A passkey is a public key. That is not marketing copy — it is literally what it is.
When you create a passkey for a website, your device generates an ECDSA keypair. The public key goes to the website. The private key stays on your device, locked in the Secure Enclave or TPM. Login is a challenge-response: the site sends a random value, your device signs it, the site verifies with the public key it has on file. No password is transmitted. No password exists.
The biometric — Face ID, fingerprint — does not do the signing. It unlocks the Secure Enclave so the private key can be used. The biometric is a gate, not the key.
This is genuinely good. Phishing stops working. Credential databases become worthless to steal. The FIDO Alliance called it "passkeys" because "FIDO2/WebAuthn public key credential" tested badly with consumers. Same technology, better name.
The Critical Difference
Passkeys still depend on Apple or Google for recovery.
Lose your iPhone. Your passkeys live in iCloud Keychain. To restore them, you log into iCloud. Which means Apple holds the recovery path. Which means a court order to Apple recovers your identity. Which means your private key, despite living in a Secure Enclave on your phone, has a trust anchor in Cupertino.
This is not a theoretical concern. It is the designed behavior. Apple explicitly markets iCloud Keychain sync as a passkey feature. Google does the same with their Password Manager. The convenience is real. So is the dependency.
What Self-Sovereign Means
A self-sovereign key has no issuer and no recovery authority other than you.
Gong generates an ECDSA keypair and immediately splits the private key into three parts using a threshold scheme — any two parts reconstruct the key, one part alone is useless. Each part goes to a different physical device you hold. The server never sees any part. Apple never sees any part. There is no cloud backup of the root secret.
Recovery is a ceremony: bring any two of your three devices together, reconstruct the key, re-provision a replacement device. No account reset. No SMS code. No support ticket.
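A worked example of the split-and-recover ceremony described above, added here and not Gong's own code (the page shows none): it assumes the threshold scheme is Shamir secret sharing over the prime field given by the P-256 group order, with a 2-of-3 policy, and it also shows why a single share tells an attacker nothing.

```python
import secrets

# Assumption: shares live in the field mod the P-256 group order n (a prime),
# the same field an ECDSA private-key scalar lives in.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def split_key(priv: int, threshold: int = 2, shares: int = 3, n: int = P256_N):
    """Shamir split: random polynomial of degree threshold-1 whose constant
    term is the private key; share i is the point (i, f(i)). Any `threshold`
    points fix the polynomial, fewer leave f(0) completely undetermined."""
    assert 0 < priv < n and 1 < threshold <= shares
    coeffs = [priv] + [secrets.randbelow(n) for _ in range(threshold - 1)]
    out = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod n
            y = (y * x + c) % n
        out.append((x, y))
    return out


def recover_key(shares, n: int = P256_N) -> int:
    """Recovery ceremony: Lagrange-interpolate f(0) from the shares brought
    together (exactly `threshold` of them, e.g. any two of the three devices)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % n
                den = den * (xi - xj) % n
        secret = (secret + yi * num * pow(den, -1, n)) % n
    return secret


def forge_companion(share, target: int, x2: int = 2, n: int = P256_N):
    """Given ONE share, compute a second share that makes the pair reconstruct
    any `target` you like: a lone share is consistent with every possible key,
    which is why a single stolen device leaks nothing about the root secret."""
    x1, y1 = share
    y2 = (target + (y1 - target) * pow(x1, -1, n) * x2) % n
    return (x2, y2)


if __name__ == "__main__":
    priv = secrets.randbelow(P256_N - 1) + 1          # constructed sample key
    phone, laptop, yubikey = split_key(priv)          # one share per device
    assert recover_key([phone, yubikey]) == priv      # lost the laptop: still fine
    print("recovered from any two of three devices")
```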
The comparison that matters:
- Passkey recovery root: Apple ID / Google Account — a corporation that can be subpoenaed, hacked, or compelled
- Gong recovery root: Two physical devices you hold — no third party in the chain
Passkeys Are the Right Direction
This is not an argument against passkeys. Replacing passwords with public key cryptography is unambiguously correct. For most people and most use cases, passkeys backed by iCloud are a dramatic security improvement over what came before.
The question is where the trust ends.
For individuals who need to know that no authority — legal, corporate, or criminal — can access their identity without physically taking their hardware, passkeys are not the final answer. They are the on-ramp.
Gong is what comes after you decide you want to own the key, not just use it.