Do you use different versions of the same password for your 300+ social media, app delivery, and shopping accounts? Have you used password managers to generate and store all login credentials? Or have you used the same nightmare combination that your system auto-generated simply because it checks all the boxes and is the least likely to get hacked?
No matter which category you fall into, the way we’ve been using passwords has been broken for a long time. However, that’s finally changing with the advent of passkeys, which are here to replace passwords. Widely considered to be more secure than passwords, these cryptographic codes can’t be guessed, and they let you log into apps and websites using a PIN, face recognition, or your fingerprint. When they work seamlessly, they’re a glimpse into what could be a secure future for millions. That being said, would you gladly ditch your old logins immediately?

What Are Passkeys?
To put it simply, the app or website one is using generates two pieces of code when one is creating a passkey. While one is stored by the app/website, the other is saved on the user’s device. When they log in, they prove it’s them via a PIN, fingerprint, facial recognition, or however they’d usually unlock their device, with the two pieces of saved code communicating with each other.
This method of matching a pair of keys is public-key cryptography, which is safer since only the user has access to their private keys. Since this key is bound to a specific device that they own and is usually secured with biometrics, keeping passkeys safe and restoring them is easy as well. Conceptually, passkeys come in many forms, and the best versions don’t even require usernames.
Since passkeys work on the users’ devices, they won’t work on a secondary device without a specific QR code. To sign in from another nearby device, the QR code from the user’s device needs to be scanned, and the user needs to authenticate with their biometrics or facial recognition.

How Are Passkeys And Passwords Different?
Passkeys are a rare step forward in cybersecurity; they’re not only safer than previous methods but also easier to use. Basically, they’re a method to confirm that one is who they say they are without having to remember a long and complicated password. Additionally, this method is resistant to common password attacks such as dictionary and phishing attacks, because passkeys and passwords are fundamentally different.
Let us elaborate. Passwords are “shared secrets,” as they’re called in the world of cybersecurity. The user, and the service they’re signing into, both know the secret. However, the issue is that the user needs to remember that secret, and isn’t entirely in control of it, as they need to share that secret with whatever service they’re signing into. So, there are higher chances of accounts being compromised, even when the users haven’t done anything wrong. There could be data breaches, decryption attacks, phishing schemes – the list of how hackers can potentially steal passwords is endless.
As opposed to that, passkeys are system-generated cryptographic keys and unique by default. While the public key is stored by the app or website, the information alone cannot be used to do anything – the private key is still in play. On the device used to create the passkey, the user needs to engage in a “challenge” to unlock their private key, which is usually some form of biometric authentication.
After the successful completion of the challenge, the result is sent back to the service the user is trying to log into and checked against the public key. Only if it’s a match is the user given access. More importantly, this authentication happens on the user’s device and on a server that’s not far away from the device.
What’s interesting is that while biometric authentication is how users will typically interact with passkeys on their mobile devices, it’s not the end-all. On Android devices, for instance, users can use patterns and PINs, while Windows users will require authenticating with Windows Hello or the Microsoft Authenticator app.
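The challenge check described above, reduced to a runnable sketch (an added example, not code from the original article or from any passkey implementation). It uses the built-in crypto module of Node.js; the JSON message layout, the function names and the shop.example origins are assumptions for illustration, and the device unlock step is not modelled.

```javascript
const nodeCrypto = require("node:crypto");

// Registration: the private key stays on the device, the server keeps only the public key.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server: a fresh random challenge for every login attempt.
function issueChallenge(pending) {
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  pending.add(challenge);
  return challenge;
}

// Device: after the local unlock (PIN or biometric, not modelled here), sign the
// challenge together with the origin the browser actually sees.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: accept only a known, unused challenge, the expected origin and a valid signature.
function verifyAssertion(serverRecord, pending, expectedOrigin, assertion) {
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (!pending.delete(challenge)) return "unknown-or-replayed-challenge";
  if (origin !== expectedOrigin) return "wrong-origin";
  const ok = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
                               serverRecord.publicKey, assertion.signature);
  return ok ? "ok" : "bad-signature";
}

// Constructed scenario: a genuine login, a replay, a look-alike origin, a different key.
function demo() {
  const ORIGIN = "https://shop.example";
  const { device, serverRecord } = createPasskey();
  const pending = new Set();

  const good = signAssertion(device, issueChallenge(pending), ORIGIN);
  const genuine = verifyAssertion(serverRecord, pending, ORIGIN, good);
  const replay = verifyAssertion(serverRecord, pending, ORIGIN, good);
  const lookalike = signAssertion(device, issueChallenge(pending), "https://shop-example.test");
  const wrongSite = verifyAssertion(serverRecord, pending, ORIGIN, lookalike);
  const forged = signAssertion(createPasskey().device, issueChallenge(pending), ORIGIN);
  const wrongKey = verifyAssertion(serverRecord, pending, ORIGIN, forged);
  return { genuine, replay, wrongSite, wrongKey };
}
```

The server never holds anything that could be used to sign in elsewhere: a leaked public key, a captured response, or a response produced for a look-alike site all fail one of the three checks.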

So, What Do I Use Now?
Passkeys don’t have universal support yet, so it might be a good idea to not ditch your 130-character-long passwords and password managers yet. The simple way to approach this is: if an app/website allows you to set up a passkey, then you could consider using it. Or, you could look at possibly setting up passkeys on your financial operations online: bank accounts, Stripe, PayPal, etc.
Even if you won’t be setting up any passkeys yet, it’s only a matter of time before you might just have to. Tech companies have already begun making passkeys the default, and an increasing number of organisations are adopting them.
X launched passkeys as a login option on iPads and iPhones, and even WhatsApp is gradually rolling out the feature for its users. Passkeys are the tech industry’s answer to the “Password Problem,” and password-less sign-ins are the future.