Skip to main content

What are passkeys?

Passkeys are a passwordless authentication standard based on WebAuthn/FIDO2. Instead of typing a password, you authenticate with a hardware security key, fingerprint, face scan, or device PIN. Passkeys are phishing-resistant and eliminate credential stuffing attacks.

PassAgent as a passkey provider

PassAgent acts as a passkey credential provider on both web and iOS. When a website supports passkeys, PassAgent can:
  1. Store passkey metadata alongside your password entries
  2. Provide passkeys through the Chrome extension’s credential provider
  3. AutoFill passkeys on iOS through the AutoFill extension

Storing passkeys

1

Register a passkey

When you create a passkey on a website, PassAgent captures the credential metadata (credential ID, relying party, public key) and stores it alongside your vault entry.
2

Link to a vault entry

Each passkey is associated with a password entry. Navigate to a vault entry and click Add passkey to register one.
3

Use during login

When a website requests passkey authentication, the PassAgent extension or iOS AutoFill provides the stored credential.

Browser extension support

The Chrome extension registers as a WebAuthn credential provider. When a website initiates a passkey authentication flow, PassAgent can supply the stored credential.The extension supports the PRF extension for deriving encryption keys from passkey authentication, enabling passkey-based vault unlock.

iOS AutoFill

The iOS app includes an AutoFill Credential Provider Extension that provides passkeys system-wide:
  • Works in Safari and all apps that support passkey authentication
  • Uses iOS biometrics (Face ID / Touch ID) for authorization
  • Syncs passkey metadata from your PassAgent vault
  • Supports the ASCredentialProviderViewController API

Travel-safe mode

Passkey entries can be marked as travel-safe. When enabled, these credentials are accessible even in restricted environments where you might need to authenticate without full vault access.

AAGUID registration

PassAgent’s authenticator is registered with the FIDO Alliance metadata service. Relying parties that check metadata will display “PassAgent” instead of “Unknown authenticator” when reviewing your passkeys.
AAGUID registration is cosmetic and does not affect passkey functionality. It helps relying parties identify which authenticator created a credential.