Everything You Need to Know About Passkeys: The New Alternative to Passwords
According to some, passkeys could sound the death knell for traditional passwords and change how we keep our online accounts safe from hackers. The aim of this new form of authentication technology is to keep accounts more secure than passwords can.
They will also save us from remembering hundreds of passwords that we keep forgetting anyway and having to change countless times throughout the year. In short, passwords could eventually become a relic of the past. Password managers already exist, and for some people, they are a great way to keep all those different account passwords safe and secure in the same place.
However, even today's best password management service providers aren't impenetrable to cyberattacks. Their systems can easily be breached, meaning your passwords could easily be stolen. In fact, it has already happened – LastPass was breached in 2022, and OneLogin was hacked in 2017. Another way your account passwords can be hacked is if you have a weak password and a hacker manages to guess it.
If you use a similar password that's easily guessable across all your accounts, you could potentially leave yourself open to an even bigger hack.
Passkeys have been designed to increase the security of your online accounts by using passwordless login instead of the standard password system. Each passkey used to access your online account is essentially a unique digital key that can only be used on one occasion. They come with an added layer of protection through tighter encryption and are stored locally on your device rather than on a company's server, which could potentially be breached by cybercriminals and hackers purposely looking to exploit weak systems and steal important data.
If you've heard about passkeys and have considered using them to access your accounts instead of passwords, here is everything you need to know about this exciting new alternative to passwords. You can also discover which services and devices currently support passkeys.
The trouble with passwords
A computer science professor at MIT (Massachusetts Institute of Technology), Fernando Corbato, invented the world's first-ever digital password in 1961. He was looking for a way for multiple users to work on a shared computer, and he came up with the simple idea of a password, which then became the norm for accessing digital accounts. Today, we use them each time we go online and sign into our accounts, and they are something we couldn't do without.
Passwords can be anything you want them to be, but some website accounts have different requirements to ensure your account is more secure. They must usually be at least four characters long, but the safest passwords tend to be the ones that contain ten or more characters. Hackers can easily access people's accounts with weaker passwords like 1234567 or 1111111, for example.
The stronger passwords that are much more difficult for hackers to guess usually contain a mixture of numbers, letters, and symbols (e.g., %, !, @, #, or ?). The problem with this is that although passwords like this are far more difficult to guess, they are also a lot more difficult to remember.
People are advised not to use the same password for multiple accounts for obvious reasons. It means they now have to try to remember 10 to 20 or more difficult passwords, which is impossible for millions of people. The main difference between passwords and passkeys has been described in the following way: passwords are more like secrets that humans can read and transmit over the web, whereas passkeys are more like a possession-based authentication method with added layers of encryption.
Passwords are far more prone to being guessed, and people who use them are more likely to have their accounts hacked. Passkeys are completely different. They bring new levels of security to online accounts that were previously unimaginable. They have also been described as having an unphishable primary factor at the point of user authentication, which almost every modern computing device naturally has built-in.
Passkeys look set to be the preferred way for people to protect their online accounts going forward. The best thing about passkeys is that users don't need to remember long and tricky passwords each time they want to access their accounts, and they never have to worry about accidentally saving their login credentials on a shared computer.
What exactly is a passkey?
A passkey is the newest way for users to log in to their website accounts via the internet without using the traditional password method that most of us still use. With passkeys, there's nothing to remember, and they can be used on smartphones, tablets, laptops, and desktop computers. Passkeys are built on WebAuthn (Web Authentication), a standard that uses public-key cryptography and is capable of securing your account much better than passwords. It's also impossible for phishing attacks to steal passkeys.
Two common techniques hackers and cybercriminals use to steal passwords are social engineering and phishing scams, which aim to breach someone's account and then gain access to sensitive data or money. It's different with passkeys. Users are given a private key and a public key. The public key stays on a company's server, but the private key is stored locally on your device; therefore, it's more difficult for a hacker to obtain.
How passkeys are created and used
When you next visit a website that supports passkeys, like the ones listed further down on this page, instead of using a password to access your account, you will be able to create a new account and use a passkey.
While doing this, the website will request that you confirm your authenticator, meaning your smartphone or other mobile device, or even a password manager service that supports passkeys. Before you can gain access to your account, the authenticator needs another form of verification.
It doesn't necessarily mean your master password. It could also mean biometrics, like your fingerprint or facial recognition. Using either biometric method means there's still no need for you to remember a lengthy password to verify yourself to your authenticator. As mentioned above, this is where public and private keys come into play. They are generated by the authenticator and are linked mathematically. Although the public key remains stored on the website where you are trying to access your account, your private key remains private and will only ever be stored on your smartphone or tablet device.
When you attempt to log in, a 'challenge' will be sent to the authenticator by the website's server. Your private key then solves the challenge to produce the response, which is sent back to the server. When the server verifies that both keys match, you will instantly gain access to your account.
The process sounds a lot more difficult and longer than it actually is. It all happens in the blink of an eye and occurs without ever needing a traditional password. Some have even said that the process is quicker than the time it takes to log in using the traditional password method (especially when people use lengthy passwords with a mixture of letters, numbers, and symbols).
Many people are more likely to store their passkeys on their mobile devices, but passkeys can also be used to gain access to your online accounts from a laptop or desktop computer. If you prefer using a computer to access online accounts, the website server will generate a QR code that your mobile device can scan, and then you can log in using a passkey. However, when using this method, your computer must have Bluetooth so it can establish a secure connection between the two devices.
Which devices can I use passkeys on?
Passkeys may still be a new invention, but many of today's best computers and mobile devices support this modern way for people to access their online accounts. Some of today's biggest tech companies, including Apple, Google, and Microsoft, worked to develop them using W3C and FIDO Alliance standards.
For example, passkeys have been available on iPhones since iOS 16 was released. Instead of users having to remember their passwords for authentication, passkeys on these devices use Face ID and Touch ID, making life so much easier for people who don't like using the outdated password method.
For those of you who prefer using today's best Android tablets or smartphones, Google Password Manager stores and syncs your passkeys securely. Before you can use a passkey from an Android device, you would first need to activate your screen lock to prevent other people who may end up in possession of your phone from using your passkey.
For those of you who prefer using a Windows 10 or 11 desktop or laptop computer and want to use passkeys to access your accounts, you will need to use Microsoft's Windows Hello. Your passkeys are synced with your Microsoft account, meaning using them on other devices is possible, provided you're logged in.
Additionally, the Firefox (version 60 or higher), Safari (version 13 or higher), Microsoft Edge (79 or higher), and Google Chrome (79 or higher) web browsers support passkeys.
What happens if you upgrade your smartphone?
You may have been wondering what happens with the passkeys stored locally on your smartphone, especially if you have been considering upgrading your current model. Don't panic because passkeys can be transferred from your old device to your new device in just a few simple steps.
For example, when you set up your new Android mobile device and move your apps and other data to it, the end-to-end encrypted passkeys are also transferred to the new device. However, in certain scenarios, for example, if your old smartphone was damaged beyond repair, stolen, or lost, you would need to recover your passkeys from a secure online backup.
It means you would have to provide your lock screen pattern, password, or PIN from your old smartphone that has access to those passkeys. It's also relatively straightforward when upgrading your iPhone because your passkeys are kept securely in your iCloud Keychain. All you need to do is log in to your account with your Apple ID from your new iPhone and then respond to the SMS sent to a mobile number you trust.
At this point, you must enter the device passcode. According to an Apple support document, you only get ten attempts to authenticate on macOS, iPadOS, or iOS.
Which websites now accept passkeys to log in?
On top of setting up passkeys on your desktop or mobile device, before they can be used to access certain accounts, you would first need to find websites and services that support this way of logging in. Examples of sites that accept passkeys are Nvidia, Best Buy, PayPal, and eBay, to name a few. For a complete list of passkey-accepting websites, don't forget to check out the passkey directory on the 1Password website.
They also have a useful search engine, which makes it much easier to see if your favorite websites accept them, instead of manually searching through the directory. Over the coming months, it's also likely that even more websites will be added to the directory as this form of technology becomes more popular.
Will passwords ever be completely replaced by passkeys?
Most people haven't even heard of passkeys, and others who have heard of them may prefer using passwords still because that's what they have used all their lives. However, there are flaws in passwords, and as people make their passwords more complex to prevent hackers from gaining access to their accounts, they are becoming much harder to remember.
These reasons alone could mean that the traditional password system's days may be numbered. Only time will tell. Passkeys are far more secure and a much easier system, so there's a good chance they will end up becoming more popular than passwords. We could even see passwords completely disappear, but this won't happen overnight. If you want to protect your accounts as much as possible, then you may not want to get left behind, so you may want to think about using them before it's too late.