CONCEPT Cited by 3 sources

Passkey authentication¶

Definition¶

Passkey authentication is a passwordless authentication primitive built on the WebAuthn / FIDO2 standards. A passkey is a public-private keypair generated and stored on the user's device (or synchronised across devices via platform-provided keychains like iCloud Keychain, Google Password Manager, 1Password). The private key never leaves the authenticator; authentication challenges are signed locally and verified by the server's stored public key.

Two properties that distinguish passkeys from password-based auth:

No shared secret on the server side. The server stores a public key, not a password hash. A server breach cannot leak credentials usable on other sites.
Phishing-resistant. The passkey is bound to the domain (origin) it was registered against. A phishing site at a different origin simply cannot prompt the authenticator to sign a challenge for the real origin.

Why default passkey¶

Cloudflare's EmDash launch post frames this concisely:

"EmDash uses passkey-based authentication by default, meaning there are no passwords to leak and no brute-force vectors to defend against."

The two things that go away when you adopt passkey defaults:

Password leaks. No hash database to dump.
Credential-stuffing / brute-force attacks. No passwords to guess; even a public-key-signing oracle is rate-limited by the authenticator, and the signing challenge is server-issued and single-use.

For a CMS at WordPress scale (40%+ of the web), this structurally removes the dominant class of authentication attacks. WordPress plugin auth-weakness CVEs are the obvious foil.

Pluggability¶

EmDash makes passkey the default but not the only option:

"Authentication is pluggable, so you can set EmDash up to work with your SSO provider, and automatically provision access based on IdP metadata."

This combines two properties:

Passkey out of the box → works for small sites, solo publishers, individual users.
Pluggable SSO → enterprise deployments can wire SAML / OIDC / OAuth to an existing IdP.

Plus EmDash's built-in RBAC: administrator / editor / author / contributor, scoped strictly to the actions each role needs.

Relationship to OIDC / SSO flows¶

Passkeys authenticate a user-to-site interaction directly; they're the credential primitive at the endpoint. OIDC / SSO shifts the authentication point to an IdP, which itself may use passkeys (the IdP prompts the user's passkey, then issues a token to the relying party). Both can coexist: passkey is the atomic primitive; SSO is the federation topology.

Seen in¶

sources/2026-05-01-meta-strengthening-end-to-end-encrypted-backups — Passkeys as backup-vault authentication factor. Meta's 2026-05-01 post references the late-2025 shipment of passkey-based E2EE backups for WhatsApp as an alternative to the recovery-code path into the HSM-based Backup Key Vault. Canonical wiki instance of passkeys as the user-authentication factor into a server-side HSM-backed key vault — distinct from the website-login instance (EmDash) and the legacy-account retrofit instance (Fly.io Twitter). The passkey changes how the user authenticates themselves; the HSM vault (and the Cloudflare-cosigned fleet-key distribution) remains the substrate. Announced via the WhatsApp passkey-backup launch blog (not ingested on this wiki).
sources/2026-04-01-cloudflare-emdash-wordpress-spiritual-successor — canonical wiki instance. Passkey named as EmDash's default authentication; pluggable SSO as the alternative; WordPress's password-based default implicitly framed as the structural anti-example.
sources/2025-10-08-flyio-kurt-got-got — Fly.io's post-incident retrofit: after the @flydotio Twitter account was taken over via phishing, Fly.io explicitly moves the account onto Passkeys. "Either way: our Twitter access is Passkeys now." Second canonical wiki instance; relocates protection from 1Password-browser-plugin-side domain-check (defeated by manual copy-paste) to authenticator-side cryptographic origin binding. The incident frames Passkeys as the ATO defence once the legacy shared account couldn't be federated through the org's primary IdP (patterns/phishing-resistant-mfa-behind-idp).

systems/emdash — CMS shipping passkey-by-default.
concepts/identity-to-key-binding — general binding primitive; passkeys are the in-browser realisation.
concepts/phishing-resistant-authentication — the property Passkeys provide.
concepts/origin-bound-credential — the cryptographic mechanism.
concepts/fido2-webauthn — the spec family Passkeys sit on.
concepts/account-takeover-ato — the incident class Passkeys defend against.
patterns/phishing-resistant-mfa-behind-idp — the operational pattern that amplifies Passkey deployment.
concepts/end-to-end-encryption — the backup-vault use case composes passkeys with E2EE.
concepts/hardware-security-module — the server-side key-storage substrate passkeys authenticate the user into in the WhatsApp-backup case.
systems/whatsapp-hsm-backup-key-vault · systems/whatsapp-e2ee-backups — canonical backup-vault deployment.
companies/cloudflare — EmDash operator.
companies/flyio — post-incident Passkey adopter for legacy Twitter account.