Passkeys vs. Security Keys: How Do They Work? - Experian (2024)

What Is a Passkey?

Passkeys are a new passwordless way to sign in to online accounts that may be easier and safer than passwords. They rely on public-key cryptography, which is similar to the encryption that allows you to browse the internet securely and that's behind blockchain technology.

Instead of creating a password for your account, you can use a device (such as a phone or tablet) or password manager to create a passkey. When you try to log in to your account using a passkey, you may need to enter your device's PIN, scan your finger or scan your face.

In practice, using passkeys might feel similar to signing in to an account by scanning your face or finger with an autofilled password. But it's very different behind the scenes.

Each passkey is made up of a pair of private and public keys. When you log in, your device authenticates your identity using your private key. But, unlike with passwords, the other party never knows or finds out your private key.

What Benefits Do Passkeys Offer?

The new passwordless approach offers many potential improvements:

• You don't need to choose or remember your passkeys. Unlike passwords, you can't choose—and don't have to remember—your passkeys. As a result, you don't have to worry about losing or forgetting your passwords, and you don't have to deal with frustrating requirements to create secure passwords with certain characters or lengths.
• Companies don't know your private key. Other companies never have access to your private key, which also means hackers can't steal your passkeys during a data breach.
• Signing in might be easier. Depending on how you set up your passkeys, you may be able to access your accounts using the same PIN or biometrics, such as a fingerprint or face scan, that you use to unlock your device. If you create and store passkeys with a password manager, you might be able to sign in to websites with a single click.
• They can be single or multi-device. Some services, such as iCloud Keychain and Google Password Manager, can store and sync passkeys between your devices. You may also be able to create passkeys that can't be shared, which might increase security. Either way, if you have multiple accounts for the same website, you can create a different passkey for each account.
• Passkeys can prevent phishing. Scammers use lookalike phishing websites and social engineering to trick people into sharing personal, account and financial information. But you don't know your passkeys and they're unique to the website that you want to access. As a result, the passkey won't work if you try to log in to a phishing website.

Passkeys are still relatively new, and some of the services you use might not support them yet. You also might occasionally run into issues—particularly if you're trying to get your passkeys to sync across devices that are from different companies (such as a Windows machine and an iPhone). However, passkeys are widely seen as a safer upgrade to password-based authentication, so keep an eye out for this new option.

What Is a Security Key?

A security key is a physical device that you can use to help secure your accounts. They often look like small USB sticks and may have a fingerprint scanner and near-field communication (NFC) capabilities.

You can use some security keys to create and store single-device passkeys, but they're more often used with passwords for multifactor authentication (MFA)—a commonly recommended security measure.

Generally, your username and password will be the first factor. The second factor may be something you have (such as the security key or your phone) or something you are (such as your fingerprint).

To use a security key for authentication, you'll need to register it with the account you want to secure. Then, when you try to log in to your account, you may need to insert the key into your computer and tap it or use it to scan your finger. If you want to sign in on your mobile device, you may need to insert the security key or hold the security key near your phone.

What Benefits Do Security Keys Offer?

Security keys can help keep your accounts safe in several ways.

• They are more secure than other types of authentication. A security key can be a safer option than some forms of MFA. For example, someone might be able to intercept or trick you into sharing a code that's sent to your email or texted to your phone number. But they need to steal and break into your physical security key before using it to access your accounts.
• Security keys can prevent phishing. Security keys are registered to your accounts and won't work with lookalike phishing websites.
• They may offer passwordless authentication. Some security keys can be set up to enable passwordless logins. However, this is more commonly used with employees who need access to their work devices and systems than with regular consumer devices.

Security keys may be safer than using other forms of MFA, but they only work with websites that allow you to turn on MFA and support security keys. Yubico, a popular security key maker, has a directory that you can review.

Passkeys vs. Security Keys

Passkeys and security keys aren't an either/or option. You can use passkeys with some accounts and MFA via a security key with others. You could even use a security key to store your passkeys. However, if you're thinking about using either of these options to improve your online security, keep the following in mind.

Passkeys Are Free—Security Keys Are Not

One clear difference is that passkeys are free to create and use. Although you'll need to start using a password manager, the free options that come with your device or web browser may support passkeys.

Security keys can cost around $25 to $85 each, and you may want to purchase at least two in case one is lost or damaged.

Both Require a Learning Curve

Setting up and using passkeys or a security key for the first time can require a little research. Although we covered some of the basics, the exact process will vary depending on which password manager, devices, operating systems or security keys you use. You can look for tutorials and guides online.

Once you're set up, either option could help protect you from account takeover fraud, identity theft, loyalty account fraud and all sorts of other online threats.

Security Keys Might Be Less Convenient

Passkeys might not require a big shift in your usual processes, especially if you already use a password manager. If you don't use a password manager yet, this might be the change that gets you to start, and that's a good thing for keeping your accounts safe.

A security key could also be convenient if you leave it plugged into your computer—assuming you have an empty port available. However, you might also want to carry a security key when you're away from your computer, and you have to worry about losing or damaging the device.

Monitoring Your Identity and Credit for Changes

Keeping your online accounts secure is an important part of protecting yourself from hackers and scammers. Even if you're not ready to switch to passkeys or buy a security key—or you have accounts that don't support either option—consider using a password manager to create strong and unique passwords for all your accounts.

You can also sign up for free credit monitoring to alert you if someone tries to open a new credit account using your personal information. And if you want to try a more robust identity protection plan that can warn you if your information is found on the dark web, there are changes to your financial accounts or someone uses your Social Security number, Experian IdentityWorks℠ Premium and Family have a seven-day free trial if you want to see how they work.