The Technology Behind Passkeys: Public Key Infrastructure (PKI) Explained

Every time you log in with a passkey, a sophisticated cryptographic system operates invisibly in the background. That system is Public Key Infrastructure (PKI). It's the reason passkeys are phishing-resistant, the reason your private key never needs to leave your device, and the reason a server breach can't expose your credentials.

PKI isn't new — it's the same technology that secures HTTPS connections and online banking. What passkeys do is bring that same architecture to everyday authentication, replacing the shared-secret model of passwords with something cryptographically stronger. This post explains how it works, in plain terms. If you're coming from What are passkeys and how do they work?, this is the deeper technical layer underneath that post.

What is Public Key Infrastructure (PKI)?

Public Key Infrastructure (PKI) is a framework for managing cryptographic keys and digital certificates. It consists of a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates, and manage public-key encryption. PKI is the foundation that enables secure electronic transfer of information for various network activities, including e-commerce, internet banking, and confidential email.

The core concept is asymmetric cryptography: instead of a single shared secret (like a password), you have two mathematically linked keys that work together.

• The public key can be shared freely. It's used to verify signatures and encrypt data intended for the key owner.
• The private key is kept secret by the owner. It's used to create signatures and decrypt data.

The mathematics of asymmetric cryptography ensures a one-way relationship: you can verify a signature made with a private key using only the public key, but you cannot derive the private key from the public key. This is what makes the system secure — the private key never needs to be shared, transmitted, or stored anywhere except on your own device.

The Key Components of PKI

1. Public and Private Key Pairs: The foundation. Every entity has a public key (shareable) and a private key (secret). Everything else in PKI is built around managing and trusting these pairs.
2. Digital Certificates: A digital certificate binds a public key to an identity. It contains the public key, information about the key owner, and a digital signature from a Certificate Authority confirming the binding is legitimate. When your browser visits a website over HTTPS, it checks the site's certificate to confirm it's genuine.
3. Certificate Authority (CA): Trusted organisations that issue and sign digital certificates. When a CA signs a certificate, it's vouching that the public key in that certificate genuinely belongs to the entity named. Your browser and operating system ship with a list of trusted CAs whose signatures they'll accept.
4. Registration Authority (RA): Verifies the identity of entities requesting their digital certificates to be stored at the CA.
5. Certificate Repository: A database of active digital certificates.
6. Certificate Revocation List (CRL): A list of certificates that have been revoked before their scheduled expiration date.

How PKI Powers Passkey Authentication

Passkeys leverage PKI to create a secure, phishing-resistant authentication method. Here's how it works:

1. Key Generation: When you register a passkey with a website, your device generates a unique public-private key pair specifically for that site. This happens on-device, in a secure enclave — a hardened area of your device's processor designed to protect cryptographic operations. The private key is generated and stored there, and in most implementations, it cannot be exported.
2. Registration: Your device sends the public key to the website's server, where it's stored against your account. The private key stays on your device. The server has everything it needs to verify your identity later — and nothing that could be used to impersonate you.
3. Authentication: When you return to log in, the server generates a random cryptographic challenge — a unique string of data that has never been used before and will never be used again. This prevents replay attacks, where an intercepted authentication attempt is reused.
4. Signing: Your device prompts you to verify your identity locally — via biometrics or PIN. Once verified, the secure enclave uses the private key to cryptographically sign the challenge. This signature is mathematically unique: it was produced by your specific private key, for this specific challenge, at this specific moment.
5. Verification: The signed challenge is returned to the server. The server uses the stored public key to verify the signature. If the signature is valid — meaning it was produced by the private key that corresponds to the registered public key — authentication succeeds. If anything has been tampered with, verification fails.

The entire exchange proves your identity without transmitting your private key, without transmitting a password, and without the server ever holding a secret that could be stolen.

The Role of the Secure Enclave

One aspect of passkey security that's easy to overlook is where the private key actually lives. Modern smartphones, laptops, and security keys include dedicated hardware — Apple calls it the Secure Enclave, Android uses the StrongBox Keymaster, Windows uses the TPM (Trusted Platform Module) — designed specifically to store and use cryptographic keys in isolation from the rest of the operating system.

The private key is generated inside this hardware boundary and, in most implementations, cannot be extracted from it. Even if malware compromised the main operating system, it could not directly access the private key. The secure enclave only performs signing operations when explicitly authorised — which is why biometric or PIN verification is required before a passkey can be used.

This hardware-backed security model is what makes the "private key never leaves your device" guarantee meaningful in practice, not just in principle. We explore this further in [The role of hardware security in passkey protection].

PKI in Passkeys vs. PKI in HTTPS

It's worth clarifying how passkey PKI differs from the certificate-based PKI you're already using every day via HTTPS:

• In HTTPS, the server presents a certificate to prove its identity to you. A Certificate Authority vouches for the server's public key.
• In passkey authentication, you present a signed challenge to prove your identity to the server. There's no CA involved — the website directly stores your public key at registration and trusts it thereafter.

This is sometimes called a "self-sovereign" model: you generate your own key pair, register the public key directly with the service, and authentication is a direct bilateral exchange. It's simpler than the full CA model, and for user authentication purposes, it's more appropriate — you don't need a third party to vouch for your identity to every website you use.

Advantages of PKI in Passkeys

1. Phishing Resistance: Since the private key never leaves the user's device and is bound to specific websites, phishing attempts become ineffective.
2. No Shared Secrets: Unlike passwords, there's no shared secret that could be intercepted or stolen from a server database.
3. Strong Security: The cryptographic strength of PKI makes it extremely difficult for attackers to break the system.
4. Non-reusability: Each passkey is unique to a specific website, limiting the impact of potential breaches.
5. Scalability: PKI can handle large numbers of users and services efficiently.

PKI is not a new technology — it has secured internet communications for decades. What passkeys do is apply that proven cryptographic model to user authentication, replacing the fragile shared-secret architecture of passwords with something that is secure by mathematical construction rather than by policy or user behaviour. The private key never leaves your device. The server stores nothing that can be used against you. Authentication is a cryptographic proof, not a secret you can accidentally reveal.