I’m sick of passwords. They’re either easily guessable or hard to remember, and keeping them out of the hands of criminals is tough. To solve that problem, the Fast Identity Online (FIDO) Alliance developed passkeys, a different authentication technology. Passkeys eliminate the need to enter your email address or password into login fields around the web, and they’re gaining popularity. For example, Microsoft is deleting passwords from its authenticator app in August, but leaving its passkey support in.
Passkeys have plenty of benefits; for example, they cannot be guessed or shared. Also, passkeys resist some phishing attempts because they’re unique to the sites they’re created for, so they won’t work on fraudulent lookalikes. Most importantly, in the age of near-constant data breaches, your passkeys cannot be stolen by hacking into a company’s server or database, making the stolen data far less valuable to criminals.
You can use passkeys on various apps and websites now, but what are they? Should you use them? Are they really more secure than traditional login credentials? Let’s talk about it.
What Is a Passkey?
When a public key and a private key combine, they create a passkey that can unlock your account. Here’s how it works: Apps or websites store your unique public key. Your private key is stored on your device, in your password manager, or, if you’re an Apple user, in your iCloud keychain. After your device (or iCloud) authenticates your identity, the two keys combine to grant you access to your account.
To learn how to set up passkeys for your online accounts, check out our guide to setting up and using passkeys.
Are Passkeys Really More Secure Than Passwords?
Allowing users to login using a passkey isn’t the only update website owners need to ensure website security. To find out more about the risks, I spoke with Trevor Hilligoss, security researcher and vice president of SpyCloud Labs at SpyCloud. Hilligoss tells me that widespread passkey adoption is “fantastic,” but website owners must also fix other security holes. He noted that criminals can easily get around a passkey by stealing users’ validated browser cookies using malware.
“You can use a passkey, you can use a password manager, you can use ‘yourdog’sname2023,’ whatever. It doesn’t really matter because authentication has already happened by using that cookie,” Hilligoss says. “Criminals are emulating an already authenticated session. So from the perspective of the website, it just sees that it’s a valid cookie.”
Hilligoss says that once a website, like your email service, validates the cookie, the criminal doesn’t need to log in using your credentials or authenticate their identity. The validated cookie, which lasts on a person’s browser until it expires over a period of seconds or years, allows criminals to enter your accounts undetected and steal your data or money.
The onus is on website owners to find a solution for cookie hijacking. Hilligoss tells me that the rest of us can protect ourselves from the cookie hijacking threat by using passkeys or strong and unique passwords wherever we can. He adds that some websites allow users to choose when their session tokens expire.
You know the data privacy pop-up screens? Don’t immediately tap “Accept.” Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way, your cookies will expire automatically or whenever you close your browser window.
Common Passkey Complaints
Passkeys are newer than passwords, so naturally, there have been some growing pains during the widespread adoption phase. Below, I’ll highlight some of the issues I’ve had when using passkeys and some complaints I’ve seen about passkeys around the web.
- Passkey terminology can be confusing. Because the technologies became popular around the same time, many people seem to believe that 2FA options like biometric authentication, authenticator apps, and hardware security keys are the same as passkeys.
Passkeys perform multifactor authentication. You should be able to log into a website using only the passkey; there is no need for a password and username. Depending on your privacy and security settings, the iCloud account, device, or password manager where you’ve stored a passkey may require you to unlock it by using your face, fingerprint, or passcode. - Passkeys may not be accessible on all computers or devices. What if you lose your phone? What if you need to log into an account on a public computer? I’ve been locked out of a TikTok account for a year due to a missing passkey. If you don’t have access to a device that’s connected to your iCloud account, or if you can’t get into the password manager you use to store passkeys, you won’t be able to log in without a lot of hassle.
How Can I Keep Track of My Passkeys?
Speaking of password managers, many of the services I’ve reviewed for PCMag, such as Editors’ Choice award winners NordPass and Proton Pass, can store and generate passkeys for you. Android and iOS users can store passkeys using the built-in Apple Passwords app or Google Password Manager.
icrosoft is doing its part to eliminate passwords by encouraging its customers to use passkeys and making all new accounts password-less by default. The company even removed the password management functions from Microsoft Authenticator, but preserved the passkey storage options.