

Passkey authentication

Definition

Passkey authentication is a passwordless authentication primitive built on the WebAuthn / FIDO2 standards. A passkey is a public-private keypair generated on the user's device and held in its authenticator (or synchronised between the user's own devices through a platform credential manager such as iCloud Keychain, Google Password Manager or 1Password, which replicate it end-to-end encrypted). The private key is never sent to the relying party: the server issues a random challenge, the authenticator signs it locally, and the server verifies the signature against the public key it stored at registration.

Two properties that distinguish passkeys from password-based auth:

  • No shared secret on the server side. The server stores a public key, not a password hash. A dumped credential table gives an attacker nothing that can be replayed on the same site or reused on other sites.
  • Phishing-resistant. A passkey is scoped to the relying-party ID (the site's domain) it was registered for, and the browser records the page's origin in the signed client data. A phishing site at a different origin is never offered the credential, and even a relayed signature would carry the wrong origin and fail the server's check.

Why default passkey

Cloudflare's EmDash launch post frames this concisely:

"EmDash uses passkey-based authentication by default, meaning there are no passwords to leak and no brute-force vectors to defend against."

The two things that go away when you adopt passkey defaults:

  • Password leaks. There is no password or hash database to dump; a stolen public key cannot be used to log in.
  • Credential-stuffing / brute-force attacks. There is no password to guess, and nothing to guess it against: each login signs a fresh, random, single-use challenge issued by the server, the authenticator signs only after local user verification (biometric or PIN, with its own attempt limits), and recovering the private key from the public key or from past signatures is computationally infeasible.

For a CMS at WordPress scale (WordPress runs 40%+ of the web), this structurally removes the dominant class of authentication attacks; the steady stream of WordPress plugin authentication-weakness CVEs is the obvious foil.

Pluggability

EmDash makes passkey the default but not the only option:

"Authentication is pluggable, so you can set EmDash up to work with your SSO provider, and automatically provision access based on IdP metadata."

This combines two properties:

  • Passkey out of the box → works for small sites, solo publishers, individual users.
  • Pluggable SSO → enterprise deployments can wire SAML / OIDC / OAuth to an existing IdP.

Plus EmDash's built-in RBAC: administrator / editor / author / contributor, with each role scoped strictly to the actions it needs.

Relationship to OIDC / SSO flows

Passkeys authenticate a user-to-site interaction directly; they're the credential primitive at the endpoint. OIDC / SSO shifts the authentication point to an IdP, which may itself use passkeys (the IdP prompts the user for their passkey, verifies the assertion, then issues a token to the relying party). The two coexist: the passkey is the atomic credential, and SSO is the federation topology layered on top of it.
