How Passkeys Work - Computerphile

Computerphile
Education | 3 min read | 20 min video
Dec 22, 2025 | 418,192 views | 15,867 | 1,721

TL;DR

Passkeys log you in with public-key cryptography instead of a password; losing the device that holds the private key is still a risk.

Key Insights

1. Passkeys replace passwords with a private key held in an authenticator and a corresponding public key stored by the site.
2. The login flow involves three roles, the relying party (RP), the client and the authenticator, which together produce a signature over a fresh challenge bound to a specific site.
3. Context binding and origin checks prevent a signature from being reused on another site and defeat phishing pages that try to relay the login.
4. Passkeys are not universally portable across devices, and user verification (PIN or biometric) is required for the security guarantees to hold.
5. While they remove many password problems, a complete replacement of passwords depends on broader adoption and on recovery flows that do not fall back to a password.

WHAT IS A PASSKEY?

Passkeys replace the password prompt with a digital signature produced by a private key held in an authenticator (the device itself, a hardware security key, or a phone). The website stores the corresponding public key and, at each login, sends a fresh random challenge for the authenticator to sign. The signature proves possession of the private key without ever revealing it. Each signature is bound to the site that requested it, so it cannot be reused elsewhere, which removes the main lever of phishing. The scheme also aims to make logging in simpler by avoiding manual password entry altogether.

PUBLIC-KEY CRYPTOGRAPHY AT A GLANCE

Public-key cryptography uses a pair of keys: a private key that only the user's authenticator controls and a public key that can be shared freely. A signature created with the private key can be verified with the public key, proving control of the private key without revealing it. In the passkey flow this signing step replaces password verification; because each login signs a fresh, server-chosen challenge, a signature captured in transit is useless for a later login and cannot be forged without the private key.

ROLES: RELYING PARTY, CLIENT, AUTHENTICATOR

Three components drive the flow: the relying party (RP) is the website or service you are authenticating to; the client is the browser or platform software that sits between the RP and the authenticator and checks that the request matches the page's origin; the authenticator stores the private key and performs the signing operation. The RP stores only the public key, while the authenticator holds the private key, giving a modular system that works with built-in platform authenticators, USB security keys, or a phone acting as an authenticator.

HOW CREDENTIALS ARE GENERATED AND BOUND

When you first set up a passkey (registration), the RP sends your client a challenge together with its RP ID (its domain) and user details. The client passes these to the authenticator, which creates a new key pair, assigns it a credential ID, and returns only the public key, which the RP stores against your account. During login (authentication), the RP sends a fresh challenge; the client wraps the challenge and the page's origin into the client data; the authenticator signs that client data together with a hash of the RP ID using the private key; the RP verifies the signature with the stored public key and checks that the challenge, origin and RP ID are exactly the ones it expects.

WHY PASSKEYS MATTER

Passkeys address the usual password failures: nothing is typed, so nothing can be shoulder-surfed or keylogged; no secret is shared with the server, so a breach of the site's database yields only public keys; and there is no reusable secret for credential stuffing to try against other sites. Replay is prevented by requiring a fresh challenge for every login and by including the origin in the signed data, so a signature cannot be reused on a different site or at a later time. Biometric or PIN verification on the authenticator adds a check that the person holding the device is its owner. Overall, passkeys aim to be both easier and safer than passwords, and could replace them in the future.

CHALLENGES AND LIMITATIONS

A major hurdle is portability: a passkey tied to a single device or authenticator does not work on another device unless a roaming authenticator (such as a hardware security key) or a cloud-synced passkey store is used. Losing the device means a recovery path is needed, and today that path often still relies on a password, which brings the old weaknesses back through the side door. Widespread adoption also requires user education and ecosystem support across browsers, operating systems and services. The video notes that while promising, passkeys are not yet a universal, drop-in password replacement.

Passkeys: Do's and Don'ts

Practical takeaways from this episode

Do This

Use passkeys on sites that support WebAuthn to remove the password, and with it the password-reuse risk, for that account.
Enable user verification (PIN or biometrics) on your device so that possessing the device alone is not enough to sign in.
Keep your authenticator and devices secure, and back up or sync credentials where the platform allows it so that a lost device does not lock you out.

Avoid This

Don't rely on passkeys alone if you could lose the device holding them without a backup or a registered second authenticator.
Don't assume phishing is impossible: the browser enforces the domain binding for the passkey itself, but still check the site URL, because fallback and recovery flows (such as a password or one-time code prompt) get none of that protection.

Common Questions

Passkeys replace passwords with public-key cryptography: the site sends a fresh challenge, your authenticator signs it with a private key that never leaves the device, the site verifies the signature with the stored public key, and you are granted access. No shared secret is held by the server for an attacker to steal, and because the signature is bound to the site's origin a phishing page cannot reuse it.
