Passkeys (Passkey Authentication) (2024)

FAQs

Do I still need 2FA with passkeys? ›

Do I need 2FA with my passkey? No, because 2FA is built into the passkey that is provided to the website during the login process. Each website may choose to include an additional step for logging in, though most do not.

A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor.

Like passwords, passkeys are encrypted and stored in your iCloud Keychain, where they aren't visible to anyone (including Apple). Note: To use passkeys, iOS 16, iPadOS 16, macOS 13, or tvOS 16 (or later) is required. iCloud Keychain and two-factor authentication must also be turned on.

Notably, the era of traditional passwords is coming to an end and organizations' are increasingly recognizing the need for more secure and user-friendly authentication methods. Passkeys offer a promising alternative to passwords, providing enhanced security and usability for users.

It would be nearly impossible for a hacker to guess the passkey – hence the need to physically possess the device the passkey is accessed from. Passkeys consist of a long private key – a long string of encrypted characters – created for a specific device. Websites cannot access the value of the passkey.

Multi-factor authentication (MFA) vs Passkey authentication

Passkey authentication achieves MFA in a single step. While the user only needs to perform a biometric scan or enter the device pin, the underlying authentication process combines two factors: the passkey itself and the biometric/device pin.

The disadvantages of using Passkeys include: they are not yet widely adopted, they need extra software and hardware, and they can be costly, and businesses may need to budget for implementation.

Passkeys also can't be stolen in a data breach. Only the public key is stored on an app or website's server, and it's useless without the corresponding private key. Without physical access to your device (and a way to unlock it), no one can log in to your passkey-protected accounts.

They can't be guessed, leaked, or stolen, and they stop phishing attacks in their tracks, according to those behind the technology. Passkeys are widely considered to be more secure than passwords.

You can find a list of websites that support passkeys at passkeys.io. Some well-known websites and apps that support the technology include Adobe, Amazon, Google (where passkeys now secure over 400 million accounts), GitHub, PayPal, TikTok, Nintendo, WhatsApp, Shop by Shopify, and X.

Will banks use passkeys? ›

Passkeys can be physical, for example taking the form of a USB devices or smart card. One organisation using this method is Barclays, who provide their banking customers with a card reader that generates a unique passkey each time they try to log in, or to carry out key tasks within their account.

However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud keychain escrow, which is also protected against brute-force attacks, even by Apple.

In some rare cases, you may be asked for your password even if you have a passkey on the device. To try to trigger the prompt for your passkey, you can use the "Try another way" option.

In 2022, for World Password Day, we launched passkeys. Today, we're proud to announce that they have since been used to authenticate users more than 1 billion times across over 400 million Google Accounts. We're also excited to announce the expansion of our Cross-Account Protection program and new updates to passkeys.

You can use 1Password to save the passkeys you create for your accounts and sign in to websites with passkeys in your browser.

If you use two-factor authentication (2FA), passkeys satisfy both password and 2FA requirements, so you can complete your sign in with a single step. You can also use passkeys for sudo mode and resetting your password.

A tale of two differences

Passwordless authentication is passwordless by definition – it's designed to replace your passwords. Two-factor authentication is an entirely different concept. Rather than replacing something, 2FA adds a step (factor) to help strengthen the security of a password-protected account.

They can't be guessed, leaked, or stolen, and they stop phishing attacks in their tracks, according to those behind the technology. Passkeys are widely considered to be more secure than passwords.

2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that's no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.