We tell you what passkeys are, how you can get them, and where you can use them to log in securely without exposing your email address or creating a password.
I’m sick of passwords. They’re somehow both easily guessable and hard to remember, and keeping them out of the hands of criminals is tough. To solve that problem, the Fast Identity Online (FIDO) Alliance developed passkeys, a form of passwordless authentication technology. Passkeys eliminate the need to enter your email address or password into login fields all around the web, making it harder for criminals to steal your credentials and get into your accounts.
Passkeys have plenty of benefits; for example, they cannot be guessed or shared. Passkeys are resistant to phishing attempts because they’re unique to the sites they’re created for, so they won’t work on fraudulent lookalike sites. Most importantly, in the age of near-constant data breaches, your passkeys cannot be stolen by hacking into a company’s server or database, making the data extracted in such breaches less valuable to criminals. Best of all, this new technology isn’t just theoretical. We are encouraged to see big tech companies like Amazon adopting passkeys. But what exactly are they? We’re here to explain.
What Is a Passkey?
A passkey is a way to log in to apps and websites without using a username and password combination. It’s a pair of cryptography keys generated by your device. A public key and a private key combine to create a passkey that unlocks your account.
Apps or websites store your unique public key. Your private key is only stored on your device, and after your device authenticates your identity, the two keys combine to grant you access to your account. We tell you how to put this into practice in our guide for setting up and using passkeys.
Usually, the device or software generating the passkeys uses a biometric authentication tool, such as FaceID or TouchID, to authenticate your identity. If a password manager is the passkey source, you can log in to the app using a strong master password instead of biometric authentication. Passkeys are unique to each app or website and stored in a password manager’s vault or your device’s keychain. Passkeys can sync across devices, making them a convenient choice.
Why Do You Need Passkeys?
The widespread adoption of passwordless authentication like passkeys couldn’t come at a more critical time. Researchers at Digital Shadows reported that, as of 2022, more than 24 billion login credentials had been exposed by data breaches. That number is up 65% since 2020, and researchers believe malware attacks, social engineering scams, and password sharing are to blame for the increase.
The report concludes that widespread passkey adoption by both users and website owners is necessary to keep criminals from taking over accounts using stolen username and password combinations. Account takeovers and identity theft incidents resulting from data breaches can be mitigated by enabling multi-factor authentication for your online accounts and using a password manager to create and store new credentials or passkeys for each login page you encounter online.
Where Can You Use Passkeys?
You can use passkeys to log into many websites, including Best Buy, eBay, Google, Kayak, and PayPal. Password management company 1Password maintains a community site where users can report websites that accept logins using passkeys. Currently, some of the sites on that list, such as Adobe.com, still require a traditional username and password for initial account creation and logins, but you can set up a passkey to use for future logins by visiting the Settings menu.
Swift passkey adoption by major apps and websites is encouraging, but it may take time for passkey adoption for websites owned by individuals or small companies. Some sites don’t even support multi-factor authentication yet, so we may have to wait a while for the newest FIDO security standards to completely eradicate passwords.
Many of the password managers I’ve reviewed for PCMag, such as 1Password and Dashlane, can store and create passkeys for you. If you already have a password manager subscription, keep it up! A password manager makes it easy to store and use both your old credentials and new passkeys when you log in. If you don’t use a password manager, it’s not too late to try being more secure with your personal data. Android and iOS users can store their passkeys locally and access them using the keychain app on their mobile devices.
So for now, use passkeys where you can, and ensure you have multi-factor authentication enabled on any accounts supporting it. You should also keep using a password manager to create and store your credentials until you don’t need them anymore.