ZDNET Highlights
- Passkeys let you sign in without typing or remembering a password.
- Unlike passwords, they are resistant to phishing.
- Syncable passkeys make secure sign-in easy across devices.
In the past year or so, passkeys have gone mainstream. The rate of adoption of this technology has been remarkable, and shows no signs of slowing down. If your experience is like mine, you’re probably invited to save a new passkey at least once or twice a week.
All told, I now have at least 40 saved passkeys. I can use those passkeys to skip the password prompt altogether and sign in with biometrics (face or fingerprint) on dozens of websites, including mainstream shopping destinations like Costco, Target, Amazon, and Walmart, as well as more tech-focused sites like Dell, Adobe, and Dropbox. The company that manages my domain name registration uses a passkey, as do the electric company, my credit union, and my doctor’s office.
But I still hear from readers who don’t understand what a passkey is, how it works, or why it’s better than a password.
After a long online conversation on this topic with a friend, I finally had an “Aha!” moment. I think I figured out why the topic is so confusing: a passkey isn’t a tangible thing; it’s an abstraction. As a result, most attempts to explain the technology get bogged down in technical details.
Even the least technical person you know can tell you what a password is: some combination of letters and numbers, maybe with a symbol. You can create your password using a common word or name or date, and you can even write it on a sticky note. If you’re like most people, you regularly reuse the same password or some variation of it, even if you know it’s probably a bad idea.
A passkey, on the other hand, is harder to describe. If I tell you it’s a secure digital credential generated from a public key and a private key, can you create a mental image to go with those words? Probably not. Burying the definition in more technical details won’t help.
But I think we can get there together, in clear, (mostly) non-technical language without jargon, by working through the questions I keep hearing from readers.
What is a passkey?
A passkey is a secure, saved credential that allows you to sign in to a specific website or web service by proving your identity with biometrics or a PIN. Passkeys are defined by the Web Authentication (WebAuthn) standard.
What happens when you make a passkey?
When you create a passkey, you are actually generating and saving two matching pieces of encrypted digital information: one on the website or service you are signing in to (the standard calls it the relying party), and the other on your device. Those keys only work together; one is useless without the other.
Here’s how it works:
You go to a website and sign in with your password as usual. After signing in, you see a message: Would you like to create a passkey? And you say, “Why, yes, I would.” Or, if the website doesn’t offer to help you create a passkey, you can find the option on the security settings page for your account. For example, the following screenshot shows what you see on Dell.com.
To create a passkey for a website or service, you may need to go to Settings. (Screenshot by Ed Bott/ZDNET)
You’ll need to choose which authenticator to use to generate the passkey (more on that in a moment), but other than that, you don’t need to do anything else. You’ve already signed in using your password, so the website knows you’re authorized to use that account.
The website or service you’re connecting to saves a unique encryption key on its servers, and your authenticator (your device or password manager) generates a second unique, private encryption key and stores it in a secure location on your device.
That’s the passkey – two secrets, one at each end, that work together to establish your right to use the account. Your username and password are no longer included, and no one can see the private encryption keys on your computer, not even you.
Which authenticator should I use?
When you create a passkey, you choose which authenticator to use. The default location is the device itself, such as a PC that supports Windows Hello biometric authentication. You can also choose a password manager that supports passkeys or use a hardware security key.
Why does that matter? If you use your PC, your mobile device, or a hardware security key as the authenticator, you are creating a device-bound passkey. It works only in conjunction with that hardware. If you try to sign in on a different device, or if the hardware security key isn’t working, you won’t have access to that passkey.
In contrast, a password manager can save syncable passkeys that you can use across multiple devices. Google Password Manager and iCloud Keychain can sync your passkeys across devices. Third-party password managers like 1Password or Bitwarden can do the same. (For an updated list of passkey authenticators, see this GitHub page.)
If you’re already accustomed to using a password manager that supports passkeys, this is your best option. You’ll be able to create, manage, and use passkeys using the same interface you already use.
And here’s a power tip: You can use multiple passkey authenticators and create multiple passkeys for the same site. For some high-value sites, I’ve created passkeys based on two or more hardware keys and 1Password, giving me a choice of ways to log in securely to those sites, even on unfamiliar hardware.
How do you use a passkey?
When you visit a website where you previously created a passkey, you enter your email address or username as usual, but instead of seeing a box where you enter the password, you see a message: Would you like to sign in with your passkey? You say yes and click the button for your saved passkey.
You must prove your identity before saving your passkey. (Screenshot by Ed Bott/ZDNET)
The website sends its key to your PC or password manager to be authenticated and essentially says, “The person associated with this key would like to access their account. Do you agree to this?”
Your authenticator (Windows Hello on a PC, iCloud Keychain on an Apple device, or a hardware key) confirms that the request is coming from a legitimate source and not a phishing website. It then checks that key against the information saved in your passkey, confirms they match, and asks you to identify yourself with biometrics or a PIN.
When you do this, your authenticator tells the website that you have proven your identity and have a matching passkey. You are now signed in, just as you would have been if you had used your password.
Your PC or password manager never sent the passkey to the website, so it can’t be intercepted or copied. All that was confirmed is that you are you and that the passkey matches.
Where are passkeys stored?
Your passkeys are stored in a secure location on your phone or computer, protected by cryptographic hardware – TPM on a Windows PC, Secure Enclave on a Mac or iOS device, or a Trusted Execution Environment on an Android device.
Only the authenticator can access the passkey, and it can do so only after you prove your identity. Passkeys are not accessible through the file system, which means you can’t use File Explorer or Finder to scroll through your collection of passkeys.
You cannot open the passkey and inspect its contents. You can’t copy the passkey saved on your phone or computer, and you can’t accidentally use the passkey if a bad guy fools you with a fake website designed to look like a legitimate website.
What happens to my password after I create a passkey?
Someday, many years from now, we may live in a password-less world. That day is not today.
For now, the passkey is an alternative to the password, and your password is usually still available as a way to sign in to the site where you created the passkey. Some services will allow you to remove the password after creating multiple passkeys (for example, you can do so with your Microsoft account), but those options are still rare.
Why is a passkey more secure than a password?
When you use a password, here’s what happens: You visit a website, enter your username and password, and click a button. If everything goes well, you are signed in. But there are many things that can go wrong.
For starters, passwords can be phished. If a bad guy can create a website that looks like your bank’s sign-in page, you can be fooled into entering your password there, at which point the bad guy can sign in as you and steal funds from your bank account.
Passwords can be guessed, either by brute-force attacks that try every possible combination of letters, numbers, and symbols, or by an attacker who figures out your easily guessed password. Just ask Donald Trump, whose Twitter account passwords weren’t hard to guess: “you’re fired” in 2014 and “MAGA2020!” six years later.
Passwords can also be stolen. A keylogger or remote access trojan could send your password to an attacker, or they could use the extremely low-tech alternative of “shoulder surfing”: watching your username and password as you type, perhaps with the help of a video camera.
Even if your OpSec is perfect, your password can still be hijacked if the website does a poor job of storing and securing it.
Finally, you may (unwisely) reuse that username and password combination on other sites, and you’ll be vulnerable if that site’s password is ever leaked or phished.
Passkeys are immune to those attacks. A skilled phisher can fool you into thinking that a fake website is real, but he will never get access to the passkey, because the domain and the associated encryption key do not match. And it can’t be stolen, because it never leaves its secure storage on your device.
The only way to unlock it is if you identify yourself with biometrics or a PIN after your authenticator receives a valid request from a remote server.
Do I need to worry about making passkeys unique?
For years, you’ve been reading advice columns telling you how important it is to have a unique password for every site. So, do you need to take the same level of caution and create a unique passkey for each site that supports them?
Ha! That’s almost a trick question. Passkeys are unique by definition. Each passkey is made up of two different encryption keys that are created for use only by the site or service where it was created.
However, you can have multiple passkeys for the same site. If they’re device-bound, you might have one for your laptop and one for your phone. Or you may have one or more hardware keys like the YubiKey. As I mentioned earlier, the most convenient option is to create a syncable passkey in your password manager.
