What you need to know about passkeys, the future of passwords: What they are, how they work, and why they matter
In the modern digital world, keeping online accounts secure has become more complicated than ever. Current best practice is to use a unique (not reused anywhere else), complex password for every site and service, keep those passwords in a password manager, and enable two-factor authentication (2FA). A newer and simpler authentication method, the passkey, is now coming into use. It is designed to make logging in both easier and stronger by replacing the password altogether, and with it the weaknesses that come from a secret a person has to type, remember, and reuse.
What is a passkey?
A passkey is a relatively new login credential that lets you sign in to an account by authenticating on your own device, typically with a fingerprint or face scan, or in some cases with the device's PIN or passcode. It can be thought of as two-factor authentication folded into one step: you prove possession of an enrolled device (something you have) and you unlock it with a biometric or code (something you are or know). Because the device does the proving, there is no traditional password to type.
How is it more secure than a password?
A passkey offers several security benefits over a traditional password. A password is a string of text (letters, numbers, and symbols) that you type in and that the site stores in some form. Anything typed can be captured by a fake site or a keylogger, and anything stored on a server can be stolen in a breach and cracked offline. A passkey removes both exposures: the secret half never leaves your device, and the site stores only a public key, which is useless for logging in on its own.
With a passkey, you sign in to a site or app by proving that you have already unlocked a device that holds the key. That unlock is biometric (a fingerprint or face scan) or, at a minimum, the device's PIN or passcode.
A separate passkey is created for each site or service, so a credential is never reused and a breach at one site cannot be replayed at another. Passkeys are also resistant to phishing: each passkey is bound to the site it was created for, the browser will only use it for that site's domain, and the signed login response records which site address asked for it, so a look-alike site can neither trigger the real passkey nor forward a usable response to the real site. There is no code for an attacker to crack; they would need your physical device and the means to unlock it. Finally, a passkey streamlines the login, replacing a password plus a separate verification step with a single confirmation on your device.
Two-factor authentication remains a must for traditional password sign-in. With a passkey it is usually unnecessary, because the passkey already supplies two factors at once: possession of the device and the biometric or PIN used to unlock it.
How are passkeys stored?
Technically, passkeys are built on public key cryptography. Each passkey is a pair of keys: a public key, which the site stores when you register, and a private key, which stays on your device and is never sent anywhere. At login the site sends a fresh random challenge; after you unlock, your device signs that challenge with the private key, and the site checks the signature against the stored public key. The site never sees the private key, only proof that it was used. On the device, the private key is held by the platform's secure key store (often backed by a dedicated security chip) and can only be used after you authenticate. No passkey secret is transmitted during login, and there is no way to copy or paste one like a password.
For most people, passkeys are also synced between their devices through a platform account or password manager: Google Password Manager (Android and Chrome), iCloud Keychain (Apple devices), or a third-party manager such as 1Password or Bitwarden. What these services store is an end-to-end encrypted (wrapped) copy of the key, never a raw, readable, or transferable form. It is decrypted only on a device you have enrolled and unlocked, so the sync provider itself cannot use the passkey to log in.
What to do if you change or lose your device?
Passkeys remain safe if you lose a device or move to a new one. On a lost device, the lock screen (and the secure key store behind it) keeps others from using its passkeys. You should still remotely lock or wipe a lost device as soon as possible and sign it out of your accounts.
In most cases the passkey is also held, in encrypted form, by the sync service that created it (such as Google Password Manager or iCloud Keychain). Signing in to that service on a new device restores it. Many sites also let you register and manage several passkeys across devices; Google, for example, does this on the Google Account website. Most platforms still allow a traditional password or another recovery method as a fallback if all else fails.
Some users store their passkeys on a physical security key instead, such as a USB, NFC, or Bluetooth key from Yubico or Google. Passkeys on a hardware key are device-bound: they are never synced or copied, so if the key is lost, they are gone with it. Register a second key or another passkey as a backup, and take extra care of the hardware key itself.
Where and how to use passkeys?
Passkey support is not yet universal. To find out whether a site supports passkeys, check its security or sign-in settings, or wait for the feature to arrive. Many services, including Apple, Google, Microsoft, Adobe, LinkedIn, and Zoho, already offer it, and crowdsourced sites such as passkeys.directory maintain lists of platforms that support passkeys.
The process for creating a passkey varies by service. Typically, a service that supports passkeys will prompt you to create one when you sign in, or offer the option in its security or sign-in settings. Once set up, logging in is usually a matter of clicking a button and confirming on your device.