What are passkeys? Everything you need to know about the death of passwords

An iPhone showing passkeys
(Image credit: Shutterstock)

Remembering all of the passwords for each of your online accounts may soon be a thing of the past thanks to passkeys.

The best password managers already allow you to securely store and use your existing passwords across different sites and services. However, if you’re using simple passwords for your accounts, reusing passwords across multiple accounts or your passwords were leaked in a data breach, your accounts can still be hacked.

Passkeys aim to make all of your accounts more secure by using passwordless login in place of traditional passwords since each passkey is a unique digital key that can’t be reused. They’re also stored in an encrypted format on your devices instead of on a company’s servers which keeps them safe in the event of a data breach.

If you’re considering making the switch to using passkeys, this is everything you need to know about this new alternative to passwords along with all of the devices and services that currently support them.

The problem with passwords

Fish hook on a keyboard

(Image credit: Shutterstock)

The first digital password was actually invented in 1961 by MIT computer science professor Fernando Corbato who needed a way for several users to work on the same computer. In the time since, passwords have become an integral part of our digital lives and we now use them everyday.

Passwords can be short or long with the latter being more secure. Besides letters and numbers, you can also add different symbols to your passwords to make them harder to guess. However, as passwords become more complex, people have a more difficult time remembering them which is why both password reuse and using simple passwords like “123456” is such a common practice despite the security risks.

Tom's Guide also spoke with Andrew Shikiar, the executive director and CMO of the FIDO Alliance, about passwords and passkeys. He explained that the main difference between the two is that unlike passkeys, passwords are easily readable by humans which makes them less secure, saying:

"There is a fundamental difference between passwords, which are human-readable “secrets” transmitted over the internet, and passkeys, which are a possession-based authentication method leveraging advanced cryptography.

"Unlike passwords, passkeys do not rely on human-readable shared secrets that are highly susceptible to attack and easy to bypass. Passkeys change the paradigm of how people are typically authenticating online today by replacing the password with an unphishable primary factor for user authentication that is built into virtually every modern computing device today."

Passkeys promise to be much more secure without requiring the user to remember anything. 

What are passkeys?

Passkeys are a new type of login credential that allow you to log in to sites and services without having to enter a password. There’s nothing to remember and you can use them with the devices you already own like your smartphone or laptop. Passkeys are built on the WebAuthentication or WebAuthn standard which uses public-key cryptography to better secure your accounts. 

Besides data breaches, passkeys also can’t be stolen in phishing attacks. Cybercriminals and hackers often use phishing or social engineering as a way to gain access to someone’s username and password in order to steal their accounts. With passkeys, though, you have a private and public key and while the public key stays on a company’s servers, the private key remains on your device and can’t be easily stolen.

Creating and using passkeys

iOS 16 passkeys

(Image credit: Tom's Guide)

If you head to a website that supports passkeys like the ones listed below, you’ll be able to create a new account and use a passkey to secure it instead of password.

During this process, the site will ask you to confirm your authenticator which can be your smartphone, another mobile device or a password manager that supports passkeys. However, the authenticator still requires that you use another form of verification to access your password. While this could be a master password like with password manager, it can also be biometrics. By using your face or fingerprint, you’re not only making the process more secure but you also don’t have to remember a password for your authenticator.

Remember those private and public keys we mentioned earlier? They’re generated by your authenticator and are mathematically related. The public key is stored on a company’s website for when you want to login while the private key remains secret and is only stored on your device. 

When it comes time to login, the site’s server will send a challenge to the authenticator which your private key will solve and send a response back to the server. While the server is able to verify that public and private keys match, it actually doesn’t need to know the contents of your private key to verify it.

Once this is complete, you’ll be able to access the account you set up using a passkey instead of a password. This process also happens quite quickly and may even be faster than entering a traditional password depending on how long it is.

Although you’ll likely store your passkeys on your smartphone, you can also use them to log in to sites and services on your computer. In this case, the site will generate a QR code that you scan with your smartphone and then you can login using a passkey. However, your computer needs to have Bluetooth to establish a secure connection between it and your phone. 

What devices are compatible with passkeys?

A phone and tablet sharing passwords using Google Password Manager

(Image credit: Google)

Even though passkeys are still relatively new, they’re already compatible with all of the best phones and many of the best computers. This is because Microsoft, Google, Apple and other tech giants worked to develop them together using FIDO Alliance and W3C standards.

With the release of iOS 16 last fall, Apple brought passkeys to the iPhone. On its devices, passkeys use TouchID and FaceID for authentication instead of a master password which makes things even easier. If you want to try them out for yourself, here’s how to set up passkeys on iPhone, iPad and Mac.

If you’re using one of the best Android phones or even an Android tablet, your passkeys are stored and synced using the Google Password Manager. However, if you want to use passkeys with it, you need to set up screen lock on your Android device first as this prevents others with access to your smartphone from using your passkeys.

For those using a Windows PC, you can use Microsoft’s Windows Hello to sign into your accounts using passkeys on both Windows 10 and Windows 11. Since your passkeys are synced with your Microsoft account, you can even use them on other devices as long as you’re logged in.

As for your web browser, Chrome, Edge, Safari and Firefox all currently support passkeys. You need to be running version 79 or higher for Chrome/Edge, version 13 or higher for Safari and version 60 or higher for Firefox.

What happens when you upgrade to a new smartphone?

A screenshot showing how passkeys are stored in your iCloud Keychain

(Image credit: Apple)

Since you store passkeys on your smartphone instead of remembering them, you may be wondering what happens when you upgrade to a new smartphone. No need to worry as they can easily be transferred over to a new device.

On Android, when you set up a new smartphone, your end-to-end encryption keys are securely transferred when you move the rest of your apps and data to it. However, in some cases such as when an older device is lost or damaged, you may need to recover them from a secure online backup. To do this, you need to provide the lock screen PIN, password or pattern from the previous device that has access to those keys.

Since your passkeys are stored in your iCloud Keychain, upgrading to one of the best iPhones won’t be a problem either. Just log in using your Apple ID on the new device and respond to an SMS sent to a trusted phone number. From here, you need to enter the device passcode but iOS, iPadOS and macOS only give you 10 attempts to authenticate according to this support document from Apple.

What sites currently allow you to use passkeys?

Besides setting up passkeys on your smartphone or computer, you also need to find sites and services that support them in order to use them. Fortunately, a number of big brands including eBay, PayPal, Best Buy, Nvidia and more already do. 

If you’re looking for other sites and services that support passkeys, 1Password has put together a passkeys directory that users can contribute to. It’s also searchable which makes it easy to find out whether or not a company offers passkey support.

Expect other brands to announce that they now support passkeys as this alternative to passwords becomes more mainstream. 

Will passkeys replace passwords entirely?

Passwords written down in a notebook

(Image credit: Shutterstock)

Passwords have been around for a long time and people are familiar and comfortable with using them. Still, weak or reused passwords can put both people and the companies they work for at risk, which is why there has been such strong support for passkeys.

As with any other change, the transition from passwords to passkeys will likely take time. However, with Microsoft, Google and Apple pushing this new technology so strongly, it wouldn’t be surprising if passwords completely disappeared over the course of the next few years. 

However, as Shikiar notes "passkey support is built into virtually every modern computing device today and is being endorsed industry wide by major players". He also believes "that within the next 3-5 years the vast majority of consumer internet services will have passkey sign-in options – greatly reducing reliance on passwords".

In the meantime though, you can start using passkeys for your online accounts today to make them more secure to get one step ahead of hackers.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • smontanaro
    I have a question about applying the information in this article. It seems there are three different walled gardens implementing passkeys (so far): Apple, Android, and Windows. I'm a Mac user but use an Android phone. What barriers will I encounter trying to use passkeys across these two environments?
    Reply
  • PrivacyGuy
    Seems to me that websites using passkeys stand to gain valuable information about your mobile (and other linked) devices
    I appreciate the need for secure access controls but I don't want big tech like Facebook, Google and Microsoft to know all the devices i use.
    Aren't there any privacy issues here?!
    Reply
  • DrEd49
    admin said:
    Passkeys are a new alternative to passwords that are much more secure. Here’s everything you need to know about passkeys and how to use them on your devices.

    What are passkeys? Everything you need to know about the death of passwords : Read more
    How would two people be able to log into the same website using passkeys? Right now both can use the same username and password to access the site. I am thinking my wife and I can log into our bank account using the same username and password because we both have and use the same master password to access our password manager. How would this work efficiently with passkeys? Thanks.
    Reply
  • EVEricTwenty2
    If my phone gets broken, stolen, or lost how can I access my accounts? Am I going to have to wait day's or weeks to get access? Apple can infamasouly take a week or more to fix a phone. If I use google pay or apple or something like that how will I be able to pay for a new phone or phone repair if I have to have the phone working to pay? Will companies even be willing to work on or fix a phone if I can't prove I'm me? If I need a passkey to access my bank I wouldn't be able to pay for anything, nor would I be able to prove i'm me to stop someone who has my phone from stealing everything and locking me out of every email/media/finical account I have. Is there anyway to bypass passkeys to keep access if the authenticator is lost or stolen? Is there any way to instantly invalidate an authenticator and stop its use if lost/stolen? If someone is able to clone a phone or hack the system, do they now have access to every account I have? Courts have held you can't be forced to give up passwords, but you can be forced to unlock devices using fingerprints for facial recognition. Where do passkeys fall? If a court forces you to unlock your phone could some unscrupulous person in the court system delete you entire digital identity? What if your phone/account gets seized/locked for the length of an investigation (weeks months years), you couldn't authenticate to anthying, you wouldn't be able to have access ot your finances, pay rent, you couldn't even pay bail or hire a laywer if locked out. This seems very very dangerous. Putting all eggs in one basket so to speak. There seems to be far too many ways this can go horribly wrong if there are not easily accessible ways around it, but if there are it completely defeats the purpose of passkeys.
    Reply