What the hell are passkeys and why are they suddenly everywhere?

Passkeys promise a future without passwords, where we access our accounts as easily as we unlock our phones, with a much higher level of security. Pick your big tech poison, like Apple, Google or Microsoft, and you’ve probably seen it announce a passkey takeover. While a full-on passkey revolution may be a bit away, you may be asked to set one up for your accounts soon.

The username and password approach to logins dates back to the 1960s. Ever since then, it's been hackable. Passwords are guessable or phishable, especially if you fail to meet industry standards for a complex, strong password. For a while, the solution seemed to be multi-factor authentication, or a way to verify your identity at login via text message, app, hardware key or other methods. But passkey proponents are saying that solving login security problems means reinventing the first step, not adding on additional processes.

“It's the closest to something that can be scaled to get rid of passwords that we've ever seen,” said Megan Shamas, senior director of marketing at industry association FIDO Alliance. A passkey is a digital authentication credential that is securely stored on your device. Instead of what Shamas called a “shared secret” method of passwords, passkeys are a unique key pair for every online service you use bound to the domain. So, if you create one for your online banking account, and a spoofed website prompts you to sign in, the passkey won’t work.

It also prevents phishing attacks because you can’t give away your passkey like you can with a password or MFA phrase. We can’t call it “unphishable,” said Derek Hanson, vice president of solutions architecture and alliances at security authentication company Yubico, but it certainly thwarts the common attack vectors used today. At the very least, it makes it much more costly and difficult for a hacker to get in, making the hackers likely to move on to weaker targets.

For the user, they’re meant to be easier, too. Instead of trying to keep track of nearly 100 passwords or more, the passkey is stored on your device and connects automatically to the service. Similar to unlocking your phone, you’ll need to enter a pin, fingerprint, face scan or other simple authentication to log in. It seems too good to be true, and it sort of is, because it's still a fragmented space. While the big names have made passkeys trend recently, they could also be holding back widespread use.

Currently, using a passkey locks you into a certain service provider, according to Sayonnha Mandal, Ph.D., lecturer at University of Nebraska Omaha. You can’t, for example, log in to websites on an Android phone with a passkey stored on a MacBook. It’s the kind of lock-in these companies tend to favor because it keeps customers loyal to their brand. So, it’ll take cooperation and “in the absence of a government industrial standard that everybody mandatorily has to adhere to, I don't think by themselves, the companies would.”

But Shamas says that cross-platform accessibility is coming, as companies sign on to FIDO’s industry standards for passkey development. “The deep investment across the industry (including Apple, Google, and Microsoft) to develop and evangelize the passkey technology speaks to the broad belief in its promise,” said a Google spokesperson. At the time of publication, Google Chrome on Mac and Windows only stores passkeys on the local device.

For now, if a website offers you a passkey login option, you should probably sign up. At least for your most sensitive accounts like online banking, make the switch to passkeys as soon as it's offered for an added layer of protection on those accounts, Mandal said. But, if passkeys do take over, it will be a slow transition. Services will likely still offer password options because it’s what consumers are used to, and passkeys still don’t have wide enough support.

In the meantime, it’s a good reminder to stay on top of your security settings. If passkeys aren’t available, make sure MFA is set up and your password is strong instead of just avoiding the security reminder pop-ups at log in.