7 common misunderstandings about passkeys | 1Password (2024)

Almost everyone understands what passwords are, and how they work. But passkeys? That’s a different story.

Here at 1Password, we’re excited about passkeys, which let you create online accounts and securely sign in to them without entering a password.

But we know it’s early days, and the technology hasn’t gone mainstream (yet!).

Many people don’t know what a passkey is, or have heard an explanation that isn’t quite right. Here, we’re going to address some of the most common misconceptions so you can better understand how passkeys work, and use them with total confidence.

Misunderstanding: Behind every passkey is a password

Many of us use biometric authentication to unlock our devices and access our favorite online accounts. But in these scenarios, your biometrics don’t eliminate your password.

Passkeys, meanwhile, act as a replacement for traditional passwords.

Here’s a quick summary of how passkeys work:

Passkeys leverage an API called WebAuthn. Instead of a traditional password, WebAuthn uses public and private keys – otherwise known as public-key cryptography – to check that you are who you say you are. The advantage of this approach is that you never have to share your private key (hence the name), and the public key is useless to an attacker on its own.

If there was a password behind every passkey, it would still be possible to “phish” the account owner. Passkeys are resistant to phishing because there’s no plaintext password or ‘secret’ that the user can be tricked into sharing, or that an attacker can try to intercept. This makes passkeys a more secure option than a traditional password.


At first, websites and apps will likely offer passkeys alongside traditional password authentication. That way you’ll have a choice, and can use both methods in tandem if you wish.

Misunderstanding: You need Bluetooth to log in to an account with a passkey

Some articles have implied that a Bluetooth connection is required to successfully authenticate and sign in to accounts using passkeys.

That’s simply not true.

When you create a passkey, the website will ask you to confirm your authenticator. This could be your phone, tablet, PC … or, in the not so distant future, 1Password. The next time you want to sign in, your device will ask you to authenticate using your face or fingerprint as a security measure, but that’s it.

Bluetooth only plays a role if you create a passkey using one of the solutions offered by Apple, Microsoft, or Google, and then need to access that same passkey from a device that sits in a different company’s ecosystem.

For example, let’s say you create an online account with a passkey using Google’s password manager on your Android phone. And then you want to access that same account on your Windows PC. In this scenario, you’ll normally be prompted to authenticate using your Android phone.

Bluetooth is required to check that your Windows PC and Android phone are physically close to each other. (This is to prevent phishing.) But passkeys don’t rely on Bluetooth’s security properties to secure the actual sign-in process.

That’s why, if you’re using the same device, or a solution that syncs your passkeys between devices, you don’t need a Bluetooth connection.

Misunderstanding: You only need a single passkey to access all your online accounts

A single passkey isn’t a master key that can unlock all of your online accounts. You’ll still need to create a passkey for each online account.

That might sound a little tedious, but in practice passkeys are incredibly convenient to create, store, and use. That’s because:

  • You don’t have to create anything manually. Your authenticator will generate a passkey – which contains a public and private key pair – on your behalf.

  • Every passkey is strong by default. So you don’t have to worry about whether your private key is long or random enough.

  • You don’t have to remember or type out your passkeys. Your private key is stored on your device, and retrieved automatically when you want to sign in to your account. A copy of your public key is stored with the account provider so you never have to type it out. Instead, your passkey is processed seamlessly in the background when you select ‘Sign in’.

Misunderstanding: If someone steals your phone, they can instantly access your passkeys

Your phone is a safe place to store your passkeys. For starters, most hackers won’t travel to wherever you are, because pickpocketing is neither cheap nor time-effective. Instead, attackers will likely try other tactics that don’t require them to leave their computer.

If someone did manage to steal your phone, it would still be difficult for them to find and exploit your passkeys. That’s because they would need to unlock your device first. If you’ve secured your phone with biometrics, or an alternative method that’s difficult to guess – like a strong and unique password – an attacker will have a hard time breaking in and accessing your passkeys.


Your confidential passkey data (e.g. the private half of every key pair) is also stored in dedicated security hardware such as a Trusted Platform Module (TPM), which is designed so the key can be used for signing but not extracted.

The bottom line is that you can rest easy knowing that your passkeys are well protected, even if a hacker managed to steal your phone.

Misunderstanding: You can’t sign in to your accounts if you don’t have the device that contains your passkeys

What happens if you arrive at work and realize you’ve forgotten the phone that has all your passkeys? Will you be locked out of all your online accounts? Not necessarily.

Google, Apple, and Microsoft will sync your passkeys across devices using their respective cloud-based storage services. So if you create a passkey using an iPhone, you can access the same passkey on your other Apple devices via iCloud.

Okay, but what happens if you’ve forgotten your iPhone, but need to use a Windows PC in a public library? In this scenario, you should be given a second option to sign in. For example, a website might send you a “magic link” — a one-time link that lets you instantly sign in — to your chosen email address.

Passkey support is also coming to 1Password! (Sign up to our passwordless newsletter for updates!) This will let you access your passkeys on all your devices, regardless of which operating system they run, and any major web browser. That way, there’s no need to worry if you leave your phone at home one day.

Misunderstanding: You’ll lose access to your accounts if you lose the device that contains your passkeys

It’s natural to worry about what would happen if you broke your phone. Or what would happen if you left your laptop in a public place, like a cafe, and went back only to discover it had vanished.

As we’ve already covered, it’s possible to sync your passkeys between devices. Apple, Google, and Microsoft will offer to sync your passkeys within their respective ecosystems. And, later this year, you’ll be able to use 1Password to create, store, and seamlessly sync passkeys.


If you don’t opt in to syncing and lose the device that contains your passkeys … your passkeys will be lost. But don’t worry! You’ll still have other options to access your accounts, like magic links. Once you’ve successfully signed in, the site or app should then give you the option to create a new passkey.

The simpler and less stressful option is to sync your passkeys between devices. With 1Password, you’ll soon be able to create, save, and access passkeys on any piece of hardware, alongside your passwords, credit cards, and other digital secrets.

Misunderstanding: Your passkeys are vulnerable if your biometrics are compromised

Unlike a password, you can’t change your face or fingerprint. (Not easily, anyway!) With this in mind, you might be worried about the possibility of someone stealing your biometric data, and then using that to wreak havoc with your passkeys.

Researchers have proven that some Android phones can be fooled by a high-quality photo of the device’s owner. This has led to more Android devices with depth-sensing cameras and 3D mapping technology similar to the iPhone.

Depth mapping allows your device to turn a photo of your face into a mathematical representation that’s only ever stored locally, and never transmitted over the internet. For example, your Apple device stores biometric data encrypted with a key made available only to the Secure Enclave — a component built specifically to safeguard and process sensitive data.


Apps that offer biometric authentication never have direct access to that data. Instead, a request is sent to the Secure Enclave. It verifies your identity by ensuring the stored mathematical representation of your face matches the one currently being presented.

So, what does all this mean?

A theoretical attacker needs physical access to your device and a flawless representation of your face or fingerprint. Obtaining both is incredibly difficult.

The chances of someone breaking into the Secure Enclave are also extremely slim. And even if they did, they wouldn’t find a picture of your actual face.

Passkeys: An exciting future

The bottom line is that passkeys are safe and convenient for the vast majority of people. That’s why we’re so excited about this new kind of login credential, and are working hard to make passkeys simple enough for everyone to use in their daily lives.

Of course, 1Password will continue to protect your traditional passwords. But we look forward to helping you create, store, and sync passkeys too, so you can live an even simpler, more secure life online.


Nick Summers

Content Marketing Manager


FAQs

What are the downsides of passkeys?

The disadvantages of using passkeys include: they are not yet widely adopted, they need extra software and hardware, and they can be costly, so businesses may need to budget for implementation.

Why are passkeys a bad idea?

For example, if you use a passkey to log in to an app on your phone, you'll still need a password on your laptop if you want to use a browser that doesn't yet work with passkeys. Getting passkeys set up on your various devices can be tricky because things don't always sync seamlessly.

What happens to passkeys if you lose your phone?

What happens if a user loses their device? Passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. That means users' passkeys go with them when they replace their devices.

Do passkeys work without internet?

No! You don't need an internet connection to use your passkey because it's stored locally on your device. This means that you can use a passkey on your phone to unlock your computer, without the need for an internet connection.

Can passkeys be stolen?

Can thieves access passkeys from a stolen device? If an attacker steals your phone, they can't access your passkeys right away. The theoretical attacker would still need to unlock your device. You might have Touch ID, Face ID, or another kind of biometrics set up.

Should I move to passkeys?

They can't be guessed, leaked, or stolen, and they stop phishing attacks in their tracks, according to those behind the technology. Passkeys are widely considered to be more secure than passwords.

Can I still use a password if I have a passkey?

In some rare cases, you may be asked for your password even if you have a passkey on the device. To try to trigger the prompt for your passkey, you can use the "Try another way" option.

Are passkeys hackable?

The private key portion of the key pair used in passkey authentication cannot possibly be stolen or hacked.

How do I remove passkeys?

Where passkeys are stored: for Apple users, they are saved to their personal Apple iCloud Keychain. While Apple users can remove their passkey right there, Windows users have to search a bit. Android users can delete their passkeys via the Google Password Manager.

Does Apple use passkeys?

Since passkeys aren't exclusively the domain of Apple, once it's fully launched, you should be able to generate them on non-Apple devices for passwordless sign-in with your Apple ID, too, using Android or Windows with either the Chrome or Edge browser, each of which supports passkeys.

Does Google use passkeys?

Passkeys are a simple and secure way to sign in to both your Google Account and all the sites and apps you care about — without a password.

Are passkeys more secure than 2FA?

Unlike passwords and 2FA codes generated from shared secrets, passkeys create unique, signed challenges for each authentication attempt, making replay attacks impossible. Gibson acknowledged that while the cryptography underlying passkeys is vastly more secure, user perception could be a potential stumbling block.

Are passkeys phishing resistant?

Passkeys offer a compelling combination of security and convenience, making them a powerful tool against phishing attacks. By eliminating the need for passwords and leveraging strong cryptographic principles, passkeys provide a phishing-resistant authentication method that enhances both user experience and security.

How do I use passkeys with 1Password?

In the 1Password apps: if you aren't already using 1Password, select Sign In > Enter account details. Enter the email address for your test account and select Next, then select Sign in with passkey. Follow the steps to authorize your passkey using your iOS or Android device.

Where are passkeys stored?

On Android, passkeys can be stored in the Google Password Manager, which synchronizes passkeys between the user's Android devices that are signed into the same Google account. Passkeys are securely encrypted on-device before being synced, and require decrypting on new devices.

What are the disadvantages of key-based authentication?

Drawbacks of keys: second, keys can pose a security risk if they are lost, stolen, or compromised. If someone gets access to your private key, they can impersonate you and access your servers. Third, keys can create compatibility issues with some systems or applications that do not support key-based authentication.

Are Apple passkeys safe?

Passkeys are more secure than passwords, because they're uniquely generated for every account by your own device, and are less vulnerable to phishing. And they work on all your devices that are signed in to the same Apple ID.

Are passkeys better than 2FA?

"Everything about passkeys is superior to everything that has come before it," Gibson asserted. Unlike passwords and 2FA codes generated from shared secrets, passkeys create unique, signed challenges for each authentication attempt, making replay attacks impossible.
