The end of passwords: What are passkeys and how do they work?

A computer keyboard ready to accept a password (Dries Augustyns / Unsplash)
A computer keyboard ready to accept a password (Dries Augustyns / Unsplash)

Nearly everybody agrees that the way we use websites and services is broken.

The username-and-password combo universally used is both annoying for users and not great from a security perspective. Amid data breaches, that most people repeat the same, easily guessable passwords between websites and given the ease of constructing fake sites to steal logins, the internet is crying out for a better solution.

Well, one might finally be here: passkeys. These do away with passwords completely, allowing your phone to vouch for your identity.

How do passkeys work, and what are the drawbacks? Read on to find out.

What is a passkey?

Passkeys are a way to log in to a website or service without a password to prove who you are. All you need is a device to vouch for your identity — most likely your smartphone*.

That sounds like a security nightmare, but it should prove a lot safer than the somewhat flawed password system we’ve used for the first few decades of the internet.

“A simple, yet secure sign-in procedure is exactly what people need,” Jake Moore, Global Security Advisor at ESET, a software company specialising in cybersecurity, tells The Standard. “Passkeys offer a simple, fast and secure sign-in solution. [They offer] a very positive impact on account security.”

For the user, the idea is to log in to a website the same way you open up your phone — with a PIN, a fingerprint or a face scan. When you register for a site or service, your login is linked to a single device and you just sign in via that: with no password to remember.

Behind the scenes, it’s a whole lot more technical, involving something called asymmetric cryptography. A public key is stored on the website you want to use, while an encrypted private key is attached to your device. When you try to log in, the site will grant you access only if the two match.

If you’re not working on the phone you registered with — if you want to log in to a site on your Windows laptop, say — then you’ll need to connect it to your phone via Bluetooth. Alternatively, you will have to prove it’s in range with the scan of a QR code. It’s a bit like two-factor authentication, without the password.

“Before now, systems were either highly secure and not user friendly, or easy to use yet very hackable,” explains Moore. “Tying these two together has long been a problem and therefore online accounts have remained targeted.”

Passkeys are the first serious answer to be in the sweet spot between easy and secure.

* You could use a laptop or tablet as your authentication device. However, given most people will choose their smartphone, we’re going to shorthand to the word “phone” for the rest of this piece.

What’s wrong with using a password?

In theory, very little. In practice, nearly everything.

We all know that we’re supposed to make our passwords long and strong — ideally with a random selection of characters, numbers and symbols to make them impossible to guess. And each site needs its own password too, so that if/when there’s a breach, hackers can’t get access to all your other sites.

But we’re human, and these rules are really tough to follow. Who has the brain capacity to remember dozens of unique, nonsensical passwords for different sites? Password managers are great, and strongly recommended. But making the switch to one can take hours, and plenty of us just take our chances.

Passkeys are essentially an attempt to wean us out of bad password practices with minimal effort.

Why is a passkey better?

For a start, you don’t have to remember that unique string of characters, numbers and letters for each website and service. Your phone will do that for you, assuming you have it on you.

It should all be pretty seamless: just confirm it’s you via a fingerprint, PIN or Face ID, and everything should happen in the background. This is much simpler than remembering whether the ‘$’ came before or after the ‘&’ in your 12-character password.

Secondly, because your device has to be in close proximity to you to log in, it means that a hacker from halfway around the world can’t chance their arm with your account.

There are other safety positives, too. Data breaches should be an annoyance rather than potentially devastating (though companies will still need to secure payment and ID data). And it should also break imitation phishing websites, too — because your device will recognise that the website isn’t the real deal and refuse to authenticate you.

Currently, “threat actors are able to manipulate people with clever tricks, often through messaging and authentic sounding phone calls,” Moore explains.

“With increased adoption to passkeys on websites and more support in helping people switch to them, however, the majority of users could soon find themselves signing with more ease and security without realising.”

What are passkeys’ weaknesses?

There are a few, but they don’t tend to be about security, per se.

The first one is that you need your phone on you. If it’s broken, out of battery or left at home, then you’re out of luck — or in for a painful transfer between devices (more on that in a moment).

The second is that sharing logins becomes a lot trickier — something Netflix would be quite pleased about, but inconvenient for many. It’s likely this is a problem that will be solved in the long run — indeed, iPhone users can share their passkeys with other iPhone users via AirDrop already. However, it’s a lot more fiddly than just telling someone your password, which again is good from a security perspective.

What if I lose or change my phone?

For most people, losing your phone should be only a temporary annoyance. Passkeys are synced across iCloud Keychain for Apple devices, and via Google Password Manager for Android and ChromeOS, so restoring your passkeys should be simple once you’re up and running again. However, of course, you may have a painful few days where you can’t access things if you have only an iPhone and no Mac, for instance.

The difficulty comes if you decide you’ve had enough of an iPhone and want to try Android (or vice versa). At the moment, there’s no way to transfer passkeys between ecosystems. However, this is something that’s being actively worked upon, and will likely be in place long before passkeys are widely in use.

Which sites support passkeys?

At the moment… not very many. The password manager tool 1Password keeps a running tally and, at the time of writing, there are just 28 including Microsoft, PayPal, Ebay and Virgin Media.

But with Microsoft, Google and Apple supporting passkeys, you can expect that to change quite quickly, with some experts predicting 2023 as the year where we see a move away from passwords.

“This adoption is likely to increase now the big names in tech have taken on the technology and we should soon see a tipping point,” Moore says.

But that move won’t be completed for some time. “I don’t think we will see the end of the password for a very long time, possibly generations yet,” Moore says. “There is still a need for the trusty password as some systems will need to be built from the design phase up to integrate such secure technology.”

In the meantime, make sure your passwords are as secure as possible. “People need to make sure their passwords are all unique and multi-factor authentication is enabled on all accounts,” Moore says.

But maybe we can look forward to a day when this oft-repeated advice is a thing of the past.