Every passkey is built on asymmetric cryptography — a public/private key pair generated uniquely for each service you register with. When you register with a FIDO2-enabled service, your authenticator generates a unique cryptographic key pair specific to that relying party. The private key is stored securely on your device, while the public key is sent to the service.
Think of the public key as a padlock you hand to the website. They can lock things with it, but only your device — holding the private key — can open them. Your private key never moves. Amazon, Google, your bank: none of them ever receive it, store it, or even see it.
During login, the service sends a one-time challenge, and your device signs it with the private key. That is what makes the process phishing-resistant: even if an attacker intercepts the exchange, all they capture is a signature over that specific challenge for that specific session — not a reusable credential.
This is the part that surprises most people. When you press your thumb to the sensor to approve a passkey login, your fingerprint is being used to unlock the private key — not to prove anything to the remote server.
Biometric information and biometric processing stay on the device and are never sent to any remote server — the server only sees an assurance that the biometric check succeeded. That assurance is just a flag: "yes, the user authenticated locally." No image, no template, no hash of your fingerprint rides along with it.
FIDO protocols dictate that when biometric data is used, it never leaves the device. There is no change to the local biometric processing of devices such as mobile phones. The secure enclave (Apple's Secure Element, Android's Trusted Execution Environment) handles the biometric match in hardware-isolated memory. The rest of the OS — and every app on it — is locked out of that process.
The practical consequence: a breach at Amazon exposes no biometric data, because Amazon never had any.
Passkeys are four times faster than OTP-based logins according to the FIDO Alliance. There is no need to remember a password or wait for a code — users simply approve the sign-in on their device.
A common concern: if your passkey lives on your phone and your phone dies, are you locked out forever? Not quite. Passkeys can sync across your devices through platform credential stores — synced passkeys are stored in the cloud and accessible across multiple devices. When you create a passkey on one device, it's securely synced via iCloud Keychain (Apple), Google Password Manager, or third-party managers like 1Password and Bitwarden.
Passkey syncing is end-to-end encrypted. The private key is encrypted before it leaves your device and can only be decrypted by another device you own and have authenticated. The sync provider — Apple, Google — cannot read the private key in transit or at rest.
For higher-security environments, device-bound passkeys are an option: device-bound passkeys stay on the device where they were created and cannot be exported. This trades cross-device convenience for a hardware-rooted guarantee, and is common in enterprise deployments using FIDO2 security keys like YubiKeys.
Traditional password breaches are a numbers game — attackers dump a leaked database and try those credentials on every other site. Passkeys break this model in two ways:
A look-alike domain such as amaz0n.com will never receive a valid signature from your legitimate Amazon passkey — the browser and OS simply won't match the origin.

The shift to passkeys has accelerated sharply. Google reports 800 million accounts using passkeys with over 2.5 billion passkey sign-ins. They've measured a 30% higher sign-in success rate and approximately 20% faster sign-ins compared to passwords.
Consumer awareness has risen from 39% in 2022 to 57% in 2024 according to FIDO Alliance research. When consumers adopt at least one passkey, reported satisfaction with the login experience climbs significantly. On the enterprise side, 87% of businesses surveyed have either successfully deployed or are currently deploying passkeys, up 14 percentage points from the previous survey.
48% of the top 100 websites now support passkeys, more than double the number from 2022. Passkeys achieve a 93% login success rate compared to 63% for passwords.
Passkeys are not without friction. Account recovery when you lose all enrolled devices remains inconsistent across services — some fall back to email links (weak), others to recovery codes (strong but often ignored). Cross-ecosystem portability is improving; the FIDO Alliance Cross-Platform Credential Exchange working draft defines a standard format and protocol for moving passkeys between sync fabrics, so a user could export a passkey from iCloud Keychain into 1Password or from Google Password Manager into Bitwarden.
Legacy systems remain an obstacle. Many enterprise applications still rely on password-based auth at the back end even where passkeys are offered at the front door, meaning the underlying risk isn't fully eliminated until the whole stack migrates. And PIN-based fallback — allowed when biometrics aren't available — is less phishing-resistant than biometric unlock, though still far stronger than reused passwords.
None of that changes the core point: the architecture is sound. Your fingerprint authenticates you to your device. Your device authenticates itself to the service. Amazon doesn't need your fingerprint. It never did.