There’s a reason everyone is working on a way to replace passwords. They’re often easy to guess, hard to remember, and changing them after every data breach is a pain, even if you do have a password manager. Thankfully, the Fast Identity Online (FIDO) Alliance developed passkeys, a new authentication technology that eliminates the need to enter your email address or a password into login fields around the web, and they’re gaining popularity. For example, Microsoft deleted passwords from its authenticator app in August, but left in support for passkeys.
Passkeys offer numerous benefits; for example, they cannot be guessed or shared. Also, passkeys resist some phishing attempts because they’re unique to the sites they’re created for, so they won’t work on fraudulent lookalikes. Most importantly, in the age of near-constant data breaches, your passkeys cannot be stolen by hacking into a company’s server or database, making the stolen data far less valuable to criminals.
You can now use passkeys on various apps and websites, but what are they? Should you use them? Are they really more secure than traditional login credentials? Let’s talk about it.
What Is a Passkey?
When a public key and a private key combine, they create a passkey that can unlock your account. Here’s how it works: Apps or websites store your unique public key. Your private key is stored on your device, in your password manager, or, if you’re an Apple user, in your iCloud keychain. After your device (or iCloud) authenticates your identity, the two keys combine to grant you access to your account.
(Credit: 1Password/PCMag)
To learn how to set up passkeys for your online accounts, check out our guide to setting up and using passkeys.
Are Passkeys Really More Secure Than Passwords?
Allowing users to login using a passkey isn’t the only update website owners need to ensure website security. To find out more about the risks, I spoke with Trevor Hilligoss, security researcher and vice president of SpyCloud Labs at SpyCloud. Hilligoss tells me that widespread passkey adoption is “fantastic,” but website owners must also fix other security holes. He noted that criminals can easily get around a passkey by stealing users’ validated browser cookies using malware.
“You can use a passkey, you can use a password manager, you can use ‘yourdog’sname2023,’ whatever. It doesn’t really matter because authentication has already happened by using that cookie,” Hilligoss says. “Criminals are emulating an already authenticated session. So from the perspective of the website, it just sees that it’s a valid cookie.”
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Hilligoss says that once a website, like your email service, validates the cookie, the criminal doesn’t need to log in using your credentials or authenticate their identity. The validated cookie, which lasts on a person’s browser until it expires over a period of seconds or years, allows criminals to enter your accounts undetected and steal your data or money.
The onus is on website owners to find a solution for cookie hijacking. Hilligoss tells me that the rest of us can protect ourselves from the cookie hijacking threat by using passkeys or strong and unique passwords wherever we can. He adds that some websites allow users to choose when their session tokens expire.
You know the data privacy pop-up screens? Don’t immediately tap “Accept.” Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way, your cookies will expire automatically or whenever you close your browser window.
Recommended by Our Editors
Common Passkey Complaints
Passkeys are newer than passwords, so naturally, there have been some growing pains during the widespread adoption phase. Below, I’ll highlight some of the issues I’ve had when using passkeys and some complaints I’ve seen about passkeys around the web.
-
Passkey terminology can be confusing. Because the technologies became popular around the same time, many people seem to believe that 2FA options like biometric authentication, authenticator apps, and hardware security keys are the same as passkeys.
Passkeys perform multifactor authentication. You should be able to log into a website using only the passkey; there is no need for a password and username. Depending on your privacy and security settings, the iCloud account, device, or password manager where you’ve stored a passkey may require you to unlock it by using your face, fingerprint, or passcode.
-
Passkeys may not be accessible on all computers or devices. What if you lose your phone? What if you need to log into an account on a public computer? I’ve been locked out of a TikTok account for a year due to a missing passkey. If you don’t have access to a device that’s connected to your iCloud account, or if you can’t get into the password manager you use to store passkeys, you won’t be able to log in without a lot of hassle.
How Can I Keep Track of My Passkeys?
Speaking of password managers, many of the services I’ve reviewed for PCMag, such as Editors’ Choice award winners NordPass and Proton Pass, can store and generate passkeys for you. Android and iOS users can store passkeys using the built-in Apple Passwords app or Google Password Manager.
The Best Password Managers With Passkey Storage
Microsoft is doing its part to eliminate passwords by encouraging its customers to use passkeys and making all new accounts password-less by default. The company even removed the password management functions from Microsoft Authenticator, but preserved the passkey storage options.
A password manager makes it easy to access both your old credentials and new passkeys when you log in. Check out this list of our top picks for password managers.
About Our Expert
Kim Key
Senior Writer, Security
Experience
I review privacy tools like hardware security keys, password managers, private messaging apps and ad-blocking software. I also report on online scams and offer advice to families and individuals about staying safe on the internet. Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences.
In addition to the below categories, I also exclusively cover adblockers, authenticator apps, hardware security keys, and private messaging apps.
Read Full Bio
