Passkeys (WebAuthn)
Passkeys are the most secure consumer-facing authentication that exists. They are also the easiest to use. That is rare — usually security and convenience pull in opposite directions. Passkeys break the trade-off because they are built on a fundamentally different idea than passwords.
This page explains, plainly, what a passkey is, what makes it work, and how Dashify uses them.
The two-line definition
A passkey is a cryptographic key pair stored on your device. When you sign in, the platform sends a challenge; your device signs the challenge with the private key; the platform verifies the signature with the public key it has on file.
You never type anything. The device authorises you (with a fingerprint, a face scan, or a PIN), the device signs, the platform verifies. No password ever exists in the system.
Why this is better than passwords
A few comparisons:
| Passwords | Passkeys |
|---|---|
| Stored on a server, can be leaked | Stored on your device, server only has the public key |
| Phishable — a fake login page can capture them | Bound to the website's domain, fake sites cannot use them |
| Reused across sites | Unique per site by design |
| Often weak | Always strong (256 bits of entropy) |
| User has to remember | User does not even know the key |
| Vulnerable to brute force | Cannot be brute-forced |
The core insight is that passwords are shared secrets — both sides know the same value, so either side can leak it. Passkeys are asymmetric — only the device knows the private key. Even if Dashify's database is fully exfiltrated, the attacker gets a list of public keys, which are useless for impersonation.
How the device protects the key
When you create a passkey, the actual private key is generated and stored inside a secure enclave on your device — special hardware designed to keep keys safe even from malware running on the same machine.
- On a Mac with Touch ID, the key lives in the Secure Enclave coprocessor. Even macOS itself cannot read the key directly.
- On an iPhone, the key syncs through iCloud Keychain end-to-end encrypted, so it is available across your Apple devices.
- On Android, the key lives in the Trusted Execution Environment.
- On Windows, Windows Hello uses the TPM (Trusted Platform Module).
- A YubiKey or other hardware security key holds the key in dedicated tamper-resistant hardware.
To use the key, the device requires a user-presence check — usually your fingerprint or face. The hardware refuses to sign anything without that biometric confirmation.
How the login dance works
A few things worth noticing:
The challenge is single-use. The API generates a fresh random challenge for every login attempt and stores it temporarily. The signature is only valid for that exact challenge. Replaying an old signature is impossible.
The credential id tells the browser which passkey to use. When a user has multiple passkeys (work laptop, personal phone, hardware key), the API includes the list of acceptable credential ids in the response and the browser/OS picks the right one — usually with the user choosing from a system-level prompt.
The verification is pure cryptography. No database lookup beyond the public key and the issued-challenge record. No password to crack, no shared secret, nothing to steal off the wire.
How registration works
Registering a passkey is similar in shape to logging in, but in the other direction.
The user can repeat this on every device they want to use to sign in. Most users register two — primary device (laptop) and a backup (phone or hardware key).
Phishing resistance
This is the single biggest property passkeys add. A passkey is bound to the domain it was registered on.
If an attacker creates a fake login page at dashify-secure.example.com and tricks the user into trying to sign in there, the user's device refuses. The passkey was registered for dashify-docs.nauman.live, so the browser rejects the navigator.credentials.get request because the page's domain does not match the domain the passkey was registered for. The attack fails before the user can even make a mistake.
This is why phishing — the most common attack on user accounts — does not work against passkeys. The technology refuses to be phished.
Where Dashify uses passkeys
Two places.
Initial sign-in. A user with a registered passkey can choose "Sign in with passkey" instead of typing a password. The device prompts for biometric authentication, signs the challenge, the API verifies, the session begins. No password ever touches the network.
Inactivity unlock. After a configurable period of inactivity, the platform locks itself in the browser, requiring re-authentication. The unlock prompt is a passkey check. Faster than typing the password, more secure, and friction-free.
A logged-in user without a passkey is gently prompted to register one after a successful login. The user can dismiss; the prompt re-appears later. The platform does not force passkeys on anyone, but it makes them the easy choice.
What about losing the device?
Two cases:
You have synced passkeys (iCloud Keychain, Google Password Manager). Your passkeys sync across devices. A new device picks them up automatically. Lost device → sign in on the new one.
Your passkey was bound to a single device (a hardware key, a non-syncing setup). Use a recovery method — a recovery code, a 2FA fallback, or contact your org admin. Dashify always supports a non-passkey path so a single lost device does not lock the user out forever.
What if my fingerprint changes?
You unlock the device with your fingerprint, and the device unlocks the passkey. As long as the device still trusts your biometric (or you can fall back to your device PIN), the passkey works. Replacing a phone or laptop means registering the passkey on the new device.
Key takeaways
- A passkey is a cryptographic key pair stored on your device — the platform only sees the public key.
- Logging in is "sign a challenge with my private key, verify with the public key." No password is ever transmitted.
- Passkeys are phishing-resistant because they are bound to the website's domain.
- The private key is protected by your device's secure enclave and unlocked by your fingerprint or face.
- Dashify uses passkeys for sign-in and for inactivity unlock; recovery paths exist for lost devices.