What Are Passkeys, and Why Should I Use Them?

by Jon Lober | NOC Technology

Passwords vs. passkeys: is it time you made the switch?

Passwords are the most common method of authentication, but they are also one of the weakest. They are often easy to guess or steal, and many people reuse the same password across several accounts. That habit leaves a user extremely vulnerable to more serious cyberattacks.

To keep all of your accounts secure with passwords, you should ideally use a password manager, issue a unique password for each account, and ensure that each password is long and complex. You should also make sure that all of your accounts have two-factor authentication (2FA) enabled. That said, the data suggests this is an outlandish request of the average human user.

52% of all users reuse their passwords across multiple accounts. 61% of all data breaches involve stolen or hacked login credentials.

Thankfully, in recent years a better solution has emerged—passkeys. Similar word, wildly different security results. Passkeys are more secure than passwords and provide a more convenient way to log into your accounts.

Passkeys have been around for a while, and their influence has slowly strengthened. Through the work of the FIDO Alliance, passkeys have gained support from major players including Apple, Amazon, Google, Mastercard, Microsoft, Visa, and U.S. Bank. Making waves across the industry, on May 3, 2023, Google announced that it would allow its users to completely opt out of passwords in favor of passkeys.

Let’s take a look at this technology and what it means for your business.

What is Passkey Authentication?

Unlike passwords, which are reused every time you sign in, passkeys use a unique code for each login attempt. The passkey itself is a code created from a combination of information about the user and the device they are using to log in. To actually sign in, this code is sent to and validated by the target server.

In practice, this passkey is often a combination of a biometric parameter (like your fingerprint or face) and the device you are using (often your phone). The process works much like 2FA, except that it removes the password entirely and goes straight to individual validation. Each time you sign in to your account, from your perspective you will simply use a biometric to sign in—just like many of us already do with our phones.

This authentication technology is built on Web Authentication (WebAuthn), a core component of FIDO2. Instead of a unique password, the protocol uses public-key cryptography (a special type of encryption) for user verification.

Advantages of Using Passkeys Instead of Passwords

1. More Secure 

Passkeys are more secure than passwords and more difficult to hack—especially when the key is a combination of biometric and device data. Since hackers would need both your fingerprint and your device’s MAC address or location to penetrate your accounts, a hack is very unlikely.

2. More Convenient 

Passkeys are far more convenient than passwords. No more trying to remember whether it had a question mark or a dollar sign at the end! No more trying to hide lists of secret passwords! No more clicking “Forgot your email?”

Forgotten passwords are common, and each reset slows an employee down. Every time a person has to reset their password, it takes them an average of three minutes and 46 seconds. Passkeys erase this problem by providing a single code, which you can use across all your accounts.

3. Phishing-Resistant

Credential phishing scams are prevalent and effective. Scammers send emails that (falsely) tell a user that something is wrong with their account. The reset link takes them to a disguised login page created to steal their username and password.

When a user authenticates with a passkey instead, this trick will not work on them. Even if a hacker had the user’s password, it would not matter: they would need the device’s passkey authentication to breach the account.

Are There Any Disadvantages to Using Passkeys?

Passkeys look like the future of authentication technology. However, there are some issues that you may run into when adopting them right now.

Passkeys Aren’t Yet Widely Adopted 

Passkeys are still not widely adopted, though the news from Google may change that quickly. Many websites and cloud services still rely on passwords because they do not have passkey capability yet.

In the meantime, users may have to keep using passwords for some accounts until passkeys become more widely adopted. Until then, it may be slightly awkward to maintain a mixture of password-protected and passkey-protected accounts.

Passkey Account Providers Need Extra Hardware & Software 

The nice thing about passwords is that they are free and easy to use. You simply make them up as you sign up for a site.

Passkeys need some extra hardware and software to generate and validate the codes, which can be costly for businesses to implement initially. However, the potential savings from improved security and user experience will likely outweigh the cost of passkeys.

Prepare Now for the Future of Authentication

Now is a great time to reflect on how you are going to keep your accounts secure in this wild west moment of tech history. If you’re not sure what steps to take, just remember that technologies like 2FA—and now passkeys—are a simple and extremely effective first step. Our list above is a tiny sample of the businesses that are likely to adopt passkeys soon. Over the coming months, you will likely see many high-profile organizations roll out passkey options. Just take a look at the members of the FIDO Alliance to grasp how significant this shift will be.
