Chapter 20: Passwordless Authentication — Passkeys, WebAuthn, and the End of the Password
This is Part 20 of a chapter-by-chapter walkthrough of my book OpenID: Modern Identity for Developers and Architects. In the previous chapter we closed Part VI with operations. Chapter 20 opens Part VII — The Future of Identity — with the pattern that's already killing the password.
20.1 — Passkeys: Public-Key Crypto, Friendly Packaging
A passkey is a public-key credential stored on a user's device. The private key never leaves the device; the public key is registered with the service. When the user authenticates, the device signs a challenge from the service, proves possession of the key, and that's it — no password, no OTP, no shared secret anywhere.
The magic of passkeys isn't the crypto (we've had public-key auth for decades). It's the UX. Modern operating systems (iOS/macOS Keychain, Windows Hello, Google Password Manager, Android) sync passkeys across a user's trusted devices, back them up to encrypted cloud storage, and surface them through the same biometric or PIN prompt users already use. Login becomes "hold your finger on the sensor."
20.2 — WebAuthn: The API Underneath
WebAuthn (FIDO Alliance + W3C) is the browser API that makes passkeys possible. Two ceremonies: registration creates a new key pair on the authenticator and registers the public key with the relying party; authentication has the authenticator sign a fresh challenge with the private key. Origin binding, user verification (biometric or PIN), and optional attestation statements about the authenticator itself round out the model.
From an OIDC standpoint, WebAuthn doesn't replace the protocol — it replaces the credential the IdP accepts. Your IdP can run WebAuthn under the hood and return an ID token with a strong acr claim, letting downstream applications reason about the authentication strength without knowing or caring that a passkey was involved.
20.3 — FIDO2: Hardware Keys and the Wider Ecosystem
FIDO2 is the whole stack: WebAuthn in the browser plus CTAP (Client-to-Authenticator Protocol) between the browser and external authenticators. Hardware keys — YubiKey, SoloKey, Titan — speak CTAP. They sit in your pocket, survive your laptop being compromised, and are the gold standard for high-assurance accounts (admin, financial, executive).
The broader FIDO Alliance ecosystem includes certification programs, shared threat models, and interop testing. Platform authenticators (passkeys) cover the mainstream; hardware keys cover the high-stakes. Both work through the same spec. That's a win.
What Chapter 20 Sets Up
After Chapter 20 you should understand why passkeys are the endpoint of the MFA journey (not an alternative to MFA, but its replacement), how WebAuthn slots cleanly into OIDC's existing authentication context plumbing, and where hardware FIDO2 keys belong in your threat model. If your identity roadmap for the next 24 months doesn't include a passkey story, you have a gap.
Next up — Chapter 21: Decentralized Identity. We go even further from centralized IdPs: DIDs (Decentralized Identifiers), Verifiable Credentials, and how the emerging OpenID for Verifiable Credentials (OID4VC) spec bridges the centralized and decentralized worlds.
Sho Shimoda
I share and organize what I’ve learned and experienced.