What is a passkey? And why are they better than passwords? (2024)

What is a passkey?

At a time when both businesses and individuals are constantly looking for improved methods to secure their digital identities, one innovative technology is coming to the fore – the passkey.

Passkeys signify a leap toward a password-less era, championed by tech giants like Google, Apple, and Microsoft. By removing the ubiquitous password hurdle, passkeys provide a more seamless and secure method of authentication that can counter cyber threats such as phishing and brute force attacks.

This technology goes together with the drive for increased security and ease of use in the digital world. In this article, we will take a closer look at the passkey, how it works, and its potential cybersecurity benefits and challenges. Amidst an ever-growing threat environment, the passkey could be a game changer, paving the way for more robust security protocols in the online world.

How secure is passkey?

Passkeys offer a revolutionary leap in digital security as they eliminate the need for traditional passwords. Unlike passwords, passkeys do not rely on shared secrets; instead, they utilize a cryptographic technique where only a public key is stored on the server, and the private key remains on the user’s device.

This system prevents attackers from intercepting passkey data in transit or stealing it from compromised server databases, bolstering passkey defense against phishing and unauthorized access. Moreover, because passkeys are unique to each site and device, they significantly reduce the risk of widespread account breaches.

How do passkeys work?

Passkeys enhance online security by leveraging a type of user authentication that relies on public key cryptography. Essentially, a passkey is a unique digital credential that is created and stored on a user’s device, such as a smartphone or computer. When you attempt to access an online account, the passkey confirms your identity securely without transmitting a password. Here’s the simple process:

Creation: When you log in to a service, your device creates a passkey. This involves generating a pair of cryptographic keys – a public key that is shared with the online service and a private key that remains securely on your device.

Authentication: To sign in, the service sends a challenge to your device. Your device signs this challenge with the private key, which can only be unlocked with a factor like a fingerprint, face scan, or a PIN.

Verification: The online service verifies the signed challenge using the public key, confirming your identity without ever seeing or storing your private key.

This method means that even if a service is compromised, your passkey remains secure because there’s no actual password or private key stored on the server. It’s a revolutionary step forward in eliminating traditional password vulnerabilities and making sign-ins more seamless and secure.

Which websites and apps support passkey?

Many websites and apps now integrate passkeys in line with industry-wide security standards, enhancing user authentication security and convenience. This move towards a passwordless future is propelled by the simplicity and enhanced security that passkeys provide over traditional passwords.

Notable platforms like PayPal, LinkedIn, X (formerly known as Twitter), WhatsApp, and Amazon have adopted passkey support, allowing users to leverage this technology for a seamless and secure sign-in experience across various platforms. In particular, Amazon has harnessed passkeys to enable secure access and transactions on its platform through iPhone devices. The adoption of passkeys reflects a broader industry trend aiming to mitigate the vulnerabilities associated with conventional password-based authentication systems, by offering a more secure and user-friendly alternative.

This adoption is further backed by the standards set by global consortiums like the World Wide Web Consortium (W3C) and the FIDO Alliance, which promote passwordless authentication mechanisms, including passkeys, to enhance the overall security and usability of digital platforms.

How do I set up a passkey?

To set up and use passkeys on a mobile device, you must be running at least Android 9 or iOS 16. On desktops, Windows 10 or macOS 13 Ventura or higher must be installed. You must also be using a supported browser (Safari 16, Google Chrome 109 and Microsoft Edge 109) or newer. In addition, any FIDO-certified security key can be used, including NFC and USB-based physical keys.

Setting up passkeys with Google

Passkeys can be made with the website or app you want to use but doing it through your Google account is easier. If you use an Android device, it makes passkeys for you when you sign into Google. Here’s how you can set it up:

• Go to your Google profile.
• Click on Manage your Google Account > Security > Passkeys.
• Click the blue Use passkeys button.
• On a device that doesn’t have a passkey yet, click Create a passkey.
• Click Continue to add the device you’re using as a passkey.

Setting up passkeys with Apple

First, you need to enable the iCloud Keychain, so that your device can synchronize with other Apple devices.

How to enable iCloud Keychain in iOS 16:

• Open the Settings app on your Apple device.
• Click on Passwords, then click Password Options.
• Enable AutoFill Passwords and allow iCloud Passwords & Keychain.

You will also need to enable two-factor authentication for your Apple ID:

• Open the Settings app on your Apple device.
• Click on your name.
• Click on Passwords & Security.
• Click on Turn on Two-Factor Authentication and follow the prompts.

How to set up passkeys for a new account on your iPhone:

• At the login screen for a supported app or website in Safari, sign in for a new account with an account name, email address or whatever is asked.
• When passkey is supported, a pop-up will appear and ask if you want to save a passkey. Click Continue.
• If the pop-up doesn’t open immediately, look for an option to select passkey or a form of other authentication.

How to set up passkeys for an existing account:

• Log into the account, you want to set up.
• Open the account management for that app or website.
• In the account settings, search for an option that contains security or password settings.
• Generally, you will see an option to add a passkey, through which a pop-up appears.
• Click continue.

Lost your device? How to restore your passkeys

Since your passkeys are stored on your device, there’s no doubt that losing or damaging your device with passkeys is a concern. However- the cross-device functionality of passkeys offers a silver lining: you may have a backup available. A variety of services that support passkeys also allow a re-authentication using your phone number, email address or a hardware security key, if you have one.

Understanding the benefits of passkeys

Passkeys utilize cryptographic key pair technology, ensuring that each login is both strong and unique. This innovative approach eliminates common password vulnerabilities, such as susceptibility to phishing attacks or exposure from data breaches. Moreover, passkeys streamline authentication with straightforward verification prompts on user devices, eliminating the hassle of memorizing complex passwords.

By leveraging the inherent security features of a user’s device, passkeys also make unauthorized access significantly more challenging for cybercriminals, providing a robust layer of protection for online accounts.

What are the downsides of passkeys?

Passkeys come with several drawbacks despite their security benefits. Primarily, their adoption rate is low, making universal access a challenge. Their functionality often depends on additional software or specialized hardware integration, potentially adding complexity and costs. Furthermore, the initial investment and ongoing maintenance for implementing passkeys can be significant, potentially straining the budgets of smaller businesses.

For a deeper understanding, passkeys are a relatively new technology, and many users and platforms are still accustomed to traditional authentication methods. This means that compatibility can be an issue, with users needing to navigate between systems that do and do not support passkeys.

Moreover, while passkeys aim to enhance security, they can create new logistical hurdles, such as the need for robust backup solutions if the user’s primary device is lost or compromised. These factors collectively present notable obstacles that organizations and individuals must consider before adopting passkeys.

Why are passkeys important?

Passkeys are essential as they offer a superior alternative to traditional passwords by enhancing security and simplifying the authentication process. By leveraging public-key cryptography, passkeys eliminate common risks associated with password breaches, phishing, and other forms of cyberattacks.

They are uniquely generated for each site, never stored on a server, and remain on the user’s device, making them virtually impervious to theft. This passwordless system not only strengthens protection against unauthorized access but also streamlines the login experience, offering a quicker, user-friendly approach that doesn’t compromise on security.

Related articles:

What is a password manager?

What is a passphrase?

What is authentication?