Apple, Microsoft, or Google: Whose platform authenticator rules our passkey future?

**Summary: The Rise of Platform Authenticators in the Move to Passwordless Passkeys**

The way we log in to websites and applications is undergoing a major transformation, with passkeys promising to replace traditional user IDs and passwords. This shift is driven by three key ideas: making logins more secure, more convenient, and less reliant on human memory or behavior. Despite years of cybersecurity training, humans remain the weakest link in account security—as research shows, a staggering 98% of users still fall for phishing emails. Passkeys, leveraging the power of public key cryptography, aim to address these security gaps by eliminating passwords altogether.

**What Are Passkeys and How Do They Work?**

A passkey is a FIDO2-compliant credential—a secure, cryptographically generated key pair that allows users to authenticate themselves on websites and apps (often called "relying parties"), without ever entering a password. Instead, authentication happens securely in the background, with the user typically confirming their identity using biometrics (like Touch ID or Windows Hello) or a device PIN. This method protects against phishing, credential stuffing, and other attacks that exploit weak or reused passwords.

**Understanding Platform Authenticators**

To use passkeys, users rely on something called an "authenticator." There are several types, but this article focuses on platform authenticators. These are authenticators built right into your device—integrated within the operating system and tied to the device’s hardware security features (such as Apple's Secure Enclave or the Trusted Platform Module, TPM, on Windows PCs).

The World Wide Web Consortium’s (W3C) WebAuthn standard defines platform authenticators as those that are part of the client device itself. Essentially, if your phone or computer has built-in hardware and software that can securely generate, store, and manage passkeys—such as through Apple’s iCloud Keychain or Windows Hello—that’s a platform authenticator.

**Advantages and Operation of Platform Authenticators**

One of the biggest advantages of platform authenticators is cost—they’re free, because the functionality is built into the device’s operating system. For example, Apple’s iCloud Keychain, available on Macs and iPhones, stores confidential items like passwords, credit cards, and now passkeys. It interacts with the device’s Secure Enclave to help create and manage passkeys, then syncs them securely across all your Apple devices via iCloud.

When a user registers a new passkey on an Apple device, the system may prompt them to enable iCloud Keychain. Once enabled, the device can create a passkey and store it securely, asking for biometric confirmation like Touch ID or Face ID. Contrary to some misconceptions, the passkeys themselves aren’t stored in the Secure Enclave, but in the encrypted iCloud Keychain, which is then available across all a user’s Apple devices.

Syncing passkeys across devices is a key benefit. Unlike passwords, which are typically the same for a user regardless of which device they
