. Passkeys are inherently phishing-resistant because they are tied to the specific website or application they were created for. Your device (browser or operating system) will only offer to use a passkey for the legitimate site. You cannot be tricked into using your passkey on a fake website, as the cryptographic exchange will fail. This bypasses the most common vectors for stealing phone number-based OTPs.
No Network Dependence for OTP Delivery: SMS OTPs require reliable cellular network connectivity. If you're in an area with poor signal, or if there's a network issue, you might not receive the OTP, locking you out of your account. Passkeys rely on your device's internal capabilities and internet connectivity for the initial communication with the service, but the core authentication (unlocking the passkey) happens locally on your device, not via an SMS network.
Enhanced User Experience: Beyond security, passkeys offer a much smoother user experience. Users no longer need to remember complex passwords or wait for an SMS code to arrive, reducing login friction and improving overall usability.
Major technology companies like Google, Apple, and Microsoft are actively pushing for the adoption of passkeys across their platforms and services. As more websites and applications implement passkey support, the reliance on phone numbers solely for authentication (especially via SMS OTPs) is expected to significantly decrease, leading to a more secure and convenient digital authentication landscape.
What are "passkeys" and how do they reduce reliance on phone numbers for authentication?