We’re all tired of passwords. While thelatest password managersmake them easier to create and control, they’re still a pain and dangerous if stolen. When it comes to security, passwords often feel like a necessary evil.
For the past several years, passwords have been replaced by new options. From Apple’s iOS FaceID to the little swipe patternsome Android phonesallow you to use, more and more logins are ditching passwords and passcodes. From a technical perspective, what’s taking its place?
That’s called a passkey. This technology works behind the scenes and is responsible for a growing amount of everyday security. Here’s how it works.
Passkey vs. password: How passkey technology works
A passkey is a form of encryption technology that lets you log in to devices, apps, and services without a password. Passkey technology creates a private key and a public key. Both are long, complicated codes. The private key lives on your device. No one, not even the platform creators, knows what it is, so services can reuse it safely. The public key lives on company servers or software that you are trying to use. It doesn’t say much about you. If it is stolen, hackers can’t access accounts or sell the information to others.
When you log in to a device or service, the private and public security keys go through a quick handshake process (it’s like a little math puzzle), solve that puzzle, and unlock it. There’s nothing to memorize, no worries about not including enough random symbols in your password, and no extra steps. Your login credentials stay secure for reasons we’ll touch on more below.
The concept was created by the FIDO Alliance, which is an alliance of major tech, finance, and security companies like Apple, Google, Microsoft, Amazon, Dashlane, PayPal, Samsung, Visa, and Mastercard. Its goal is to push consumers into a password-free or passwordless future because password protection (and a lack thereof) is a headache to businesses like these.
Is a passkey more secure than a password?
Generally, yes. First, you don’t have to memorize a password, and no one will be leaving a passkey around on Post-It notes on their Windows PC or Mac for others to find. There’s no such thing as a “weak” passkey, and hackers can’t attempt to brute force it with common phrases. If data breaches occur, public keys don’t activate anything alone. This also makes many phishing attacks to get mothers' maiden names and the names of first pets useless. But something deeper is at work.
When you use a passkey, you still need to log in. How does the passkey know it’s you and not anyone with the right device? The answer is usually biometrics, using your face or fingerprint or something similar that identifies you as the account owner. In other situations, like on certain Chrome services, you’re asked to enter a code throughtwo-factor authentication. Sometimes, you’re assigned a private PIN or can create a login process for something like a phone. The keys are created with WebAuthn or the Web Authentication standard, which uses public-key cryptography, to run through the process described above and keep everything safe.
Do passkeys have any additional benefits?
They’re fast. Passkeys are speedy to set up and use. Physical inputs are kept to a minimum. Because they live on your device, they allow various things that passwords can’t, like swipe-to-pay or wallets that store your tickets. Plus, you don’t have to keep thinking up or memorizing strong passwords, even master passwords that you would use for something like 1Password.
1Password embraces passkey support on mobile
Cross-platform passkey login and storage is nearing
How do I get a passkey?
If you use a device or service that has a passkey, you’re prompted to choose a PIN or create an access process with biometric information. That’s why Galaxy phones ask you to roll your thumbprint around for a while and why iPhones want a good look at your face. Usually, that’s all you need to do. It’s a common experience when managing your Google account, iCloud keychain, or other common setups.
In some cases, like logging in to online services, you’re asked to set up two-factor authentication with an email or text. Some use QR codes, but that’s rare.
Is a password ever better than a passkey?
Passkeys offer incredible benefits in specific situations but aren’t everywhere yet. They still struggle in some situations. You’re more likely to find them with companies that are part of the FIDO Alliance, including PayPal, Google, and Microsoft, and Apple. Apple was one of the first to use passkeys and the one with the fullest support for passkey technology thanks to its enclosed ecosystem. While acceptance continues to grow, support isn’t everywhere, and some industries are slower to adopt passkeys than others. So passwords are far from dead.
One reason passwords linger is that they don’t need the tech infrastructure that passkeys require. From a business standpoint, they’re cheaper to use. Passwords are also universal. Everyone knows how to use them, and they don’t care what device you’re using or what browser you pick.
Finally, all the biometric requirements common with passkeys make some people nervous. Having Apple scan your face or multiple services get your fingerprint can feel invasive. Passwords, while clumsy, aren’t permanently linked to a person.
Are passkeys replacing password managers?
Not really. Notable password managers like LastPass and Dashlane are part of the FIDO Alliance and use WebAuthn technology to protect their passwords. Password managers can also keep PINs and other security information that passkeys need to work.
Welcome to your passwordless future
Passkey cybersecurity is here to stay and slowly but surely replacing the passwords we use every day. That’s a good thing. People are a bit lazy and free with passwords to make them a reliable security tool. Passkeys fix those problems, prevent millions of dollars wasted in data theft, and keep your identity secure. When you have a chance to use passkeys, don’t turn it down. They’re a future we’re looking forward to.
