A passkey is a new way to log in that skips the need for usernames and passwords entirely. Instead of using traditional methods that are vulnerable to phishing and hacking attacks, passkeys allow websites and apps to verify your identity securely. They only exist on your device, so there’s nothing for fraudsters to steal.
Cybersecurity experts have long highlighted the need for strong passwords, yet many users still pick easy-to-guess ones or reuse them across sites. To combat this, two-factor authentication (2FA) was introduced, requiring a code sent via text or email to complete a login. However, savvy hackers have gotten around 2FA, too, making it only slightly more challenging for them.
So, how does a passkey actually work? When you try to log into a site that uses passkeys, it sends a notification to the smartphone you registered. You unlock your phone with a face scan or fingerprint, and it generates a unique passkey that connects with the website. You get logged in without needing to type anything out or send sensitive data over an unsecured Wi-Fi network. Unlike 2FA, which often relies on Wi-Fi, passkeys use Bluetooth to ensure your device is nearby, further enhancing security.
Passkeys are built on the Web Authentication API and are site-specific. They stay on your device, not on servers, making them less vulnerable to data breaches. For instance, Apple offers a well-rounded explanation of how passkeys operate within its ecosystem, using its iCloud Keychain to manage cryptographic keys securely. If you ever lose your device, you can still recover your keys.
The concept of passkeys dates back to 2009 when Validity Sensors and PayPal collaborated to replace passwords with biometrics. They, along with other tech giants, formed the FIDO (Fast Identity Online) Alliance, pushing for better online security. By 2014, PayPal and Samsung rolled out FIDO authentication with the Galaxy S5, allowing users to make transactions simply by swiping a finger.
Recent surveys, like the FIDO Alliance’s ‘Consumer Password & Passkey Trends,’ show that more people are opting for passkeys instead of passwords. Passkeys are inherently more secure because each one is unique and can’t be reused across platforms. Since they’re generated automatically, users don’t struggle with memorizing complex passwords or sticking to simple ones.
The technology behind passkeys involves end-to-end encryption, meaning even the companies that create them can’t access or alter them. Apple’s approach includes public-key cryptography, where one key is stored on the website’s server and another, private key, stays on your device. This structure keeps your login info secure against breaches. If someone falls for a phishing attempt, it wouldn’t matter because the passkey only works for the specific site that created it.
Awareness of passkeys has surged. In mid-2022, major players like Apple, Google, and Microsoft announced a push to make passkeys a standard authentication method. Apple integrated passkeys into its iOS 16 and macOS Ventura releases. Users can create accounts and log in using biometrics instead of passwords, with iCloud Keychain backing them up across Apple devices.
Google and Microsoft have also adopted similar technologies. Google supports passkeys in Chrome and on Android devices, while Microsoft includes them in its Windows Hello program for secure logins. Companies like GitHub, Facebook, and Verizon are also jumping on the passkey bandwagon—this list keeps expanding.
As more organizations drop traditional passwords in favor of passkeys due to rising security concerns, users are feeling the frustrations of managing many passwords. A survey by the FIDO Alliance found that 87% of decision-makers have implemented passkeys in their organizations. As new ways to log in emerge, the shift toward passkeys seems set to continue.