What is a passkey?

Most people have to remember a string of different passwords to log into various devices and accounts, whether for their phone and laptop or email and social media accounts. It becomes too easy to become lazy about password hygiene, but that is when users become most susceptible to cyberattacks. As technology and artificial intelligence (AI) develop, it has become incredibly easy for hackers to steal passwords through data breaches, phishing, and other attacks.

As a result, passwords have fallen out of favor in recent years. The trend is set to grow as myriad forms of passwordless authentication are adopted more widely, both by users and organizations. So, what exactly is passwordless security, how does it work, and what are the various passwordless authentication examples? Read on to learn more.

For most people, passwords are a necessary inconvenience. To ensure their security, passwords must be long and complex (the best are phrases that incorporate numbers, letters, and special symbols), unique to each account, and be changed frequently. Unfortunately, this isn’t always the case. As such, password security is a major concern. They are particularly susceptible to cyberattacks because hackers can easily crack or steal passwords through phishing, dictionary attacks, and more.

Due to this, more users and services are using passkeys for more convenience and security. In fact, Google announced in October 2023 that passkeys would become the default login method across its services and for all users. Other companies like Intuit and Nintendo are also following suit.

What is a passkey?

Passkeys are essentially a form of passwordless authentication. After setting up an account for a website or app, users can create a passkey on their device for quicker, easier login, usually with a biometric sensor, such as the Face ID facial recognition system on iPhones. The passkeys are stored securely in a vault on the device, allowing it to effectively function as the authenticator, verifying the user’s identity for the website or app.

Passkeys are quickly replacing traditional passwords as they offer numerous advantages to users and service providers. Users benefit from an enhanced experience because they do not have to create long complex passwords for each online account and then keep track of them and change them frequently; they can also log into their accounts with the touch of a button (or scan of a face). As such, passkeys are quicker to use and far more convenient for users.

More importantly, passkey security is far superior to traditional passwords. In fact, passkeys can often meet multifactor authentication (MFA) requirements, replacing the need for passwords and one-time passwords. Additionally, they can be synced across a user's devices, even if they use different browsers and operating systems.

How passkeys work?

So, how exactly do passkeys work? These login credentials are built with the WEB Authentication API security standard that is commonly used by most browsers and operating systems today. This uses public key cryptography to grant access, which means that individual keys are unique and protected with encryption. Additionally, credentials aren’t shared between a user’s device and website servers.

Devices and programs using passkeys require Bluetooth technology, and as such, the user must be in close physical proximity to complete the verification procedure. To begin with, the user must set up their passkey. This usually means unlocking their device and then creating a unique public key for the login using biometric authentication or a PIN. They can then opt to link the passkey to online accounts on that device and use it to sign into these accounts. Once this is done, each time the user tries to log into the linked accounts on their device, they will be able to use their passkey for authentication.  To enable this, the device creates two keys: a public one that’s shared with the website for validation and a private one stored on the device that authenticates access to the account.

Another thing to note is that passkeys can either be set up only on one specific device or synced across different devices. Many devices, software services – and even users – opt to sync passwords for convenience. For example, both Google Password Manager and Apple iCloud Keychain allow users to synchronize their passkeys across multiple devices so that they can seamlessly access all their programs and data. Users can also choose to sync passkeys using a particular software like Kaspersky Password Manager.

What are some passkey examples?

Many companies are now using passkeys because of the additional protections and security they offer users. As such, most people who use laptops and phones or have online shopping or payment accounts are likely already familiar with how passkeys work – even if they don’t realize it. Some of the most common passkey examples can be found on the following devices, programs, and sites:

• Google/Chrome (including on Android phones, Chromebooks or Android tablets, and the Chrome browser)
• Apple/Mac OS (including on iPhones and MacBooks, and the Safari browser)
• Microsoft
• Adobe
• eBay
• LinkedIn
• Nintendo
• Snapchat
• TikTok
• WhatsApp
• DocuSign
• Kayak
• PayPal
• Shopify
• GitHub
• Uber
• Amazon

What are the advantages of passkeys?

Once you understand passkeys and how these authenticators work, it becomes clear that they inherently offer many advantages. This is why so many companies are already using passkeys as the standard for user identity verification. So, what exactly are the benefits that passkeys offer?

Are passkeys convenient?

For users, the biggest advantage of passkeys is their convenience, which can significantly enhance the user experience on devices and online. Users don’t have to create and remember complex passwords for different accounts. They can quickly log into a device or account with fingerprint scans, facial recognition, or a PIN. After they set up a passkey, users can usually move seamlessly between their devices.

Are passkeys safe?

• Passkeys provide a highly secure alternative to traditional passwords, offering advanced protection for online accounts. Here are some key reasons why passkeys are considered safe and reliable:
• Perhaps one of the biggest benefits of using passkeys is that they are very safe, much more so than traditional passwords. Because of the technology that passkeys are built on and how they are used, they are far less vulnerable.
• Only public key is saved to servers – separate from the user's private keys, which are stored on the device – rather than passwords, which means passkeys are harder to compromise in a hack or data breach, through keylogging or dictionary attacks, for example.
• Passkeys can’t be stolen through phishing attacks because they only work on the websites and apps they’re registered to – as such, users can't be tricked into accidentally sharing their authentications on malicious sites that mimic real sites.
• Passkeys can be safer and more cost-effective than some two-factor authentication methods, such as one-time passwords.
• Malicious actors can’t steal passwords that are physically written down near a device, as can happen with passwords.
• Since passkeys require physical proximity to a device and the ability to unlock it, it’s more difficult for hackers to access.
• All passkeys are unique and built with an encrypted algorithm.

How do I set up a passkey?

Using passkeys can be a useful way for users to protect sensitive information and stay safe online. Here are the steps to follow if you want to set up passkeys on your online accounts:

• Ensure your device and operating system support passkeys - for example, you will need to run at least Windows 10, MacOS Ventura, or ChromsOS109 on a laptop or iOS16 or Android 9 on a phone.
• Check that your device has a browser that supports passkeys – at a minimum, it should be Chrome 109, Safari 16, or Firefox 122.
• Make sure that your device has screen locks and Bluetooth.
• Enable iCloud Keychain (for Apple Devices) or Google Password Manager.
• Navigate to the sign-in page of the account you want to create a passkey for.
• Create a new account or sign into your existing account.
• Go to account settings and enable the option for using passkeys.
• Save the passkey.

Once a passkey is set up on your device, you can easily sign into your account using passwordless authentication.

1. Navigate to the website or app on your phone.
2. Begin the login process.
3. When prompted, complete the login process with the appropriate verification - for example, this might be biometric authentication, such as the Face ID on an iPhone, or entering a swipe pattern on an Android phone.
4. The passkey saved on your device will complete the sign-in process automatically.

It is also possible to use third-party passkey providers such as Kaspersky Password Manager. In this case, users set up the passkeys directly within the provider’s system and then use this to log into accounts. The advantage of third-party passkey providers is that they usually automatically sync passkeys across different devices.

Passkeys vs passwords: The future of security

So, why are passkeys becoming more popular than passwords? The simple answer to this is that passkeys simply offer more benefits than traditional passwords. Users don’t have to create and remember complicated passwords across many accounts. More importantly, passkey security is very high – it’s very difficult for passkeys to be stolen, either physically or through phishing attacks or data leaks. They’re also incredibly convenient. Once users set up passkeys, they can quickly and easily sign into their accounts across all their devices, usually with the click of a button.

Related Articles:

• Tips for creating a strong and unique password
• What to do if your phone is lost or stolen
• Top 15 internet safety rules and what not to do online

Related Products:

• Kaspersky Premium
• Kaspersky Password Manager