What are Passkeys, how they work, and why they are better than passwords
For years, we’ve been told about the importance of complex passwords, changing them regularly, and using password managers. But despite all this, passwords remain the greatest weakness in digital security. They are easily stolen, difficult to remember, and the primary cause of successful phishing attacks. Now, a technology has arrived that aims to change all that: passkeys.
If you’ve recently created an account on services like Google, Apple, or PayPal, you’ve likely been offered the option to “Create a passkey.” While it might seem like just another fleeting technology, it represents a fundamental shift in how we log in to digital services—a shift that is more secure, faster, and simpler than any password.
What Is a Passkey, Exactly?
In the simplest terms, a passkey is a digital credential that replaces your password. It’s not something you remember or type. Instead, it is stored securely directly on your device—your phone, computer, or tablet.
Technically, it’s based on public-key cryptography. When you create a passkey for a website, your device generates a unique pair of cryptographic keys:
- A private key: This remains securely locked on your device (e.g., in the Secure Enclave chip on an iPhone or the TPM chip on a Windows PC). This key never leaves your device and is your secret.
- A public key: This is sent to the website or service (e.g., Google) and stored there. As its name suggests, it is public and useless without its private counterpart.
How Does Logging In with a Passkey Work?
Although the background technology sounds complicated, the user experience is incredibly simple. The login process takes place in a few steps and lasts only a second:
- Initiate Login: You choose to sign in with a passkey on the website.
- The Challenge: The website sends a unique, one-time “challenge” to your device.
- Identity Confirmation: Your device prompts you to confirm your identity—usually via biometrics (fingerprint, face scan) or by entering your device’s PIN.
- Digital Signature: After your confirmation, the device uses the private key to digitally “sign” the challenge it received from the website.
- Verification: The signed challenge is sent back to the website, which checks the signature with your stored public key. If the signature is valid and the challenge is the one the website just issued, the login is successful.
The entire process happens in the background. For you as a user, the login looks like this: you click “Login,” place your finger on the sensor, and you’re in.
Why Are Passkeys Superior to Passwords?
The advantages are enormous and solve nearly all problems associated with passwords:
- Phishing Resistance: A passkey is cryptographically bound to the domain of the website it was created for. Even if a scammer tricks you into visiting a fake site that perfectly mimics the real one, your device has no passkey for that look-alike domain and will not sign anything for it. Credential phishing as we know it becomes nearly impossible.
- Security from Data Breaches: Since servers only store your public key, your login credentials are safe even if a company suffers a massive data breach. A stolen public key cannot be used to sign a challenge; the private key, the only part that can prove your identity, remains on your device.
- Simplicity and Speed: No more remembering, typing, or resetting forgotten passwords. Logging in is as fast and intuitive as unlocking your phone.
Passkeys Syncing and Cross-Device Use
What if you create a passkey on your phone but want to log in on your computer? The major tech companies behind this standard (the FIDO Alliance), including Apple, Google, and Microsoft, have solved this problem.
Passkeys automatically sync through your ecosystem, for example, via iCloud Keychain or Google Password Manager. A passkey created on your iPhone will be immediately available on your Mac and iPad.
For logging in on a device outside your ecosystem (e.g., signing into your Google account on a hotel’s Windows PC with the passkey stored on your iPhone), the process is also simple. A QR code appears on the computer screen. You scan it with your phone and confirm your identity there with a fingerprint; a Bluetooth connection between the phone and the computer confirms the two are physically close, and the login on the computer is approved.
Is This the End for Passwords?
Although the technology is ready and supported by the biggest players, the transition will take time. All websites and applications need to implement support for passkeys. However, the process is in full swing. Passkeys represent the most significant leap forward in digital security in the last decade. It’s time to start embracing the passwordless future.