Passwordless authentication has emerged as a popular alternative to passwords, which can be stolen, cracked, phished or otherwise compromised. Currently there are two primary ways passwordless authentication is done – PKI digital certificates and FIDO passkeys. This article takes a closer look at each and discusses how to choose between the two.
PKI certificate
PKI digital certificates are the core element of public key infrastructure (PKI), which enables passwordless authentication by replacing passwords with digital certificates and cryptographic key pairs. In PKI, the user's device (or a smart card) generates a key pair: the private key never leaves the device, while the public key is sent to a certificate authority (CA) in a certificate signing request. The CA verifies the user's identity and issues a digital certificate binding the public key to that identity. When the user accesses a network or website, the device presents the certificate and uses the private key to sign an authentication challenge sent by the server. The server first checks that the certificate chains to a CA it trusts and has neither expired nor been revoked, then verifies the signature with the public key from the certificate, confirming the user's identity without a password. Connecting to a corporate network via VPN with a client certificate and logging into government systems with a Common Access Card (CAC) are both examples of PKI-based passwordless authentication.
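The exchange described above, written out as an added example (this is not code from the article or from HID): a throwaway CA issues a certificate for a constructed user "alice@example.com", the server sends a random challenge, the device signs it, and the server validates the certificate chain before it even looks at the signature. Only Go's standard library is used; the CA name, the user identity and the "Rogue CA" are constructed for the demonstration, and revocation checking (CRL/OCSP), which a real deployment needs, is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCert issues a certificate for pub, signed with the issuer's key (self-signed when parent == tmpl).
// Constructed helper: a real CA receives a CSR and vets the requester's identity before signing.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// pkiVerify is the server side of the login. The signature alone proves nothing: the server must
// first chain the presented certificate to a root it trusts (and, in production, check revocation),
// and only then use the certificate's public key to verify the signature over its challenge.
func pkiVerify(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	h := sha256.Sum256(challenge)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("challenge signature does not verify")
	}
	return nil
}

// pkiDemo runs the whole flow with constructed keys. It returns the verification result for a
// certificate issued by the trusted CA and for one issued by a CA the server does not trust.
func pkiDemo() (trusted, rogue error) {
	now := time.Now().Add(-time.Minute)
	caKey := genKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caCert := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool() // what the VPN gateway or web server is configured to trust
	roots.AddCert(caCert)

	// Enrollment: the private key is generated on the device and stays there; only the public key
	// reaches the CA, which binds it to the user's identity in a certificate.
	userKey := genKey()
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.com"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userCert := newCert(userTmpl, caCert, &userKey.PublicKey, caKey)

	// Login: the server sends a fresh random challenge and the device signs it with the private key.
	challenge := make([]byte, 32)
	rand.Read(challenge)
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, userKey, h[:])
	if err != nil {
		panic(err)
	}
	trusted = pkiVerify(roots, userCert, challenge, sig)

	// Same key, same valid signature, but the certificate comes from a CA the server does not
	// trust: chain validation, not the signature check, is what rejects it.
	rogueKey, rogueTmpl := genKey(), *caTmpl
	rogueTmpl.Subject = pkix.Name{CommonName: "Rogue CA"}
	rogueCA := newCert(&rogueTmpl, &rogueTmpl, &rogueKey.PublicKey, rogueKey)
	rogue = pkiVerify(roots, newCert(userTmpl, rogueCA, &userKey.PublicKey, rogueKey), challenge, sig)
	return trusted, rogue
}

func main() {
	trusted, rogue := pkiDemo()
	fmt.Println("CA-issued certificate:", trusted)
	fmt.Println("rogue-CA certificate:", rogue)
}
```

The second result is the point of the example: a correct signature from the right private key is still rejected when the certificate was not issued by a trusted CA. That trust relationship is what gives PKI its portability across relying parties, and it is also the part that needs ongoing care (issuance, renewal, revocation, protection of the CA key).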
“Your private key stays safely on your device, and the system checks your identity using the public key from a trusted source – no password needed,” said Edwardcher Monreal, Principal Solutions Architect for IAM Consumer Authentication Solutions at HID. “Unlike passwords, PKI authentication can’t be guessed, stolen, or phished. It uses a private key that stays locked in your device, making it much more secure and easier – no need to remember or type anything.”
FIDO passkey
Passkeys are another means of passwordless authentication, one that relies on the security features of the user's device, such as face or fingerprint verification, to unlock the credential. Passkeys are based on the FIDO (Fast Identity Online) standards developed by the FIDO Alliance and are used on the web through the WebAuthn API. As with PKI, a passkey is a public/private key pair: the public key is registered with the website or app the user logs into, and the private key stays on the user's device. A separate key pair is created for each site, and the browser or platform ties each credential to the site (its relying party ID) it was registered with. During authentication, the website or app sends a challenge to the device, which signs the challenge, together with the origin of the page that requested the login, using the private key, unlocked by a face or fingerprint scan. The website then verifies the signature using the public key it already has on file. Because the signed data commits to the origin, a look-alike phishing site cannot obtain an assertion that the real site will accept. Use cases abound: logging into Google, or a bank account, by having the user's face scanned by their phone instead of entering a password is a good example.
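The passkey exchange above, as an added example that is not from the article, HID or the FIDO Alliance's specifications: a simplified model of a WebAuthn assertion in Go. The authenticator data is reduced to the RP ID hash (the signature counter is left out) and the client data to the origin and challenge; the site "bank.example", the look-alike "bank-example.com", and the elided biometric unlock are all assumptions for the demonstration. It shows why relaying the real challenge through a phishing site does not help: the browser records the origin the victim is actually on, and the signature commits to it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Passkey is what the authenticator holds: one key pair created for exactly one site (rpID).
type Passkey struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Assertion is the authenticator's answer. Origin is recorded by the browser from the page that
// asked for the login; it is the one field a phishing site cannot choose.
type Assertion struct {
	RPIDHash  [32]byte
	Origin    string
	Challenge []byte
	Sig       []byte
}

// assertionDigest mirrors WebAuthn, which signs authenticatorData || SHA-256(clientDataJSON).
// Simplified here: authenticatorData is just rpIdHash, clientData is origin || challenge.
func assertionDigest(rpIDHash [32]byte, origin string, challenge []byte) [32]byte {
	clientData := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return sha256.Sum256(append(rpIDHash[:], clientData[:]...))
}

// Assert signs a challenge; the face or fingerprint check that unlocks priv is elided.
func (k *Passkey) Assert(origin string, challenge []byte) Assertion {
	rpHash := sha256.Sum256([]byte(k.rpID))
	d := assertionDigest(rpHash, origin, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, d[:])
	if err != nil {
		panic(err)
	}
	return Assertion{rpHash, origin, challenge, sig}
}

// RelyingParty is the website: it stored the public key at registration, with no CA involved.
type RelyingParty struct {
	id, origin string
	pub        *ecdsa.PublicKey
}

// Verify checks an assertion against the challenge the site issued for this login attempt.
func (rp *RelyingParty) Verify(expected []byte, a Assertion) error {
	switch {
	case a.Origin != rp.origin:
		return fmt.Errorf("origin %q is not %q (phishing?)", a.Origin, rp.origin)
	case !bytes.Equal(a.Challenge, expected):
		return errors.New("challenge mismatch (replay?)")
	case a.RPIDHash != sha256.Sum256([]byte(rp.id)):
		return errors.New("credential was registered with another site")
	}
	d := assertionDigest(a.RPIDHash, a.Origin, a.Challenge)
	if !ecdsa.VerifyASN1(rp.pub, d[:], a.Sig) {
		return errors.New("assertion signature does not verify")
	}
	return nil
}

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// passkeyDemo registers a constructed passkey with a constructed site, then tries a genuine login,
// a login relayed through a look-alike domain, and that relayed assertion with its origin rewritten.
func passkeyDemo() (legit, phished, tampered error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pk := &Passkey{rpID: "bank.example", priv: key}
	rp := &RelyingParty{id: "bank.example", origin: "https://bank.example", pub: &key.PublicKey}
	c1 := newChallenge()
	legit = rp.Verify(c1, pk.Assert("https://bank.example", c1))
	// A relay attacker forwards the site's real challenge, but the browser signs the origin the victim is on.
	c2 := newChallenge()
	a := pk.Assert("https://bank-example.com", c2)
	phished = rp.Verify(c2, a)
	// Rewriting the origin field does not help: the signed data already commits to the look-alike origin.
	a.Origin = rp.origin
	tampered = rp.Verify(c2, a)
	return legit, phished, tampered
}

func main() {
	legit, phished, tampered := passkeyDemo()
	fmt.Println("genuine:", legit, "| relayed:", phished, "| origin rewritten:", tampered)
}
```

Note what the relying party stores: just a public key it received at registration, so there is no certificate to issue, renew or revoke. The price is that the credential is meaningful only to that one site, which is the trade-off the rest of the article is about.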
How to choose between the two
Both PKI certificates and FIDO passkeys are passwordless authentication methods that prove possession of a private key by signing a server-issued challenge. The differences lie in the trust model (a CA vouches for a certificate that many relying parties can accept, whereas a passkey is registered directly with each site), in key management, and in user experience.
“While PKI offers strong security, it can be complex to manage – requiring certificate issuance, renewal, and secure storage of private keys. As a simpler, modern alternative, FIDO provides strong, phishing-resistant authentication without the overhead of managing digital certificates,” Monreal said. “Passkeys today are convenient because they’re available in the mobile or laptop. Hardware-bound passkeys (like USB keys or smart cards) offer stronger security because they’re stored in tamper-resistant devices and can’t be copied or synced to the cloud.”
According to Monreal, the following are some of the factors to consider when choosing between PKI certificates or FIDO passkeys:
• Choose PKI if you're in a regulated or enterprise environment that relies on digital certificates, document signing, or existing infrastructure like smart cards and CAs;
• Choose FIDO if you want simple, modern, phishing-resistant logins with minimal management – ideal for everyday web and app access.
Monreal further states that in many cases, a hybrid approach may be most effective, especially during transitions or in environments with diverse authentication needs.
“FIDO offers a modern, user-friendly way to log in that’s highly secure and phishing-resistant – perfect for everyday access to apps and cloud services. PKI still plays a key role in specialized needs like digital signing and legacy systems. Using both allows you to benefit from FIDO’s simplicity and strong protection, while keeping PKI for use cases where certificates are still required,” Monreal said.