Ask Ada: What’s a Passkey? Do I Need one as a Sex Worker?


Passwords are a special kind of hell. Remembering and managing dozens, if not hundreds, of gibberish phrases just so we can go about our daily lives and even then, they can still fail us and be hacked? It's not a surprise that most people can't be bothered with the rigmarole of unique passwords, password managers and so on to secure their internet accounts.

But what choice do we have? If you have a single crappy password that you use all over the internet, it's only a matter of time before some hacker clown uses it in a credential stuffing or brute force attack. Which can result in you losing money, taking a hit to your reputation, and an overall bad time. That is not your fault whatsoever, it sucks!

The wider technology industry noticed their customers were stuck in this dilemma and came up with something called “passkeys” as a replacement for a traditional password. While passkeys can be a solution to the password mess that modern technology has inflicted upon us, they can also introduce new and special ways to create headaches that our predecessors could never have imagined even in their wildest dreams.

So let’s learn the basics about passkeys and you can decide for yourself if you want to keep going with tried and true passwords or take the leap with passkeys when the opportunity arises.

What is a passkey?

Instead of using lousy passwords designed for humans to remember and type in, passkeys use super long and complicated passwords called "cryptographic key pairs" that only computers can read. They work on the premise of combining two segments of these long passwords using only bits of information known to each person – i.e., you and the service you're trying to log into. So not only does a hacker need to steal your bit of the password, they also have to steal the other side's bit of the password, which is a pretty tough task, even for the most devilish of computer nerds.

Passkeys are created for you when you either create an account or convert an account from a password to a passkey. They are always unique and are stored directly on your device, web browser or in a password manager. They're actually very similar to physical security tokens (we have a nice blog post about them!) but without the physical bit, as they live on your device rather than being little chunks of plastic you carry around.

When you visit a website or open an app, instead of being welcomed with a login prompt, your device says to the service, "oh, I have a passkey for this, here you go", and pops up a prompt asking if you'd like to use this passkey. It will then ask you to approve its use by typing in your device's PIN or some form of biometrics like Touch ID/Face ID on Apple devices, a Windows Hello eye/face scan on a PC, or an eye/face scan on Android.

Once the service accepts your passkey, you're logged in just like if you used a password and two factor authentication.

What's great about passkeys?

Phishing is a scourge on society and is the main reason passkeys were cooked up. Phishing is when someone tries to trick you into providing access to your account. We have a must-read article about phishing right here on the Tryst blog.

With passkeys there's no two factor authentication code that you can be scammed into handing over and there's no password you can be tricked into typing in on a fake website. For this reason alone, most people would benefit from migrating their online accounts to passkeys if the service prompts them to. It vastly reduces what cybersecurity experts call “the attack surface” for the most common types of scams and hacks that lead to an account takeover.
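For readers who want to see the mechanics behind the login flow and the phishing protection described above, here is a simplified model in Node.js. It is an added example, not code from Tryst or from any passkey vendor: the device holds a private key per site, the service stores only the matching public key, and the two site addresses and all function names are made up for illustration.

```javascript
const nodeCrypto = require("crypto");
// Simplified model of a passkey login, not the full WebAuthn message format.
// Both origins below are constructed for illustration.
const SITE = "https://example-site.test";
const LOOKALIKE = "https://examp1e-site.test";

// The device keeps one private key per site; it never leaves the device.
function createDevice() {
  const keys = new Map(); // origin -> private key
  return {
    register(origin) {
      const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
      keys.set(origin, privateKey);
      return publicKey; // only the public half goes to the service
    },
    // The browser reports the origin that is asking; the user never types it.
    sign(origin, challenge) {
      const privateKey = keys.get(origin);
      if (!privateKey) return null; // no passkey for this origin, nothing to hand over
      const clientData = JSON.stringify({ origin, challenge: challenge.toString("hex") });
      return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey) };
    },
  };
}

// The service checks the origin, its own fresh challenge, and the signature.
function verifyLogin(publicKey, expectedOrigin, challenge, response) {
  if (!response) return false;
  const data = JSON.parse(response.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== challenge.toString("hex")) return false;
  return nodeCrypto.verify("sha256", Buffer.from(response.clientData), publicKey, response.signature);
}

function demo() {
  const device = createDevice();
  const publicKey = device.register(SITE);
  const challenge = nodeCrypto.randomBytes(32);
  const login = device.sign(SITE, challenge);
  return {
    genuine: verifyLogin(publicKey, SITE, challenge, login),
    // A look-alike page relays the challenge, but the device has no key for it.
    phished: verifyLogin(publicKey, SITE, challenge, device.sign(LOOKALIKE, challenge)),
    // An old response is useless once the service issues a new challenge.
    replayed: verifyLogin(publicKey, SITE, nodeCrypto.randomBytes(32), login),
  };
}

console.log(demo());
```

Only the genuine login succeeds. Because the browser supplies the site address and the device looks up the key by it, there is no step at which a person can be talked into handing a passkey to the wrong site.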

Passkeys also replace two factor authentication – you know, those annoying codes you type when logging into stuff. That second factor is now the PIN or biometrics of your device. If you already use a password manager like 1Password or Bitwarden, you don't even need to change your workflow as passkeys can be stored in your secure vaults and accessed on any device you like.  

What sucks about passkeys?

Passkeys are contained to the specific device or web browser, which is fine if you only ever use Apple devices or don't mess with anything except Chrome and Android. If you use a mix of different computing devices, platforms or web browsers (iOS and Windows, Firefox and Android, etc), syncing your passkeys between them all requires a 3rd party password manager like 1Password or Bitwarden.

As of early 2024, the Chrome web browser on Windows can't sync passkeys at all and iCloud will only sync passkeys to non-Apple devices via a Chrome or Edge browser extension – too bad if you need to log into something that's not in the Chrome or Edge web browsers!

If you don't use a 3rd party password manager, don't use iCloud, or don't sync your Google account to your Android phone, then you run the risk of losing access to your account as the only place the passkey is stored is on that device. Lose the device and you lose access to the account.

The world of passkeys is full of little caveats like the above examples that can catch you out if you're not working in a single device ecosystem and enabling cloud sync on everything. Cloud sync of data is something many people take for granted, but sex workers and other vulnerable groups who are more vigilant about where their data goes often have it disabled.

Passkeys are pretty new and plenty of apps and websites do not support them, so you still have to maintain unique passwords, a password manager and some form of two factor authentication for the sites that don't support them. Even some apps and sites that support passkeys only offer it as an alternative form of authentication, so you still have a password you need to manage. As of 2024 you can't go purely passkey for everything.

Where can I use passkeys?

Google and Apple are really keen to get you using a passkey. They have instructions on how to get started:

Popular password managers like 1Password and Bitwarden also have documentation on how to use passkeys:

More and more websites are using passkeys now and 1Password has a nifty list of popular services that have adopted passkeys along with a link to more info on how to use passkeys with them:

Your brain has more important things to do than remember passwords and for a lot of people, using a password manager is still a tough sell. The beauty of passkeys is that Apple and Google have baked them right into your devices and provide the security of unique, strong passwords and two factor authentication without having to set up and manage all that stuff.

While the downsides of passkeys seem a little scary, for most people they are far better than a password alone and simpler to keep secure than a password and two factor authentication. Just be aware of the edge cases when using passkeys outside an all-Apple or all-Google ecosystem, or use a good password manager to handle the passkeys for you, and enjoy the peace of mind they bring without having to remember a password.


Got a tech question for Ada? She wants to hear from you!

Ada answers all your questions about tech, the online world, and staying safe in it. No question is too silly, no hypothetical is too far-fetched! Learn to leverage devices, systems, and platforms to your benefit.