Passwords are a mess, and they always have been. I use a password manager, and it makes the whole business of having to remember 1,400 logins much easier, but even then, it could be easier.
Well, the good news is that it can be much easier, with one simple answer: passkeys.
While passkeys sound like a rebranding exercise, they’re actually the future of password security, and it’s high time you started making the switch.
So what actually is a passkey?
It’s not another password, thankfully
A passkey is a pair of cryptographic keys. One key is stored on the site or app’s server, and one key is stored on your device. When the login box appears for a given site or service, you use this cryptographic key pair instead of your password.
Now, that sounds confusing, right? But your passkey typically uses something much easier to remember, like a PIN, or something that’s basically impossible to lose, like your fingerprint or Face ID.
In that sense, a passkey functions similarly to a password; it unlocks your account.
The bit that trips people up is “cryptographic keys.” But in practice, you don’t really need to know the ins and outs of how encryption works to use passkeys. That’s actually what makes them great. They’re super secure, hard to lose, and most importantly, they’re all stored locally.
But, in short, the two cryptographic keys are intrinsically linked, and one won’t work without the other. Your version of the key won’t respond if the specific page, app, or service isn’t right, which makes them an excellent defense against a whole host of attacks — more on this in a moment.
Compared to passwords, passkeys are the dream. When you log in with a password, it leaves your device, travels across the internet, and gets compared against a database. Every step of that journey is a point of failure, and passkeys collapse that journey to nothing.
Phishing becomes almost non-existent with passkeys
This is one of the best reasons to switch
During the early 2020s, phishing attacks went wild, and they haven’t really stopped. Attacks that trick you into sharing your password on a fake login page are one of the most common ways accounts are compromised, and they work because passwords are designed to be shared.
Passkeys cut that threat out because they rely specifically on those interlinked cryptographic keys. Phishing pages rely on tricking you with some digital sleight of hand, like a fake invoice from a service you use, or a website URL that looks almost exactly the same but has one letter switched out.
With a password, you could easily still fall for those fake pages because the prompt and the onus are on you to provide your details to prove that you’re the account owner. But with passkeys, the cryptographic key won’t work at all because a fake site or login simply doesn’t have the other half of your keys.
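An added example, not part of the original article: a simplified model of the key pair described earlier and of why a look-alike page gets nothing usable from it. It is not the WebAuthn wire format; the Device and Site classes and both .example addresses are made up for illustration.

```javascript
// Added illustration: a simplified model of a passkey login, not the WebAuthn wire format.
const nodeCrypto = require("node:crypto");
const REAL = "https://mybank.example"; // constructed origin
const FAKE = "https://mybonk.example"; // constructed look-alike, one letter changed

// The device: private keys never leave it, and each is filed under the site it was made for.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.keys.set(new URL(origin).hostname, privateKey);
    return publicKey; // only the public half is sent to the site
  }
  // `origin` is what the browser actually loaded, not what the page claims to be.
  sign(origin, challenge) {
    const key = this.keys.get(new URL(origin).hostname);
    if (!key) return null; // no passkey for this hostname, so nothing is produced
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), key) };
  }
}

// The site: stores the public key and issues a fresh random challenge per login.
class Site {
  constructor(origin, publicKey) { this.origin = origin; this.publicKey = publicKey; this.pending = null; }
  challenge() { return (this.pending = nodeCrypto.randomBytes(32).toString("hex")); }
  verify(assertion) {
    const expected = this.pending;
    this.pending = null; // a challenge is good for one attempt only
    if (!assertion || !expected) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), this.publicKey, assertion.signature);
  }
}

function demo() {
  const device = new Device();
  const site = new Site(REAL, device.register(REAL));
  const genuine = site.verify(device.sign(REAL, site.challenge()));
  // The look-alike page relays a real challenge, but the device has no key for its hostname.
  const relayed = device.sign(FAKE, site.challenge());
  const phished = site.verify(relayed);
  // Even a device holding a passkey for the look-alike signs the look-alike's own origin.
  device.register(FAKE);
  const wrongOrigin = site.verify(device.sign(FAKE, site.challenge()));
  return { genuine, relayed, phished, wrongOrigin };
}

console.log(demo());
```

Unlike a typed password, the response is tied to one site and one challenge, so there is nothing reusable for the fake page to collect.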
Okay, but what if I lose my phone?
Or my finger falls off?
When I talk about passkeys with friends and family, the “What if I lose my [device]” question always comes up. It’s a good question, to be fair, but it has some good answers that should ease your mind towards welcoming passkeys into your heart.
First up, passkeys have failsafes baked in. Most services still let you set up a recovery email or similar, and many enable syncing between devices. For example, if you use passkeys with iCloud Keychain or Google Password Manager, your passkeys are accessible from your other synced devices. But they’re still secure because of the biometric or local data element.
Some accounts also come with specific recovery keys or account recovery codes. Again, it’ll depend on the account, but account recovery works very similarly to any other account. Losing your phone with passkeys isn’t really a problem at all, unless you need them there in that exact moment. And losing your phone sucks, too.
You can use passkeys in so many places now
There are way more places than you think
Most major websites, apps, and services now use passkeys. The best way to check is to open your account, head to Settings, and see what account security options are available. In many cases, you’ll actually receive a prompt asking if you want to switch over; I’ve found this on Google, Amazon, my banking apps, and plenty more.
You could also check out the big Passkeys list. It’s not completely comprehensive due to the nature of the technology and what it’s attempting to cover, but it’s a great way to figure out if your favorite site or service is using passkeys to secure your account.
Password managers like Bitwarden and Proton Pass also support passkeys, stored alongside your regular passwords and logins. Android devices have supported passkeys natively for a long time now, and iPhones are the same with Keychain.
Passwords aren’t going away
Passwords aren’t going away overnight. A lot of sites still don’t support passkeys, and some never will. But for the accounts that matter — email, banking, anywhere you’d feel sick if someone got in — it’s worth setting up a passkey wherever the option exists.
Remember, security isn’t about always being absolutely perfect. That’s impossible. But making your accounts as difficult to crack as possible is important, and it often means the difference between someone draining your account or moving on to the next one.