If you use a phone or computer at all, you’ve probably noticed services prompting you to create passkeys for logging in. And you’ve probably been hitting “not now” to avoid them. Who needs yet another authentication step to remember?
But beneath that layer of friction, passkeys represent the biggest leap in personal security since the invention of the password itself. They aren’t just a new type of code to remember; they are designed to be the end of the “remembering” era. And it may be time to accept them.
What are passkeys?
Passkeys are digital credentials that were created specifically to address problems resulting from the internet’s reliance on passwords. Passwords are tough for users to manage, onerous for services to protect, and relatively easy for crooks to steal. Passkeys, on the other hand, are designed to be more or less invisible, use the strong authentication users already have on their devices, and be impossible to give away.
Standards around them were created by the FIDO Alliance, which includes Apple, Google and Microsoft, most major password managers and several governments, including Australia’s.
When you create a passkey, a pair of codes is generated. A private code stays with you, encrypted on your device or a secure service. A public code goes to the app or website you’re logging in to. Any time you log in, rather than your device sending a key online, the web service essentially sends the lock to your device, so it can be opened in private.
There is no password that the app can lose, or that crooks can take from you. As a user, all you should ideally need to do is create the passkey and then never think about it again.
Why every app is asking you to make one
From the perspective of apps and services, passkeys are far superior to passwords. Fewer people relying on passwords means there’s less of an incentive for crooks to try to break into services, or to harvest passwords from elsewhere and stuff them into important platforms they can steal from.
It also greatly lessens the impact of phishing. At present, many attacks involve tricking a user into supplying their passwords, but passkeys are cryptographically tied to a specific website or online platform, so your device can’t be fooled into using your OpenAI passkey on a look-alike site called OpenA1.
There’s also a lot of friction and frustration involved with maintaining security around passwords. At present, users need to remember their passwords, verify their identity with two-factor authentication SMS codes, and have a secure path in place to reset their password if forgotten. Passkeys can streamline all that.
Here’s an example
Imagine you open the PayPal app and log in with your email address and password as usual. Maybe there’s an additional step, like a text with a one-time code. Then the app suggests you add a passkey, with a page explaining some of the benefits. You agree.
Next, you see a pop-up asking you to confirm the passkey. But this pop-up does not come from PayPal, it comes from your device’s operating system. It’s similar to when apps let you use Face ID or fingerprint for logging in. You are not creating a password that PayPal is responsible for storing, but rather a key that will remain with your device or chosen service.
For this example, let’s say we’re on an iPhone and have Apple’s default Keychain in charge of passkeys. You confirm the passkey on the prompt, which adds the private PayPal code (the key) to your device’s Keychain, and the public code (the lock) to your PayPal account. Next time you log in, you’ll use this key to unlock the app with the same method you use to unlock your device.
Beating prompt fatigue and fragmentation
If you’ve had a bad experience with passkeys, or you’re just sick of being asked about them, you’re not alone. Because each individual app and service is prompting you to switch, it feels like many individual tasks. And if you use a few different devices or password services, you probably have several ecosystems actively competing to store your passkeys, resulting in the same old problem of “now where did I put that password?” The solution is to think of passkeys as a big collection of actual keys, which you want to take control of and put on the same keyring.
For example, if you solely use Apple devices, you’ll want to use iCloud Keychain. If you’re mostly going to be logging in on an Android phone, use your device’s default Autofill service. Google and Microsoft have account-based passkey managers that work across their various devices, apps and operating systems. On the odd occasion that you use a different device that doesn’t have access to your passkey, most of these will generate a QR code to get it, and verify your device is physically nearby via Bluetooth.
If you’re going to be moving around a bunch of different devices, you should look at a third-party option such as Bitwarden, 1Password or Dashlane. These can be installed as apps or extensions on all your devices. The only friction is that you will have to instruct each of your devices to use it as default, and turn off other services such as iCloud Keychain, to avoid doubling up. Choosing a vault is important for keeping things simple, but you’re not locking yourself in forever. The FIDO Alliance has created a mechanism that will let you put all of your credentials into a file and send it (fully encrypted) from one provider to another.
For the power user, or ultra security conscious, there are also physical USB devices you can use to store passkeys.
Are there downsides to passkeys?
Compared with passwords, passkeys are more secure. But they aren’t impossible to circumvent, and the security risks are slightly different. With passwords, a criminal might find your secret code by breaking into a web service, or because some app didn’t store it securely enough. They can take that and jam it into other services, hoping that you’ve been reusing passwords. This can’t happen with passkeys. Criminals might also pretend to be legitimate services and ask for your password, stealing it to use on the real service. This also can’t happen with passkeys.
If you think of passwords as writing down a secret and sending it out for each service to store, passkeys are more like a physical set of keys you own, and the services bring the locks to you. But obviously that means if a criminal does swipe your keys (i.e. takes your phone or laptop, and has access to the PIN or biometrics you use to unlock it), they could use all your keys.
The other downsides are already present in secure password practice. Passkeys may mean you become more reliant on a certain ecosystem (i.e. if you store them with Apple it becomes more annoying to switch to Android), and if you don’t create proper recovery methods, you could end up locked out of everything if something happens to your devices.