Authentication & Security

Passkey

A phishing-resistant authentication credential bound to a specific origin, replacing passwords with cryptographic key-pair authentication.

Also known as: FIDO2 credential, WebAuthn credential

A passkey is a cryptographic credential generated and stored on the user’s device (or synced across devices via Apple Keychain, Google Password Manager, or Microsoft account). When the user authenticates, the device proves possession of the private key without ever revealing it — typically unlocked by biometric verification (Face ID, fingerprint, Windows Hello).

Passkeys are phishing-resistant by design because they’re bound to a specific origin (your portal domain). A phishing site can’t steal a passkey because the cryptographic exchange won’t validate against the wrong origin. They also eliminate password breaches at the server side — your portal stores a public key, not a hashable secret.
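The origin binding described above, seen from the portal's server, as an added example that is not part of the original page. It checks the fields of a WebAuthn assertion that tie it to one origin. The portal domain, function names and sample data are assumptions, and verifying the signature with the stored public key is a separate step handled by a WebAuthn library.

```python
import hashlib
import hmac
import json
from base64 import urlsafe_b64encode

# Assumed relying-party settings (hypothetical portal domain).
EXPECTED_ORIGIN = "https://portal.example.com"
RP_ID = "portal.example.com"

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> list:
    """Return the names of failed binding checks; an empty list means all passed."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    # The browser, not the page script, fills in the origin, so a look-alike
    # site produces a value that does not match the portal's.
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        errors.append("challenge")
    # authenticatorData: SHA-256(rpId) (32 bytes), flags (1), signCount (4).
    if len(authenticator_data) < 37:
        return errors + ["authenticator_data_length"]
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        errors.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # UP flag: user present
        errors.append("user_present")
    return errors

def build_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample standing in for a browser/authenticator response."""
    cdj = json.dumps({"type": "webauthn.get", "origin": origin,
                      "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (7).to_bytes(4, "big")
    return cdj, auth

if __name__ == "__main__":
    ch = b"\x01" * 32  # constructed challenge; a real one is random per login
    print(check_assertion_binding(*build_sample(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print(check_assertion_binding(
        *build_sample("https://portal-example.com", "portal-example.com", ch), ch))
```

An assertion produced on a look-alike domain fails both the `origin` and `rp_id_hash` checks, so it cannot be replayed to the real portal even when the user was fooled.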

Passkeys are the 2026 best practice for customer portal authentication. See Authentication Portal.