
What are passkeys really? The simple explanation – for anyone tired of passwords




ZDNET’s key takeaways

  • Passkeys let you sign in without typing or remembering passwords.
  • Unlike passwords, they’re resistant to phishing.
  • Syncable passkeys make secure sign-ins easy across devices.

Over the past year or so, passkeys have hit the mainstream. The rate of adoption for this technology has been remarkable, and it shows no sign of slowing down. If your experience is like mine, you’re probably invited to save a new passkey at least once or twice a week.

All told, I now have at least 40 saved passkeys. I can use those passkeys to skip the password prompt completely and sign in with biometrics (face or fingerprint) at dozens of websites, including mainstream shopping destinations like Costco, Target, Amazon, and Walmart, as well as more technical sites like Dell, Adobe, and Dropbox. The company that manages my domain name registrations uses passkeys, as does the power company, my credit union, and my physician’s office.


But I still hear from readers who don’t quite understand what a passkey is, how it works, or why it’s better than a password.

After a lengthy online exchange on the subject with a friend who finally achieved an “Aha!” moment, I think I figured out why the topic is so confusing: A passkey is not a tangible thing — it’s an abstraction. As a result, most attempts to explain the technology get bogged down in technical details.

Even the least technical person you know can tell you what a password is — some combination of letters and numbers, with maybe a symbol thrown in. You can create your own password using a common word or a name or a date, and you can even write it down on a sticky note. If you’re like most people, you regularly reuse the same password, or some variation of it, even though you know that’s probably a bad idea.


A passkey, on the other hand, is difficult to describe. If I tell you it’s a secure digital credential generated from a public key and a private key, can you form a mental image to go with those words? Probably not. Burying the definition in more technical details won’t help.

But I think we can get there, together, in plain (mostly) non-technical language without a bunch of jargon, just by going through the questions I keep hearing from readers.

What is a passkey?

A passkey is a secure, saved credential that allows you to sign into a specific website or web service by proving your identity with biometrics or a PIN. Passkeys are defined using the Web Authentication (WebAuthn) standard.

What happens when you create a passkey?

When you create a passkey, you’re actually generating and saving two matching pieces of encrypted digital information — one on the website or service you’re signing into (this is referred to in the standard as the relying party), and a second on your device. Those keys can only work together; one is useless without the other.

Here’s how it works:

You go to a website and sign in as usual with your password. After you sign in, you see a message: Would you like to create a passkey? And you say, “Why, yes, I would.” Or, if the website doesn’t offer to help you create a passkey, you find the option on the security settings page for your account. The following screenshot shows what you see at Dell.com, for example.

[Screenshot: You might need to dig into settings to create a passkey for a website or service. Screenshot by Ed Bott/ZDNET]

You’ll need to choose which authenticator to use for creating the passkey (more on that in a moment), but beyond that, you don’t need to do anything else. You’ve already signed in using your password, so the website knows you’re authorized to use that account. 

The website or service you’re connecting to saves a unique encryption key on its server, and your authenticator (your device or password manager) generates a second unique, private encryption key and stores it in a secure location on your device.

That’s the passkey — two secrets, one on each end, that work together to establish your right to use the account. Your username and password are no longer involved, and no one can ever see the private encryption key on your computer, not even you.

Which authenticator should I use?

When you create a passkey, you choose which authenticator to use. The default location is the device itself, such as a PC that supports Windows Hello biometric authentication. You can also choose a password manager that supports passkeys or even use a hardware security key.

Why does that matter? If you use your PC or mobile device or a hardware security key as the authenticator, you’re creating a device-bound passkey. It will only work in conjunction with that hardware. If you try to sign in on a different device, or if the hardware security key isn’t handy, you won’t have access to that passkey.

By contrast, a password manager can save syncable passkeys that you can use on multiple devices. Google Password Manager and iCloud Keychain can sync your passkeys across devices. So can third-party password managers like 1Password or Bitwarden. (For an up-to-date list of passkey authenticators, see this GitHub page.)


If you’re already accustomed to using a password manager that supports passkeys, that’s your best choice. You’ll be able to create, manage, and use passkeys using the same interface you’ve already been using.

And here’s a power tip: You can use multiple passkey authenticators and create multiple passkeys for the same site. For some high-value sites, I’ve created passkeys on two or more hardware keys and in 1Password, giving me a choice of ways to securely log in to those sites, even on unfamiliar hardware.

How do you use a passkey?

When you visit a website where you previously created a passkey, you enter your email address or username as usual, but instead of seeing a box where you enter a password, you see a message: Would you like to sign in with your passkey? You say yes and click the button for your saved passkey.

[Screenshot: You need to prove your identity before you can save a passkey. Screenshot by Ed Bott/ZDNET]

The website sends its key to your PC or password manager to be authenticated and says, in effect, “The individual associated with this key would like to access their account. You OK with that?” 

Your authenticator (Windows Hello on a PC, iCloud Keychain on an Apple device, or a hardware key) confirms that the request is coming from a valid source and not a phishing website; then it checks that key against the information saved in your passkey, confirms that they are a match, and asks you to identify yourself with biometrics or a PIN. 


When you do that, the authenticator tells the website that you’ve proved your identity and that you have a matching passkey. You’re now signed in, just as you would have been if you had used your password.

Your PC or password manager never sent the passkey to the website, so it couldn’t be intercepted or copied. All it did was affirm that you are you and the passkey is a match.

Where are passkeys stored?

Your passkeys are stored in a secure location on your phone or computer, protected by cryptographic hardware — the TPM on a Windows PC, the Secure Enclave on a Mac or iOS device, or a Trusted Execution Environment on an Android device.

Only the authenticator can access a passkey, and it can only do so after you’ve proven your identity. Passkeys aren’t accessible to the file system, which means you can’t use File Explorer or Finder to scroll through your collection of passkeys. 


You can’t open a passkey and inspect its contents. You can’t make a copy of a passkey that’s saved on your phone or computer, and you can’t accidentally use a passkey if a bad guy fools you with a fake website designed to look like a legitimate one.

What happens to my password after I create a passkey?

Someday, many years from now, we might live in a passwordless world. That day is not today. 


For now, passkeys are an alternative to passwords, and your password typically remains available as a way to sign in to a site where you have created a passkey. Some services will allow you to remove a password after creating multiple passkeys — you can do that with your Microsoft account, for example — but those options are still rare.

Why is a passkey safer than a password?

When you use a password, here’s what happens: You go to a website, enter your username and password, and click a button. If everything goes well, you’re signed in. But there are many things that can go wrong.

For starters, passwords can be phished. If a bad guy can build a website that looks like your bank’s sign-in page, you might be fooled into entering your password there, at which point the bad guy can sign in as you and steal the funds in your bank account.

Passwords can be guessed, either with brute force attacks that try every possible combination of letters, numbers, and symbols, or by an attacker who figures out your easy-to-guess password. Just ask Donald Trump, whose Twitter account passwords were not hard to guess — yourefired in 2014 and maga2020! six years later.


Passwords can also be stolen. A keylogger or remote access Trojan can send your passwords to an attacker, or they can use the extremely low-tech option of “shoulder surfing” — watching as you type your username and password, perhaps with the help of a video camera.

Even if your opsec is perfect, you can still have your password hijacked if the website does a lousy job of storing and securing it.

Finally, you could (unwisely) reuse that username and password combination at other sites, and you would be vulnerable if the password for one site ever got leaked or phished.

Passkeys are immune to those attacks. A skilled phisher might fool you into thinking a fake website is real, but it will never have access to the passkey, because the domain and the associated encryption key don’t match. And it can’t be stolen, because it never leaves its secure repository on your device. 

The only way to unlock it is if you identify yourself with biometrics or a PIN after your authenticator gets a legitimate request from a remote server.

Do I need to worry about making passkeys unique?

For years, you’ve been reading advice columns that tell you how important it is to have a unique password for each site. So, do you need to exercise the same level of caution and create a unique passkey for each site that allows for them?

Ha! That’s almost a trick question. Passkeys are unique by definition. Each passkey is made up of two separate encryption keys that are generated for use only with the site or service where it was created.

You can, however, have multiple passkeys for a single site. If they are device-bound, then you might have one for your laptop and one for your phone. Or you might have one or more hardware keys like a YubiKey. As I mentioned earlier, creating syncable passkeys in your password manager is the most convenient option.
