SnapAuth

Passkeys for your app. In a snap.

Get Started

How WebAuthn and passkeys work

SnapAuth is based on the Web Authentication (WebAuthn) standard. It offers enhanced security features compared to traditional sign-in methods like passwords and one-time codes, while also improving user experience.

For more about how we protect your data, read Security at SnapAuth.

Passkeys and WebAuthn—what's the difference?

WebAuthn is the protocol and set of APIs that allow using public-key cryptography to authenticate online. It allows a credential (specifically, an asymmetric keypair) to get registered on a service and verify signatures. On the web, this is under navigator.credentials and PublicKeyCredential; iOS uses ASAuthorization and Android leverages Credential Manager.

Passkeys are a specific way to use WebAuthn. They are credentials managed by devices, operating systems, and browsers. They offer cross-device synchronization and include dedicated user interfaces for secure usage, often relying on on-device biometrics for protection.

WebAuthn (and SnapAuth) supports other types of credentials, such as external hardware keys like YubiKeys.

In user interfaces, "passkey" is the preferred term for presentation to users.

Adding a passkey

When a user signs up for your site (or wants to add a passkey to their existing account), a cryptographic keypair is generated. The private key remains on the user's system, managed by the operating system, trusted platform module, or a physical hardware security device. The public key is sent to the browser APIs and stored by the service.

Each keypair is bound to the domain that it was created for, so most phishing attacks are impossible. And since the service only ever receives a public key, it being revealed is completely harmless. Should a data breach ever occur, the service has no important authentication data to leak.

Signing in with a passkey

During sign-in, the service generates a one-time-use challenge, which is cryptographically signed with the user's private key, along with additional data like the domain. The service verifies the signature using the previously-stored public key.

Successful verification provides cryptographic proof of the user's access to the corresponding private key, ensuring secure authentication. This process includes a "test of user presence" and optional user verification, typically enabled for biometric-enabled devices.

Passkey authentication can offer two-factor authentication in a single step, enhancing security while providing a faster and smoother user experience compared to traditional passwords.

No new software required

Users don't need to install any new apps to benefit from this - it's built in to the browsers and operating systems they're already using. This seamless integration allows for use on the web and within existing applications, eliminating the need for password managers or separate authentication apps.

They stay on your website or in your app, and the technology gets out of their way.

Try it today

While the concepts of public-key cryptography and digital signatures may seem complex, they form the cornerstone of internet security, offering robust protection and widespread adoption.

If this all sounds like a lot, SnapAuth is here to help. We take care of the hard parts for you, so you can continue focusing on what you care about most.

Sign up for free