A quiet but essential shift has just made passkeys — the future of secure passwordless authentication — ready for the quantum era.
On April 24, 2025, IANA updated the CBOR Object Signing and Encryption (COSE) codelist, officially adding support for post-quantum cryptographic (PQC) algorithms. This subtle standards update means that passkeys, built on the FIDO2 framework and digital signatures, are now prepared to resist the threats posed to authentication systems by quantum computers. For organizations building long-term digital identity strategies, this update signals a clear shift — the time to plan for quantum-safe authentication is no longer in the distant future, but here today.
The First Attempts at Quantum Resistance
The push toward quantum-safe authentication isn't new. Back in August 2023, Google announced the world’s first quantum-resilient FIDO2 security key, integrated into its open-source OpenSK firmware. Co-developed with ETH Zürich, this project combined the established Elliptic Curve Digital Signature Algorithm (ECDSA) with the post-quantum Dilithium algorithm. This created a hybrid signature scheme designed to survive both classical and quantum attacks.
However, without standardization, Google’s solution remained proprietary and could not be widely adopted by browsers or web applications at the time. The initiative demonstrated that achieving true quantum resistance in authentication systems requires coordinated industry adoption through multiple open standards.
Why The Standard Update Matters
At the heart of passkeys is a simple idea: users authenticate themselves by proving possession of a private key, while web apps verify that proof using a public key. The WebAuthn standard, a JavaScript API that defines how authenticators and web applications communicate, uses cryptographic algorithms to generate and verify signatures that prove a user’s identity. These algorithms are referenced by specific identifiers, represented as integer values. This keeps communication between authenticators and servers efficient and standardized, and avoids the need to spell out long algorithm names every time.
For instance, WebAuthn uses standardized identifiers like -7 for ES256 (ECDSA with SHA-256) and -257 for RS256 (RSASSA-PKCS1-v1_5 using SHA-256) algorithms. These identifiers are part of the COSE specification, ensuring compact, efficient transmission and interoperability across various devices and browsers.
When a web application creates a credential, it specifies a list of acceptable cryptographic algorithms using these numeric COSE identifiers. The authenticator picks one, generates a key pair, and creates the credential. During authentication (assertion), the authenticator uses the corresponding private key to sign a challenge, and the web application verifies the response using the public key and the specified algorithm. This mechanism allows WebAuthn to support a wide variety of cryptographic methods.
Until recently, post-quantum cryptography algorithms weren’t available among the COSE identifiers. That meant passkey implementations (or FIDO2 security keys) were still vulnerable to a future where quantum computers could break today’s cryptography. But that just changed.
What’s New?
As of April 24, 2025, IANA introduced three new quantum-resistant algorithms to the COSE specification:
- ML-DSA-87 (-50)
- ML-DSA-65 (-49)
- ML-DSA-44 (-48)
For now, these entries refer to the draft IETF standard for ML-DSA for JOSE and COSE, and IANA officially recommends them for implementations.
The inclusion of quantum-resistant algorithms in the standard paves the way for a new generation of passkey-based authentication systems and security platforms, built around post-quantum Dilithium signatures.
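The negotiation described above (the web application lists acceptable COSE identifiers, the authenticator picks one) can be sketched with the new ML-DSA identifiers placed ahead of the classical ones. This is an added example, not code from Wultra or from any WebAuthn library; the helper names are illustrative, and the authenticator is modelled as a function that takes the first offered algorithm it supports.

```javascript
// Added example; helper names are illustrative, not a library API.
// COSE identifiers are the ones quoted in this article.
const COSE_ALG = new Map([
  ["ML-DSA-87", -50],
  ["ML-DSA-65", -49],
  ["ML-DSA-44", -48],
  ["ES256", -7],
  ["RS256", -257],
]);
const POST_QUANTUM = new Set([-50, -49, -48]);

// Relying party: build pubKeyCredParams, ordered most preferred first.
function buildPubKeyCredParams(names) {
  return names.map((name) => {
    if (!COSE_ALG.has(name)) throw new Error(`unknown algorithm: ${name}`);
    return { type: "public-key", alg: COSE_ALG.get(name) };
  });
}

// Authenticator side (modelled): take the first offered algorithm it supports.
function pickAlgorithm(params, supportedAlgs) {
  const hit = params.find((p) => supportedAlgs.includes(p.alg));
  return hit ? hit.alg : null;
}

// Relying party: accept the new credential only if its algorithm was offered,
// and optionally only if it is one of the ML-DSA identifiers.
function checkRegisteredAlg(params, credentialAlg, requirePostQuantum = false) {
  const offered = params.some((p) => p.alg === credentialAlg);
  const postQuantum = POST_QUANTUM.has(credentialAlg);
  if (!offered) return { accepted: false, postQuantum, reason: "algorithm not offered" };
  if (requirePostQuantum && !postQuantum) {
    return { accepted: false, postQuantum, reason: "classical fallback rejected by policy" };
  }
  return { accepted: true, postQuantum, reason: "ok" };
}

// Constructed scenario: one ES256/RS256-only authenticator, one with ML-DSA-44.
const params = buildPubKeyCredParams(["ML-DSA-65", "ML-DSA-44", "ES256", "RS256"]);
const legacyAlg = pickAlgorithm(params, [-7, -257]);
const pqcAlg = pickAlgorithm(params, [-48, -7]);
console.log(legacyAlg, checkRegisteredAlg(params, legacyAlg));
console.log(pqcAlg, checkRegisteredAlg(params, pqcAlg, true));
```

Keeping ES256 and RS256 at the end of the list lets existing authenticators keep registering, while the server-side check records which credentials are still classical and can refuse them once policy requires ML-DSA.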
Ready for Post-Quantum Passkeys?
If you’re planning your authentication strategy for the next five years, post-quantum security isn’t optional anymore — it’s a necessity. Thanks to this new standard support, passkeys can now evolve alongside the advancing threat landscape.
At Wultra, we’re already leading the way. Our upcoming authentication platform will include full support for these novel standards, and we're planning to roll out the update to our customers in June 2025. Authentication is evolving — and with post-quantum protection now standardized, the shift is accelerating faster than expected.
Quantum-ready authentication isn’t optional — it’s the next standard. Get in touch with our team to explore how your organization can lead the way.