Use Passkeys
- Passkeys make logging into accounts faster, easier, and safer.
- They can replace both passwords and two-factor authentication in
day-to-day use.
- Behind the scenes, a passkey uses a pair of mathematically linked
numbers – one kept on your device and the other by the website – making it
extremely resistant to hacking.
- Lost passkeys can be replaced by verifying your identity, for example
via a text message, recovery code or another device.
The case for passkeys
In the last two chapters you learned the importance of protecting your
online accounts with strong, unique passwords. You also learned that this is
easier said than done, and that password managers can help. Next, you
learned that by combining passwords with two-factor authentication, the
security of an account is greatly improved.
But passwords are still a liability both for website operators and
customers, and two-factor authentication can be a hassle. So, for several
years, computer scientists have been working on an alternative that’s easier
and safer. The result is passkeys.
The technology underlying passkeys is an open standard managed by a
non-profit organisation, which ensures that passkeys are widely compatible
with apps and devices from different manufacturers, including Apple, Google
and Microsoft.
Matching pairs
A passkey is a unique association between you and a website. It’s not
something you have to come up with yourself; but it’s not just a long,
random password either.
In fact, there are really two keys involved: one kept secret by your
device, and one stored by the website. The keys are mathematically linked
in such a way that your device can prove its identity to the site without
actually sending the secret key.
Security benefits
Not only are passkeys something you don’t have to remember, they’re also
considered secure enough to skip two-factor authentication. The extent to
which different sites allow you to sign in solely with a passkey remains to
be seen, but in theory, passkeys make signing into websites quicker and
easier than ever.
Another benefit is that you can’t be tricked into typing a passkey into a
phishing website (for more on phishing, see
Recognise Social Engineering). You wouldn’t
know what to type, because you never actually see your secret keys. And
unlike a human, a browser can’t be tricked by a subtly misspelt address or a
convincing spoof of a popular site: it will only automatically offer a
passkey to the site to which it belongs.
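The key pair and the phishing-resistant handshake described under ‘Matching pairs’ and above, reduced to a small Go program. This is an added illustration, not code from the page or from any passkey implementation: it assumes a made-up site identifier (‘example.com’), stands in for WebAuthn’s real message format with a simple hash of the site name and challenge, and keeps both the device’s and the website’s halves in one file so the exchange can be read end to end.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Passkey is what the device keeps: a private key bound to one site (rpID).
type Passkey struct {
	RPID string
	Priv *ecdsa.PrivateKey
}
// Credential is what the website stores: only the matching public key.
type Credential struct {
	RPID string
	Pub  *ecdsa.PublicKey
}

// Register runs on the device: it makes the key pair and gives the site only the public half.
func Register(rpID string) (*Passkey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{rpID, priv}, &Credential{rpID, &priv.PublicKey}, nil
}

// signedMessage binds the site's random challenge to the site identifier; a
// simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign is the device's half of the handshake. It refuses unless the site asking
// is the one the passkey belongs to, so a look-alike domain gets nothing.
func (p *Passkey) Sign(askingRPID string, challenge []byte) ([]byte, error) {
	if askingRPID != p.RPID {
		return nil, errors.New("no passkey registered for " + askingRPID)
	}
	return ecdsa.SignASN1(rand.Reader, p.Priv, signedMessage(p.RPID, challenge))
}

// Verify is the site's half: the stored public key checks the signature over the
// fresh challenge it issued, so no secret was sent and an old signature cannot be reused.
func (c *Credential) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, signedMessage(c.RPID, challenge), sig)
}
```

In a real login the website generates a new random challenge for every attempt; the test below supplies a constructed one.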
Creating passkeys
Some websites will prompt you to set up a passkey when you sign in.
Otherwise, you can go to the page for managing your account; typically the
link is in the top-right corner. If the website supports passkeys, you’ll
find the option to create one under a heading like ‘security’ or ‘sign-in
options’.
Behind the scenes, creating the key pair is usually the job of the
operating system: Windows, macOS, Android, iOS or another.
Using passkeys
Your computer, tablet or phone stores passkeys securely, but you don’t need
to remember a new code or master password to actually log into websites with
them: you just use the same fingerprint, face recognition, PIN or password
you use to unlock the device. Your browser selects the passkey that matches
the website you’re using, and performs the necessary ‘handshake’ to log you
in.
Note that your biometric information, PIN or device password isn’t shared
with the website. In fact, it never leaves your device. Rather, these means
of authentication are simply how you consent to using the passkey.
Syncing passkeys
The major industry players – and others, including companies making
password managers – have created ways to sync passkeys between your devices
via their respective cloud services (for more on password managers, see
Use Strong, Unique Passwords).
In doing so they have carefully considered the safety of the stored keys,
which would be a goldmine to hackers. They’re encrypted using a PIN or
equivalent – chosen by and known only to each customer – so that the company
itself can’t read them. This means that even if the whole company is
breached, or compelled to give access to a law enforcement agency,
everyone’s passkeys will still be safe.
Lost passkeys
While passkeys are convenient for day-to-day use, they don’t supplant the
older authentication options you’ve previously set up. If for any reason you
lose your passkeys, you can still log into the site using your password and
two-factor authentication.
It’s likely that in future, more accounts will go passwordless – but they
still won’t rely on passkeys exclusively. You’ll still register a phone
number, authenticator app or hardware token – or print a recovery code – in
case you lose your passkeys.