🔑

How Passkeys Work

What is a passkey?

A passkey is a cryptographic key pair stored on your device. When you sign in, your device proves it holds the private key without ever sending it over the network. No password. No shared secret. Nothing to phish.

The sign-up flow

User clicks "Create account"

Server generates a random challenge

Device creates a key pair

Private key stays on device. Public key sent to server.

Server stores public key

Account created. User is signed in. Done.

The sign-in flow

User clicks "Sign in"

Server sends a random challenge

Device signs the challenge

User confirms with Face ID, fingerprint, or PIN

Server verifies signature

Matches the stored public key. User is in.

Passwords vs Passkeys

Passwords

Can be phished
Can be reused across sites
Require password reset flows
Need secure storage (hashing)
Users forget them

Passkeys

Phishing-resistant by design
Unique per site automatically
No reset flow needed
Only public keys stored
Nothing to remember

Why this matters for VPS providers

Fewer support tickets — no more "I forgot my password"
Better security posture — account takeovers become much harder
Reduced liability — no password database to breach
Competitive edge — "Australia's first passkey-native VPS"
Future-proof — NIST and industry moving this direction

The bottom line: Passkeys eliminate the entire class of credential-based attacks while making login faster and easier for users. It's better security with less friction.

Implementation

This demo is built with:

Node.js + Express backend
SimpleWebAuthn — the most popular WebAuthn library
~200 lines of server code for complete auth
No passwords stored — only public keys
Standards-based — WebAuthn/FIDO2, supported by all major browsers

See the full technical breakdown →

← Back to demo