What is a passkey?

A passkey is a modern, passwordless authentication method that uses public key cryptography. Instead of a password, users authenticate with a cryptographic key pair: a public key stored by the service and a private key stored securely on the user’s device or in a password manager.

Authentication when using passkeys typically involves biometrics (like fingerprint or facial recognition), a PIN or a swipe pattern, similar to unlocking a smartphone. Most users will choose biometrics for convenience.

How do passkeys work?

Passkeys use public-key cryptography to let you log in to websites and apps without entering a traditional password. Here is the process, step by step:

1. Setting up a passkey

  • The user logs in to their account as usual.
  • In the security settings, they enable the passkey option.
  • The app or website prompts the user to save a passkey tied to their device.
  • If using a password manager, it will prompt the user to generate and store a passkey.
  • Biometric authentication (e.g., Face ID, fingerprint) is requested to confirm the setup.
  • The passkey is securely stored on the device or in the password manager.

2. Logging in with a passkey

  • During subsequent logins, the user is prompted to authenticate using their stored passkey.
  • No password is required, just the passkey.

3. Cross-device authentication

  • If the user tries to log in on a device without the passkey, they can authenticate using another device.
  • The browser may display a QR code to scan with a mobile device to complete the sign-in.
  • Bluetooth is often used to ensure proximity and security during cross-device authentication.
  • If using a password manager, the passkey can be accessed and used across multiple devices.

Passkeys vs passwords: What’s the difference?

As organizations and platforms adopt passkeys, it's important to understand how they differ from traditional passwords and why they represent a significant advancement in digital security and user experience.

Here are the key differences between passkeys and passwords:

Creation process

Passwords require users to manually create and remember strong, unique credentials, which can be challenging. Passkeys, however, are automatically generated, meaning users don’t need to worry about creating or remembering anything. Once set up, they can easily log in using their device or password manager.

Phishing resistance

Passwords are vulnerable to phishing because users enter them manually, making them susceptible to fake websites. Passkeys, on the other hand, are phishing-resistant. Since there’s nothing to enter, cybercriminals can’t steal login details through phishing attacks.

Compromise risk

Passwords are easily compromised, especially if users reuse them or choose weak ones. If a password is leaked, it can be used immediately by a cybercriminal. Passkeys, however, are more secure. The private key is never stored on the server; therefore, even if the server is compromised, the public key alone is useless without the private key.

Website support

While passwords are universally supported, passkeys are still being adopted. Major websites like Apple, Google and PayPal now support them, but many sites still rely on passwords. To see which sites support passkeys, check out Keeper’s Passkey Directory.

Passkey | Password
Automatically generated | User generated
Phishing resistant | Susceptible to phishing threats
Can’t be easily compromised | Easily compromised if they’re weak
Supported on a limited number of websites currently | Supported on all websites

Benefits of using passkeys

Passkeys offer several advantages, providing a more secure and seamless way to authenticate online.

Stronger security

Most people struggle with password hygiene, often choosing short, easy-to-guess passwords, reusing passwords across sites or storing them insecurely. Passkeys solve this problem by being automatically generated and unique for each account.

Additionally, passkeys use public-key cryptography. A private key is securely stored on the user’s device or in a password manager, while the public key is saved by the service. When logging in, the private key proves your identity without being shared. This means even if the server is breached, cybercriminals only get the public key, which is useless without the private key, making passkeys far more secure than traditional credentials.

Built-in Two-Factor Authentication (2FA)

Unlike passwords, which many users fail to secure with 2FA, passkeys are inherently protected by it. To use a passkey, you need both something you have (your authenticator device) and something you are (biometric authentication). This built-in 2FA makes passkeys more secure than traditional passwords, which often lack additional protection.

Phishing resistant

A major benefit of passkeys is their phishing resistance. Since passkeys don’t require users to enter their login information manually, cybercriminals cannot trick them into entering their credentials on a fraudulent website. This means passkeys can’t be stolen through phishing attacks – unlike passwords, which are often targeted.
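The sign-in described under "Stronger security" and "Phishing resistant" can be modelled in a few lines of Node.js. This is an added example, not code from this article or from any product: a simplified model of the challenge-and-signature exchange rather than the WebAuthn API itself. The class names, the hosts example.com and examp1e.com, and the rule that a passkey's site identifier equals the hostname are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Authenticator (device or password manager): one private key per site.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public key ever leaves the authenticator
  }
  // `origin` is supplied by the browser, not typed by the user or chosen by the page.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname; // assumption: site identifier == hostname
    const key = this.keys.get(rpId);
    if (!key) return null; // no passkey for this site, so nothing to hand over
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: crypto.sign('sha256', clientData, key) };
  }
}

// Server: stores the public key only and verifies each signed response.
class Server {
  constructor(origin, publicKey) { Object.assign(this, { origin, publicKey, pending: new Set() }); }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('base64url');
    this.pending.add(c);
    return c;
  }
  verify(a) {
    if (!a) return false;
    const { origin, challenge } = JSON.parse(a.clientData.toString());
    if (origin !== this.origin) return false;          // signed for a different site
    if (!this.pending.delete(challenge)) return false; // unknown or replayed challenge
    return crypto.verify('sha256', a.clientData, this.publicKey, a.signature);
  }
}

function demo() { // constructed hosts; examp1e.com stands in for a look-alike site
  const device = new Authenticator();
  const server = new Server('https://example.com', device.register('example.com'));
  const good = device.sign('https://example.com', server.newChallenge());
  const results = { genuine: server.verify(good), replayed: server.verify(good) };
  results.lookalike = device.sign('https://examp1e.com', server.newChallenge()) === null;
  // Even if the device also held a key for the look-alike, a relayed response fails:
  device.register('examp1e.com');
  results.relayed = server.verify(device.sign('https://examp1e.com', server.newChallenge()));
  return results;
}
```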

Drawbacks and limitations

While passkeys offer many advantages, there are still some limitations:

Website support remains incomplete

Despite accelerating adoption, passkeys are still not universally supported. Many smaller or legacy websites and applications still rely on passwords, meaning users often need to manage both systems in parallel. According to the FIDO Alliance, about 48% of the top 100 websites now support passkeys, highlighting strong momentum, but not complete coverage.

Device dependency still exists

Passkeys are typically tied to specific devices or ecosystems. If a user loses access to a device, they may face challenges accessing accounts unless passkeys are synced or transferred. One way to prevent this is to store passkeys in a password manager like Keeper.

Adoption across services is ongoing

While momentum is strong, most people still use passwords as their default login method. Users should expect to maintain a password manager or backup strategy for the foreseeable future, as the shift to a passwordless world is still in progress.

The future of passkeys

While passkeys have the potential to replace passwords, they won’t eliminate the need for password managers. In fact, they may make them more important.

This is because passkeys are tied to an authenticator, which can be either:

  • A device, like a smartphone, tablet or laptop
  • A password manager that supports passkeys

At first glance, using a smartphone as your primary authenticator seems convenient – after all, most people carry their phones everywhere. But in reality, relying solely on one device can become inconvenient, especially for users who switch between multiple devices.

For example, if you try to log in on a laptop or tablet without your phone nearby, you’ll need to:

  1. Generate a QR code on the device you're using
  2. Scan it with your smartphone (the authenticator)
  3. Confirm your identity using biometrics like Face ID or fingerprint

This added friction highlights the benefits of using a password manager that supports passkey syncing across devices. Keeper, which has supported passkeys for several years, simplifies the login process by tying passkeys to the application rather than relying solely on a physical device. This approach makes accessing accounts across multiple devices much easier and more seamless.
