How Passkeys Work: The Cryptography Behind Passwordless Login

login.ad is a rare, high-signal domain at the crossroads of identity and the passwordless revolution. Perfect for a passkey product, authentication SDK, SSO platform, or any company redefining how users sign in.

Buy for $9,999 →

Public Key Cryptography in Your Pocket

A passkey is a cryptographic key pair: a private key that lives in your device's secure enclave, and a public key that the website stores. During registration, your device generates the pair and sends only the public key to the server. During login, the server sends a random challenge, your device signs it with the private key (after you unlock it with biometrics or PIN), and the server verifies the signature with the stored public key.

The Core Property

The private key never leaves the device. The server never sees it. A breach of the server database reveals only public keys — which are, by definition, public. The stolen data contains no secret that could be cracked offline or used to sign in as the user.

Registration Flow

1. User clicks "Create account with passkey"
2. Browser calls navigator.credentials.create() with the server's options
3. OS prompts for biometric or PIN
4. Device generates a key pair in the secure enclave; private key is stored, never exported
5. Device returns the public key + credential ID + attestation to the browser
6. Browser sends these to the server, which stores the public key associated with the user account

Authentication Flow

1. User clicks "Sign in with passkey"
2. Browser calls navigator.credentials.get() with the server's challenge
3. OS shows the passkey picker; user selects their credential and authenticates with biometrics
4. Device signs the challenge with the private key
5. Browser sends the signed assertion to the server
6. Server verifies the signature using the stored public key — if valid, authentication succeeds
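The two flows above, reduced to their cryptographic core, as an added example that is not part of the original page: a device-side authenticator that only ever exports a public key and signatures, and a relying party that stores the public key, issues a random challenge, verifies the signed assertion and retires the challenge. The P-256/ECDSA choice and the single-credential server are assumptions made for brevity; the real WebAuthn assertion also covers the origin and authenticator data, which this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

type Authenticator struct{ priv *ecdsa.PrivateKey } // device side; priv never leaves

// Server models the relying party for one credential: public key and pending challenge only.
type Server struct {
	pub     *ecdsa.PublicKey
	pending []byte
}

// Register is the create() step: the key pair is generated on the device, the server gets the public key.
func (a *Authenticator) Register(s *Server) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.priv, s.pub = priv, &priv.PublicKey
	return nil
}

// Challenge issues a fresh 32-byte random challenge for the get() step.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // never returns an error since Go 1.24
	s.pending = append([]byte(nil), c...)
	return c
}

// Sign is the only private-key operation the device exposes.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify checks the assertion and consumes the challenge, so a captured assertion cannot be replayed.
func (s *Server) Verify(challenge, sig []byte) bool {
	if s.pub == nil || s.pending == nil || string(challenge) != string(s.pending) {
		return false
	}
	s.pending = nil
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, h[:], sig)
}
```

Note that the challenge is retired whether or not the signature verifies, so every sign-in attempt needs a new one.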

The Secure Enclave

On Apple devices, private keys live in the Secure Enclave — a dedicated coprocessor isolated from the main CPU with its own encrypted memory. On Android devices, they're protected by StrongBox or the Trusted Execution Environment (TEE). On Windows, the Trusted Platform Module (TPM) provides equivalent protection. These hardware roots of trust mean that even a fully compromised operating system cannot extract the private key; what the hardware guarantees is non-exportability, which is why the user-presence and biometric check before each signature still matters.

Sync vs. Device-Bound

Passkeys come in two flavors. Synced passkeys (used by Apple, Google, Microsoft) are encrypted and backed up to a cloud keychain — so you can sign in on a new phone even after a factory reset. Device-bound passkeys are tied to one piece of hardware and cannot be exported; they are used for high-security scenarios such as hardware security keys (YubiKey). For most consumer applications, synced passkeys offer the right balance of security and convenience.

Acquire This Domain

Interested in login.ad? Whether you want to acquire it outright or discuss a partnership, reach out and we will get back to you promptly.