Remembering all of the passwords for each of your online accounts may soon be a thing of the past thanks to passkeys.
The best password managers already allow you to securely store and use your existing passwords across different sites and services. However, if you're using simple passwords for your accounts, reusing passwords across multiple accounts, or your passwords have been leaked in a data breach, your accounts can still be hacked.
Passkeys aim to make all of your accounts more secure by using passwordless login in place of traditional passwords, since each passkey is a unique digital key that can't be reused. They're also stored in an encrypted format on your devices instead of on a company's servers, which keeps them safe in the event of a data breach.
If you’re considering making the switch to using passkeys, this is everything you need to know about this new alternative to passwords along with all of the devices and services that currently support them.
The problem with passwords
The first digital password was actually invented in 1961 by MIT computer science professor Fernando Corbató, who needed a way for several users to work on the same computer. In the time since, passwords have become an integral part of our digital lives and we now use them every day.
Passwords can be short or long, with the latter being more secure. Besides letters and numbers, you can also add different symbols to your passwords to make them harder to guess. However, as passwords become more complex, people have a more difficult time remembering them, which is why both password reuse and simple passwords like "123456" are such common practices despite the security risks.
Tom's Guide also spoke with Andrew Shikiar, the executive director and CMO of the FIDO Alliance, about passwords and passkeys. He explained that the main difference between the two is that, unlike passkeys, passwords are easily readable by humans, which makes them less secure, saying:
"There is a fundamental difference between passwords, which are human-readable “secrets” transmitted over the internet, and passkeys, which are a possession-based authentication method leveraging advanced cryptography.
"Unlike passwords, passkeys do not rely on human-readable shared secrets that are highly susceptible to attack and easy to bypass. Passkeys change the paradigm of how people are typically authenticating online today by replacing the password with an unphishable primary factor for user authentication that is built into virtually every modern computing device today."
Passkeys promise to be much more secure without requiring the user to remember anything.
What are passkeys?
Passkeys are a new type of login credential that allows you to log in to sites and services without having to enter a password. There's nothing to remember and you can use them with the devices you already own, like your smartphone or laptop. Passkeys are built on the Web Authentication (WebAuthn) standard, which uses public-key cryptography to better secure your accounts.
Besides being resistant to data breaches, passkeys also can't be stolen in phishing attacks. Cybercriminals and hackers often use phishing or social engineering as a way to gain access to someone's username and password in order to steal their accounts. With passkeys, though, you have a private and a public key, and while the public key stays on a company's servers, the private key remains on your device and can't be easily stolen.
Creating and using passkeys
If you head to a website that supports passkeys, like the ones listed below, you'll be able to create a new account and use a passkey to secure it instead of a password.
During this process, the site will ask you to confirm your authenticator, which can be your smartphone, another mobile device or a password manager that supports passkeys. However, the authenticator still requires that you use another form of verification to unlock your passkeys. While this could be a master password, as with a password manager, it can also be biometrics. By using your face or fingerprint, you're not only making the process more secure but you also don't have to remember a password for your authenticator.
Remember those private and public keys we mentioned earlier? They're generated by your authenticator and are mathematically related. The public key is stored on the company's website for when you want to log in, while the private key remains secret and is only stored on your device.
When it comes time to log in, the site's server sends a random challenge to your authenticator, which signs it with your private key and sends the signed response back to the server. The server checks that signature using the public key it stored at registration, so it can confirm the two keys match without ever needing to know the contents of your private key.
Once this is complete, you’ll be able to access the account you set up using a passkey instead of a password. This process also happens quite quickly and may even be faster than entering a traditional password depending on how long it is.
Although you'll likely store your passkeys on your smartphone, you can also use them to log in to sites and services on your computer. In this case, the site will generate a QR code that you scan with your smartphone, and then you can log in using a passkey. However, your computer needs to have Bluetooth to establish a secure connection between it and your phone.
What devices are compatible with passkeys?
Even though passkeys are still relatively new, they’re already compatible with all of the best phones and many of the best computers. This is because Microsoft, Google, Apple and other tech giants worked to develop them together using FIDO Alliance and W3C standards.
With the release of iOS 16 last fall, Apple brought passkeys to the iPhone. On its devices, passkeys use Touch ID and Face ID for authentication instead of a master password, which makes things even easier. If you want to try them out for yourself, here's how to set up passkeys on iPhone, iPad and Mac.
If you're using one of the best Android phones or even an Android tablet, your passkeys are stored and synced using the Google Password Manager. However, if you want to use passkeys with it, you need to set up a screen lock on your Android device first, as this prevents others with access to your smartphone from using your passkeys.
For those using a Windows PC, you can use Microsoft's Windows Hello to sign in to your accounts using passkeys on both Windows 10 and Windows 11. Since your passkeys are synced with your Microsoft account, you can even use them on other devices as long as you're logged in.
As for your web browser, Chrome, Edge, Safari and Firefox all currently support passkeys. You need to be running version 79 or higher for Chrome/Edge, version 13 or higher for Safari and version 60 or higher for Firefox.
What happens when you upgrade to a new smartphone?
Since you store passkeys on your smartphone instead of remembering them, you may be wondering what happens when you upgrade to a new smartphone. No need to worry as they can easily be transferred over to a new device.
On Android, when you set up a new smartphone, your end-to-end encryption keys are securely transferred when you move the rest of your apps and data to it. However, in some cases such as when an older device is lost or damaged, you may need to recover them from a secure online backup. To do this, you need to provide the lock screen PIN, password or pattern from the previous device that has access to those keys.
Since your passkeys are stored in your iCloud Keychain, upgrading to one of the best iPhones won’t be a problem either. Just log in using your Apple ID on the new device and respond to an SMS sent to a trusted phone number. From here, you need to enter the device passcode but iOS, iPadOS and macOS only give you 10 attempts to authenticate according to this support document from Apple.
What sites currently allow you to use passkeys?
Besides setting up passkeys on your smartphone or computer, you also need to find sites and services that support them in order to use them. Fortunately, a number of big brands including eBay, PayPal, Best Buy, Nvidia and more already do.
If you’re looking for other sites and services that support passkeys, 1Password has put together a passkeys directory that users can contribute to. It’s also searchable which makes it easy to find out whether or not a company offers passkey support.
Expect other brands to announce that they now support passkeys as this alternative to passwords becomes more mainstream.
Will passkeys replace passwords entirely?
Passwords have been around for a long time and people are familiar and comfortable with using them. Still, weak or reused passwords can put both people and the companies they work for at risk, which is why there has been such strong support for passkeys.
As with any other change, the transition from passwords to passkeys will likely take time. However, with Microsoft, Google and Apple pushing this new technology so strongly, it wouldn’t be surprising if passwords completely disappeared over the course of the next few years.
However, as Shikiar notes "passkey support is built into virtually every modern computing device today and is being endorsed industry wide by major players". He also believes "that within the next 3-5 years the vast majority of consumer internet services will have passkey sign-in options – greatly reducing reliance on passwords".
In the meantime, though, you can start using passkeys for your online accounts today to make them more secure and get one step ahead of hackers.