I’m sick of passwords. They’re somehow both easily guessable and hard to remember, and keeping them out of the hands of criminals is tough. To solve that problem, the Fast Identity Online (FIDO) Alliance developed passkeys, a form of authentication technology. Passkeys eliminate the need to enter your email address or password into login fields all around the web.
Passkeys have plenty of benefits; for example, they cannot be guessed or shared. Passkeys are resistant to phishing attempts because they're unique to the sites they're created for, so they won't work on fraudulent lookalike sites. Most importantly, in the age of near-constant data breaches, your passkeys cannot be stolen by hacking into a company's server or database, making the data extracted in such breaches less valuable to criminals.
We are encouraged to see many companies adopting passkeys. But what are they? Should you use them? Are they really more secure than traditional login credentials? Let's talk about it.
What Is a Passkey?
A passkey is a way to log in to apps and websites without using a username and password combination. It's a pair of cryptography keys generated by your device. A public key and a private key combine to create a passkey that unlocks your account.
Apps or websites store your unique public key. Your private key is only stored on your device, and after your device authenticates your identity, the two keys combine to grant you access to your account. We tell you how to put this into practice in our guide for setting up and using passkeys.
Usually, the device or software generating the passkeys uses a biometric authentication tool, such as FaceID or TouchID, to authenticate your identity. If a password manager is the passkey source, you can log in to the app using a strong master password instead of biometric authentication. Passkeys are unique to each app or website and stored in a password manager's vault or your device's keychain. Passkeys can sync across devices, making them a convenient choice.
(Credit: 1Password/PCMag)Where Can You Use Passkeys?
You can use passkeys to log in to many websites, including Best Buy, eBay, Google, Kayak, and PayPal. Password management company 1Password maintains a community site where users can report websites that accept logins using passkeys. Currently, some of the sites on that list still require a traditional username and password for initial account creation and logins, but you can set up a passkey to use for future logins by visiting the Settings menu.
Swift passkey adoption by major apps and websites is encouraging, but it may take time for passkey adoption for websites owned by individuals or small companies. Some sites don't even support multi-factor authentication yet, so we may have to wait a while for the newest FIDO security standards to completely eradicate passwords.
Are Passkeys Really More Secure Than Passwords?
"You have passkeys? That's fantastic. But there are things that criminals are going to do that are going to circumvent these kind of protections and we need to talk about how we can overcome that."
Allowing users to login using a passkey isn't the only update website owners need to ensure website security. Earlier this year, I got a chance to chat about passkey adoption and other cybersecurity trends with Trevor Hilligoss, a security researcher and vice president of SpyCloud Labs at SpyCloud. Hilligoss told me that widespread passkey adoption is "fantastic," but website owners really need to fix some other security holes, too. He noted that criminals can easily get around a passkey by stealing users' validated browser cookies using malware.
"You can use a passkey, you can use a password manager, you can use 'yourdog'sname2023', whatever. It doesn't really matter because authentication has already happened by using that cookie," Hilligoss said.
"Criminals are emulating an already authenticated session. So from the perspective of the website, it just sees that it's a valid cookie."
Hilligoss went on to explain that once a website, like say, your email service, validates the cookie, the criminal doesn't even need to log in using your credentials or authenticate their identity. The validated cookie, which lasts on a person's browser until it expires over a period of seconds or years, allows criminals to enter your accounts undetected and steal your data or money.
The onus is on website owners to find a solution for cookie hijacking. Hilligoss told me that the rest of us can protect ourselves from the cookie hijacking threat by using passkeys or strong and unique passwords wherever we can. He also said that some websites allow users to choose when their session tokens expire. You know the data privacy pop-up screens? Don't immediately tap "Accept." Instead, navigate to the "Cookies" or "User Data" sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window.
How Can I Keep Track of My Passkeys?
Many of the password managers I've reviewed for PCMag, such as Editor's Choice award winner Bitwarden, plus 1Password and Dashlane, can store and create passkeys for you. A password manager makes it easy to access both your old credentials and new passkeys when you log in.
If you don't use a password manager, it's not too late to try being more secure with your personal data. Android and iOS users can store their passkeys locally and access them using the keychain app on their mobile devices.