Digital passwords have existed since the 1960s, and we haven’t come up with a better option...until now. An tech industry-wide group called the FIDO Alliance aims to get rid of them, and for good reason: Passwords are easy to hack, and difficult to remember. The smarter method, they argue, is to scrap troublesome passwords altogether and use cryptographic keys for authentication instead. These tools are popularly known as passkeys, and they are already starting to take off.
Google and Apple have added passkeys into various products and services, and other big companies like Microsoft are not far behind. Of course, a big change like this brings its own set of questions: How easy is it going to be to switch from passwords to passkeys? Are passkeys really that much safer? What happens if I lose my passkey?
How passkeys work in theory
Passkeys are built on public web authentication standards. Instead of creating a password, you create a cryptographically generated passkey that’s stored on your device. This key is unique, private, and strong. A public counterpart of this authentication is also stored on the server you’re trying to log into, and is only used to facilitate the login process. Even if the server component is leaked, nothing is truly lost, since you can’t log in using your passkey unless you also have your device.
Because each passkey is linked to the particular account, there’s no risk of phishing, as you can’t be forced to use your Google Account passkey with a scam website that looks like a Google login page.
You can create generate a passkey for all your devices individually. Here, using something like iCloud Keychain is helpful, because you can create one passkey and use it across all your Apple devices. Google also supports this feature for Google Accounts.
Passkeys also support a feature called cross-device authentication, which allows you to authenticate using a passkey stored on your iPhone or Android smartphone. A login form will show a QR code. Scan it and authenticate using your smartphone, and you’re in! If you’re concerned about the security of using a simple QR code, don’t be: This feature only works if the smartphone is near enough to the unauthenticated device to connect over Bluetooth. And once the QR code is scanned, it becomes invalid.
Setting up a passkey through Google and Apple
Let’s take a look at two different approaches to setting up a passkey, starting with Google. Google lets you create a passkey for logging into your Google Account, which offers great protection for your entire Google world. As long as you meet the right requirements, you can use your personal device to log into your Google Account using a passkey.
To start, go to Google’s Passkeys setup page. Log in, then choose Create a passkey. Click Continue on the popup to create a passkey for the device you’re using (say, your iPhone). Now, choose your account, then hit Continue.
Now, you can use your device password, Face ID, or PIN to authenticate yourself, and click Done to end the process. While you can create passkeys for as many devices as you want to log into Google with, you’ll find it’s particularly useful with Apple, since you’ll be able to sign in with that passkey on any Apple device using your Apple ID.
Speaking of Apple, they have a different passkey approach. You still need a traditional password to log into your Apple ID, but you can still set up passkeys to log into your various accounts, when supported. You’ll need an Apple device running iOS 16 or macOS Ventura or newer, and to be using iCloud Keychain.
When you create a new account that supports passkeys, or you access the account management settings of an account that supports passkeys, you’ll see the option to create a passkey. When you choose it, you can tap “Continue” to save the passkey (iPhone), or choose your authentication process on Mac (Touch ID, QR code, or external security key). This passkey will save to your iCloud Keychain, so you’ll be able to use it across all your Apple ID devices, not just the device you made it on.
How a passkey works in practice
Once you have created a passkey on your device, you only need authenticate your login using Face ID, Touch ID, or your device password or PIN. If you’re using Apple products, a single passkey will work for all your devices, and will support autofill as well—though you’ll be limited to using the Safari browser. If you’re using Chrome, you’ll need to create a new passkey from your Google Account. Currently, Firefox doesn’t support passkeys.
By way of example, here’s how the process works in Google. When you go to the login page, you’ll be asked to use passkeys instead of other methods. Click the Continue button.
Screenshot: Khamosh Pathak
Now, the OS level prompt for authentication will show up. For me, that’s logging into my MacBook Air on Safari via a Touch ID authentication. Once you authenticate, you’ll be logged in.
Screenshot: Khamosh Pathak
That’s it—a two-step process that’s secure and easy to use. You don’t need to remember a password, or wait for a one-time password or code over SMS, or even an authenticator app.
Passkeys aren’t just easier to use, they’re more secure
Passkeys are easier to use than passwords, especially when you consider the security issues of SMS 2FA, and the hassle of using a one-time authentication app. But the promise of passkeys goes beyond just ease of use—because they are made cryptographically, they are secure and encrypted by default, and will prevent phishing and other types of scams.
The only major downside of passkeys are their dependence on your device, and on keys generated by companies themselves. Device authentication is not an issue if you’re using Face ID and services like iCloud Keychain.
That said, you don’t have to trust big companies to generate your passkeys. Password managers like 1Password are evolving to help you manage all your passkeys in a secure, third-party account. And you’re always free to carry your passkeys around in a secure digital key that you own and manage yourself.
The clear advantage of using a service like 1Password or even iCloud Keychain is that passkeys are stored in end-t0-end encrypted vaults. As long as the account itself is secure, there is no risk of your data being compromised in a leak.