What are passkeys? Here’s the next big sign-in method

Passkey button

Passwords have evolved over time, with companies requiring longer, more complex ones to deal with increased sophistication of hackers trying to break into accounts. Two-factor authentication has also appeared as a way to strengthen security while requiring more work from the user and involving apps, text messages, hardware keys, and more. But is the day finally coming where passwords will no longer be a fixture of our digital lives?

That’s been the promise of passkey, a new industry standard that’s recently been adopted by iPhone, with iOS 16. Ventura, the new operating system for Mac, also supports passkey. Other major device makers are expected to add passkey capability very soon.

Instead of relying on a username and password combination, passkey lets you validate your identity right from your device using your biometrics (faceprint or fingerprint) or PIN. What happens behind the scenes is cryptographically secure, while allowing you to avoid the risks that come with the use of weak passwords.

Read more: Video: Best ways to store your passwords

Passkey vs. password: What’s the difference?

The obvious difference is that passkeys don’t require a username and password combination to log in to your accounts. All you need is a username, and replacing a password is your personal device and your fingerprint, face, or PIN. You’ll also need a Bluetooth connection if you’re using your phone to authenticate on a different device (say, a laptop).

So they’re convenient. But passkeys are also seen as more secure. Here’s why.

Password weaknesses

Passwords are far from perfect. It’s a hassle to remember multiple passwords, especially if they are long and complicated—which is how strong passwords should be. Many of us have used the same password for multiple websites, which is a risky practice, since if the password is discovered for one account, an attacker could try the same password on other accounts. (A password manager can go a long way to help you store your numerous passwords, protected by just one primary password.)

Passwords can be breached. Think of the data breaches we keep hearing about that give up user passwords. There is nothing that individual users can do to prevent these incidents. Passwords can also be discovered through phishing attacks, when users are tricked into giving up their logins to cybercriminals. Hackers can also use brute force attacks to try lots of passwords, to which accounts with weak passwords are particularly vulnerable.

Passkey benefits

Passkeys are not susceptible to the main risks associated with setting passwords. For someone to log in as you, they would need to have your physical device. Even then, without your biometrics (or PIN) they wouldn’t be able to gain access.

Using passkeys means data breaches won’t compromise your login. If someone hacks into a company server, for instance, they wouldn’t be able to discover your password—because it doesn’t exist. As long as they don’t have your device, they don’t have anything useful for breaking into your account.

This also means you don’t have to worry about the risk of repeating passwords. You simply are not using passwords.

Read more: This is how much time you waste resetting your passwords

How do passkeys work?

Passkeys use cryptographic methods to authenticate your identity. Created using an algorithm, every passkey is cryptographically strong and unique. When you set up an account using a passkey, two keys are generated—a public key and a private key. Both are needed to sign in to the account.

The public key is stored on the server and is not a secret. The private key is what is needed to sign in. The server never learns what the private key is.

When logging in, the user’s identity is authenticated on the device via biometrics (or PIN), and the private key authenticates the user to the account. No shared secret is transmitted, and the server does not need to protect the public key.

How to use passkeys on iOS?

With the rollout of iOS 16, iPhone users get to use passkeys. Passkeys can be used across all your Apple devices, with each passkey stored on your iCloud Keychain. All you need to do is sign in with the same Apple ID on all devices. Passkeys are also supported on macOS Ventura and iPadOS 16.

How to create an account with a passkey on iPhone:

  1. On a passkey-supported website, start creating an account. A prompt will appear asking if you want to set up a passkey.
  2. Next, you’ll be asked to choose how you want to sign in. For the majority of users, select “iPhone, iPad or Android device.”
    How to create an account with passkey
  3. Scan the QR code with your iPhone and tap the blue “Continue” button.
  4. Complete the Face ID (or Touch ID) scan. You will be asked to enter your PIN if you don’t have biometric authentication enabled.
  5. That’s it! You’ve created your account.
    How to create an account with passkey

How to sign in with a passkey on iPhone:

  1. When signing in to an account previously set up to use passkey, select the “Sign in with passkey” option.
  2. On the prompt, tap on the blue “Continue” button.
    How to sign in with passkey
  3. Unlock your device with Face ID, Touch ID, or by entering your PIN.
  4. You’re logged in!
    How to sign in with passkey

Not all websites support passkeys, and the ones that do will not force you to use them. Want to give passkeys a go? Try it on the passkey demo website.

What sites are using passkey?

Passkey is the passwordless standard created by the FIDO Alliance and the World Wide Web Consortium, together with Apple, Google, and Microsoft. Passkey works across different operating systems and browser ecosystems and can be used for websites and apps.

Google

Google has brought passkey support to Android and Chrome. If you’re an Android or Chrome user, you can already use passkey on supported websites and apps, though the feature is in beta. Google promises a stable release for passkey by the end of 2022.

As passkey is an industry standard, the feature works the same as it does on Apple devices. On Android and Chrome, your passkey will be tied to your Google Account and securely stored in Google Password Manager.

Microsoft

If you’re a Windows PC user, Microsoft will roll out passkey support in 2023. It will likely be integrated with the Microsoft Authenticator app, which already offers passwordless logins. Microsoft will also support passkey logins for its services, like Microsoft 365, on Apple and Google’s platforms.

PayPal

PayPal has made passkey available as a login option for their customers. If you’re using an Apple device running iOS 16, iPadOS 16, or macOS Ventura, or above, you can use passkey to log in to PayPal. Passkey logins will be available for platforms like Android once the feature is fully supported.

WordPress

Passkey is available for WordPress websites via iThemes Security Pro. To enable Passkey logins, head to your WordPress dashboard. Head to the Security section and the Settings tab on iThemes Security Pro. Next, click on Login Security under Features and toggle Passkeys on. Once you’ve enabled Passkey logins, head to your WordPress Admin Menu and enable the feature for your users.

Others

EBay, the travel app Kayak, retailer Best Buy and more also support passkey. Support is being gradually added to more websites and apps. Once Google rolls out the feature to developers, the two major platforms (Android and iOS for mobile, Chrome and Safari for browsers) will support Passkey, and adoption is expected to soar.

Will passkeys replace passwords?

Probably, though not in the immediate future. Passkey represents a rare alliance between Apple, Google, and Microsoft, but it is still in its infancy, and adoption is low. Once the feature rolls out onto Google and Microsoft platforms, more developers will implement passkeys in their services.

For the time being, the username and password combination remains the default, and passkeys will not be forced onto users at this point. While it’s not fully here yet, a passwordless future is on the horizon.

FAQ: About passkeys

What websites use passkeys?
Can you use passkeys on macOS?
Can you use passkeys on Windows?
Can you use passkeys on Android?
Can you use passkeys on ChromeOS?
Phone protected by ExpressVPN.
Protect your online privacy and security

30-day money-back guarantee

Various devices protected.
Take the first step to protect yourself online. Try ExpressVPN risk-free.
What is a VPN?
Sentient AI scouring the internet for photos of Paddington bear photoshopped into other movies and shows.