This is part 1 of our series on passkeys. Part 2, on privacy, is here.
A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
First off: is a passkey one of those little plastic things you stick in your USB port for two-factor authentication? No, that’s a security key. More on security keys in a minute. A passkey is also not something you can type in; it’s not a password, passcode, passphrase, or a PIN.
A passkey is approximately 100-1400 bytes of random data1, generated on your device (like your phone, laptop, or security key) for the purpose of logging in on a specific website. Once the passkey is generated, your browser registers it with the website and it gets stored somewhere safe (for instance, your password manager). From then on, you can use that passkey to log in to that website without entering a password. When you go to a website’s login page, you’ll have the option to “Sign in with a passkey.” If you choose that option you’ll get a confirmation prompt from your password manager, and will be logged in after confirming. For all this to work, there needs to be passkey support in the website, your browser, your password manager, and usually also your operating system.
You can create many passkeys: each passkey unlocks a single account on a single website. For multiple accounts on a single website, you can have multiple passkeys for that website. For instance, if you have a social media account for personal use and one for business, you would have different passkeys for each account.
You can usually have both a password and a passkey on your account2, and can log in with either. Logging in with a passkey is generally faster, since your password manager will offer to do it in a single click, instead of the multiple clicks that logging in with a password usually takes. Also, logging in with a passkey typically lets you skip traditional two-factor authentication (SMS, authenticator app, or security key).
Why is it safe for passkeys to skip traditional two-factor authentication? Passkeys build in a second factor. Each time you use the passkey to log in, your browser or operating system may ask you to re-enter your device unlock PIN. If you use a fingerprint or facial recognition to unlock your device, your browser might instead request you re-enter your fingerprint or show your face, to confirm that it’s really you asking to log in. That gives two factors of authentication: the device that stores your passkey is something you have, and it’s accompanied by something you know (the PIN) or something you are (a fingerprint or a face).
Storage and Backup
A passkey stored on just one computer or phone isn’t that useful. What if you want to log in from a different device? What if your device falls in the toilet? There are at least three solutions here and they’re very different, which is part of why passkeys are in practice three very different things.
- Solution 1: Passkeys are stored in the password manager, which encrypts them, backs them up to the cloud, and helps you copy them onto all of your devices.
- Solution 2a: Passkeys are created and stored in a physical security key that you plug in via USB3. To log in on a different device, you plug in the security key when prompted. Passkeys created this way can’t be copied. Only recently-made security keys support this.
- Solution 2b: Passkeys are created and stored on a high-security chip built into your computer or phone (for instance, a TPM or Secure Enclave, available on most devices made in the last few years). Like solution 2, these passkeys can’t be copied.
Solutions 2a and 2b are less convenient (and solution 2a costs a little bit of money, to buy a security key). But they offer a higher level of security against someone stealing your devices. With solution 1, someone who steals your computer might be able to copy the passkeys if your password manager is unlocked.
Also, solutions 2a and 2b don’t really solve the “device falls in toilet” problem. If you’re using one of those solutions, you should have multiple passkeys stored on different devices as backup. Alternatively you may wind up relying on email-based account recovery.
If you’re using solution 1, you trust your password manager to keep your passkeys secure. Also note that password managers generally won’t let you export a copy of your passkeys for offline backup.
How do passkeys prevent phishing?
Each passkey contains a record of which domain name the passkey was created for. If someone sends you a link to a login page on a lookalike domain name, you may be fooled but your browser will not, since browsers can easily check for an exact match. So your browser will not send the passkey to the lookalike domain name and you’ll be safe.
However, so long as you still have a memorized password in addition to your passkey, a lookalike site could tell you your passkey isn't working and you need to enter the password instead. If you do enter the password, the phishing attack will succeed. So phishing is still possible, but someone who typically logs in on a given site with a passkey is more likely to get suspicious when asked to enter a password instead, which provides some protection even if it’s not complete protection.
Should I use passkeys?
Like all security and privacy topics, the answer is “it depends.” But for most people, passkeys are a good idea. If you’re already using a password manager, generating long unique passwords for each website, and always using the autofill features to log in (i.e. not copy-pasting passwords), passkeys will provide a slightly higher level of security with significantly more convenience.
If you’re not already using a password manager, passkeys will be a tremendous increase in security (and will also require you to start using a password manager).
For sites where you are using two factor authentication (2FA), passkeys will be much more convenient, and may be more secure. SMS or authenticator app 2FA methods are vulnerable to phishing attacks, since a fake site can ask you for the one-time code and pass it along to the real site along with your phished password. Passkeys are more secure than SMS or authenticator app 2FA because they aren’t vulnerable to phishing; your browser knows exactly which site goes with which passkey, and isn’t tricked by fake websites.
Security key 2FA also isn’t vulnerable to phishing, so switching from security key 2FA to a passkey is mainly a matter of convenience; it means one less step during login, and one less password to remember. If you store your passkeys on a security key (protected with a PIN or biometric), you’ll achieve similar results as security key 2FA. If you store your passkeys in a password manager instead, that’s slightly less safe, because anyone who gains access to your password manager can use your passkeys, without needing physical access to your security key.
As of late 2023, passkey support is very uneven, particularly for syncing. For instance, Adam Langley says “Windows Hello doesn’t sync at all, Google Password Manager can only sync between Android devices, and iCloud Keychain only works on Apple devices.” Even once those problems are solved, cross-ecosystem syncing (for instance between iOS and Windows) will remain a big problem. Third-party password managers 1Password, Bitwarden, and Dashlane have passkey support and can sync across ecosystems. But they don’t necessarily support all platforms yet (for instance, 1Password doesn’t fully support passkeys on Android as of October 2023). If you want to try out passkeys on a throwaway account, you can create one on passkeys.io or webauthn.io.
If you like being an early adopter, go ahead and give passkeys a try. You may run into stumbling blocks along the way and have to fall back to that embattled ancient tool, the password.