What are passkeys? Should you use them?
8 min read
Passwords have been the standard for account security ever since the early days of the Internet. But despite how straightforward it is to use passwords, it’s far from the most secure way to log in to your accounts — which is where passkey login can help. While relatively new as a security feature, passkeys have already shown promising results in their ability to grant and secure access to any confidential data or safeguard user information across devices. A large part of this is how simple they are to use, while still being secure enough that attackers will have a hard time compromising them.
Contents
What is a passkey?
A passkey is a method of authenticating access to any account or information online. It uses a new type of technology called WebAuthn, which uses public-key cryptography to verify a user’s identity every time they log in.
When you use a passkey login, you simply need to approve your new access from another device without having to enter your username or create strong passwords. With passkey-supported apps and websites, all you need to do to log in is tap to continue.
This system allows you to save a passkey on your phone or create a new passkey every time you link a new account from a single device. It’s highly convenient, integrates with plenty of websites and apps, and works regardless of how many accounts you may have.
Passkey vs. password
Passkeys differ from passwords in several ways, such as how they are created, how they are used on websites, and how they are secured. Passwords are user-generated, whereas passkeys are automatically generated using public-key cryptography.
One misconception is that passwords are still required to use passkeys, which is not true. When people hear “password-protected passkeys,” they’re usually thinking of a password manager. Password managers, such as NordPass, allow users to store and retrieve credentials. Meanwhile, passkeys are always uniquely generated each time they’re used and are automatically changed with each creation.
| Passkeys | Passwords | |
|---|---|---|
| How authentication details are generated | Automatically generated via public-key cryptography, near-impossible to crack. | User-generated, so vulnerable to social engineering and other user-centric attacks and errors. |
| How access is controlled with each new login | A cryptographic key is uniquely generated for each access. | Must enter the same credentials/codes every time. |
| Likely security risks | Resistant to most common attacks like phishing and keylogging. | Can be compromised from multiple vectors, even with basic attacks. |
| Steps involved in authenticating user identity | Two-step (verify identity and private key). | Multiple steps (considering multi-factor authentication). |
| Efficiency of the process | Simple workflow once accounts have been synced to an authenticating device. | May require multiple steps to set up each time a new device or access point is added. |
| Convenience for the user | Highly convenient – no need to remember passwords. | Cumbersome – passwords and other security verifiers must be remembered. |
Automatically generated passkeys are more secure since they’re not prone to user error. People mistype, misremember, or misplace usernames and passwords all the time. Passkeys are uniquely generated and shared between devices, which makes them highly resistant to being cracked by attackers.
Who supports passkeys?
So, who accepts passkeys? Major companies like Google, Microsoft, and Apple have already started expanding their passkey support in their websites, apps, and devices. Plenty of other companies and organizations are following suit.
Other examples include:
- PayPal (apps only).
- Shop by Shopify.
- Instacart.
- KAYAK.
- Robinhood.
- Adobe.
- Tailscale.
If a company is part of the FIDO (Fast IDentity Online) Alliance, they’ll most likely support passkeys in some way. The FIDO Alliance includes some of the biggest names in tech — which means it’s highly likely you’ll be seeing passkey support in your browser or website in the future.
How can you use passkeys?
There are two essential components to using a passkey:
- The device where the passkey is created, encrypted, and stored; usually a smartphone.
- The login credential used to approve the passkey, like Face ID or a local device passcode.
Instead of having to enter a user name/password on a sign-in screen or using other security features like multi-factor authentication, all a user needs to do is enter their PIN, fingerprint, or facial recognition from their device. The passkey stored on your device is synced to your account name and details and will always change each time you log on and approve access.
Another way this can work is via QR codes, which are used by messaging apps like Viber. When you sign in on a computer with a passkey for the first time, a QR code appears on the computer. To sign in, scan the QR code with your phone’s camera. The next time you sign in with this computer and phone combination, you won’t need to scan a QR code.
Setting up passkeys for your devices
Smartphones are the most common devices used to enable passkey systems. If you sync your account or create new accounts on your iPhone or Android phone, you’ll most likely be given the option to sign in with a passkey.
You can choose to enable passkeys from your authentication devices or the system settings in your user account center. See below how that would look across different operating systems.
What is a passkey for Apple devices?
Apple uses the Apple iCloud Keychain to sync passkeys across different devices via the Cloud. To enable this feature, you need to do the following:
For an iPhone or iPad:
- Navigate to “Settings,” tap your name or Apple ID, and then tap “iCloud.”
- Tap “Passwords and keychain.”
- Enable the iCloud Keychain feature. You might be asked for your Touch ID to verify this process.
For MAC devices:
- Navigate to “System settings” or “System preferences” from the Apple Menu.
- Click your name or Apple ID. Then click “iCloud.”
- Turn on “Passwords and keychain.” This should enable the iCloud Keychain feature.
Enabling passkeys on your iPhone or iPad does not mean that you’ll be letting go of the Touch ID feature.
What is a passkey for Windows devices?
Windows has increased support for passkeys in the later versions of its operating system. To enable and change your settings, you need to do the following:
- Access a website or app with passkey support.
- Create a passkey using your account settings.
- Save the passkey. Windows allows you to save it on iOS, Android, and local devices like a security key.
- Complete the process depending on the device chosen.
Once you try logging in with that account again on a new device, it will prompt the device you used to save a passkey via push notification.
What is a passkey for Google devices?
Google has specifically implemented passkey login as a way to access Google accounts. To enable this feature, you need to do the following:
- Go to your Google Account.
- Check if passkeys are enabled. If you have previous passkeys from Android devices, they will be listed there.
- If passkeys are enabled, tap “Use passkeys.”
- If they are not enabled, tap “Create a passkey.”
- Tap “Continue” and follow the instructions.
Once you manage to link a passkey with your Google Account, you’ll have to repeat this process with any supported device that you’ll use to log in to your account in the future.
The benefits of passkey security
Using passkeys can be extremely effective against certain types of fraud like phishing attacks. Since your device understands which browser or website is connected to a specific passkey, it’s not likely that it’ll be fooled by a fake website or false domains.
The systems that passkeys use are also resilient against cyberattacks. Each passkey is uniquely created and linked to each account that you have. The keys are randomly and securely generated by the encryption between your devices, so they’re always unique each time.
Passkeys offer three specific solutions that passwords normally struggle with:
- Convenience: You don’t need to remember your login credentials or details once you’ve synced your devices.
- Account control: You have a secure central device you can use for user authentication.
- Advanced encryption: Passkeys themselves cannot be cracked by ordinary attackers.
But most of all, passkeys are secure because they reduce the risks associated with human error. You don’t need to remember a password to access or control your accounts.
While using passkeys offers handy benefits, it’s not without challenges. A potential challenge is losing access to a device. However, even if your authenticator device is taken from you, an attacker will still need to unlock the device itself to gain access. The chance of an attacker doing both is highly unlikely.
The future of passkeys
As advanced as passkeys are, they’re still very new technology and haven’t seen much use. However, many companies are now starting to see the benefits of passkeys and have begun to implement them into their operations.
Amazon
As one of the largest eCommerce entities, Amazon understands the importance of keeping customer data safe from attackers. To further beef up security, it has started offering passkey sign-ins to all its customers, rolling out support on browsers and apps starting October 2023.
Amazon customers can go to their account settings to enable the feature — just like the other methods discussed earlier — using the system across different devices. Not only does this reduce the risk to customer data, but it also improves the overall browsing and shopping experience on the platform.
The Titan Security key has been a mainstay of Google’s efforts to keep its users safe from data breaches while also providing an easy way to authenticate their identity. While this physical key was previously limited to functioning as a secondary means of authentication, the newer Titan keys now include passkey capabilities.
These new FIDO2 models can store passkeys for hundreds of accounts and work with all FIDO services. What’s even more remarkable is that Google accomplished all this without compromising the ease of use that the Titan key line is known for: simply plug in the device, enter your credentials, and verify.
Android
Android’s popularity as an operating system means that it’s often the OS behind many passkeys, and Android 14 looks to beef up support for its passkey capabilities. The Android OS is launching Credential Manager in November 2023, which can store biometrics and traditional passwords in a single place on Android phones.
Like many companies making the push, Android looks to blend user convenience with data security by offering easier passkey support to any company looking to develop apps that work with the Android OS. This not only helps app developers keep their products secure but also gives their users the confidence to engage with them without worrying about threats to their security.
A better alternative to passwords
Passkeys may not be the immediate future of data security, but they’re a promising step toward protecting sensitive information. They are the perfect blend of strong security and consistent user convenience, two areas that passwords have normally struggled with.
By implementing passkey security on your accounts, you can better protect your personal information and browse online more securely. The process is easy to integrate with your usual security measures. Adopting the technology now will make it easier to use as more apps and websites eventually expand support for passkeys.
