Passwords are a pain. Secure passwords need to be unique and complex, which makes them difficult to remember. Even the best passwords can still be leaked or phished, leading to account takeovers. Passkeys are supposed to solve all of these problems, but do they, and are they worth the time to set up?

Passkeys are a way to log into your online accounts without a password. The "passkey" itself is stored on a device you own: your phone, laptop, or tablet can act as a passkey, or you can use a hardware security key like a YubiKey.

When you log in with a passkey, instead of entering a password, you either authorize the login with your device (which is secured with a PIN, fingerprint, or face scan), or tap your security key.

How Do Passkeys Work?

Passkeys use the WebAuthn standard. Your device generates a highly secure cryptographic key pair and shares the public key with the online service, which uses it to verify that a login attempt was approved with the associated private key on your device. The private keys are never shared with the service, and the public key that the service has access to cannot itself be used to log in, so if it leaks, your accounts remain safe.

Some passkey implementations let you back up and sync your private keys between devices (for example, using iCloud Keychain or Google Password Manager), so if you lose your phone, you can still log in from a synchronized tablet or laptop, or restore your keys to your replacement device. This is optional, and those who want extra security can opt not to enable this, or use hardware security keys.

Passkeys implemented by members of the FIDO Alliance (which includes Google, Microsoft, and Apple) are designed to work across platforms and services, so you should only need to get set up with one of them.

How Do Passkeys Protect You Better Than Passwords?

Passkeys work by proving that you have possession of your device to log in to an account. This, coupled with the biometrics used to unlock your device and approve the login, makes it incredibly difficult for someone else to gain unauthorized access. When your password leaks online, anyone can use it to log in to an account, but this is almost impossible with passkeys tied to a device that must be in your possession and unlocked to approve a login.

Accounts tied to passkeys will still usually need a username and password pair for setup and recovery purposes, but removing the need for you to enter your passwords greatly improves security. You can make your passwords really complex and secure them in a password manager (knowing you won't need to remember them), and it makes it more difficult for you to fall victim to phishing attacks. Being asked for your password instead of a passkey may indicate an illegitimate website, and passkeys only work for the specific site they were set up for (not phishing imitators).
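The key-pair login described under "How Do Passkeys Work?" and the site binding mentioned above can be seen in a simplified WebAuthn-style exchange. This is an added example, not code from the article or from any passkey vendor; the class and function names and the example.test domains are constructed, and real WebAuthn data carries more fields (such as a signature counter) than shown here.

```javascript
// Simplified WebAuthn-style login; names and the example.test domains are constructed.
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator (your device): one key pair per site; private keys never leave it.
class Authenticator {
  constructor() { this.credentials = new Map(); } // rpId -> private key
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.credentials.set(rpId, privateKey);
    return publicKey; // the only thing the service ever receives
  }
  // The browser fills in rpId and origin from the page actually being visited.
  getAssertion(rpId, origin, challenge) {
    const privateKey = this.credentials.get(rpId);
    if (!privateKey) return null; // no passkey for this site (e.g. a look-alike)
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05])]); // flags UP|UV
    const signature = nodeCrypto.sign('sha256',
      Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  }
}

// Relying party (the service): stores only the public key.
function verifyAssertion(assertion, publicKey, expected) {
  if (!assertion) return false;
  const { clientDataJSON, authData, signature } = assertion;
  const clientData = JSON.parse(clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return false;
  if (clientData.challenge !== expected.challenge.toString('base64url')) return false;
  if (clientData.origin !== expected.origin) return false;
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return false;
  return nodeCrypto.verify('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), publicKey, signature);
}

// Constructed demo: a legitimate login, then the same user on a look-alike domain.
function runDemo() {
  const device = new Authenticator();
  const publicKey = device.register('example.test');
  const challenge = nodeCrypto.randomBytes(32);
  const expected = { rpId: 'example.test', origin: 'https://example.test', challenge };
  const good = device.getAssertion('example.test', 'https://example.test', challenge);
  const phish = device.getAssertion('examp1e.test', 'https://examp1e.test', challenge);
  return { legit: verifyAssertion(good, publicKey, expected),
           phishing: verifyAssertion(phish, publicKey, expected) };
}
console.log(runDemo());
```

The fresh random challenge on every login is what stops a captured response from being replayed later.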

The Passkey settings window on Windows 11.

So, Should You Use Passkeys?

Yes! Security considerations aside, passkeys are just way more convenient to use than passwords. No remembering different passwords for each app or website, no typing in frustratingly complex passwords and trying to find symbols on your on-screen keyboard. Just make sure you've got your passkeys (and your devices) backed up, or if you're using hardware security keys, that you've set up a fallback device that's stored somewhere secure.

You can set up passkeys on your Apple, Google, or Microsoft accounts and devices. Many other services also directly support passkeys for logging in, and those that don't often let you sign in with an account that does (for example, using the "Sign in with..." feature to sign in with your Google account on a different site).