Unlock Exclusive Benefits

Join our community and gain access to premium content, early updates, member-only posts, and more. Elevate your experience with our subscription offer today!

Subscribe AFP.one cover image AFP.one cover image
Asa profile image Asa

How Passkeys Work: The Tech Behind the Passwordless Future

Passkeys offer a passwordless future powered by public key cryptography. This emerging authentication method uses your biometrics and devices to log in, enhancing both security and convenience. Learn how passkeys work and why they beat passwords.

How Passkeys Work: The Tech Behind the Passwordless Future

Passwords have become an integral part of our digital lives. We use them to access everything - email, banking, social media, and more. Yet juggling an ever-growing list of complex passwords is a frustrating burden.

Even worse, passwords remain highly vulnerable to attackers, with over 24 billion login credentials exposed in data breaches during 2022 alone according to Digital Shadows. Also, according to the cyber security statistics by PurpleSec, the cost of cybercrime is estimated to reach $10.5 trillion annually by 2025.

Authentication methods timeline
Authentication methods timeline | Source: WorkOS

Could there finally be a convenient and truly secure alternative to passwords on the horizon? Enter passkeys. 🛡️

What Are Passkeys?

Passkeys are a new form of credential that enable passwordless authentication using public-key cryptography. They allow you to log into websites and apps by unlocking your device using your face, fingerprint, PIN, or other biometric.

Passkeys aim to offer both enhanced security and better convenience compared to passwords:

  • More secure - Resistant to phishing, guessing, and data breaches
  • Easier to use - No complex passwords to remember
  • Faster login - Single tap vs. typing credentials
  • Cross-platform - Works across devices and operating systems

How Do Passkeys Work?

Passkeys use asymmetric cryptography where two mathematically-linked keys are generated during setup:

  • Public key - Stored on the server side
  • Private key - Stored only on the user's device

To authenticate, the service verifies that the passkey signature from your device matches the public key on file. Your private key remains securely on your device. No secrets are shared or stored externally.

The Path to a Passwordless Future

Leading technology companies like Google, Microsoft, and Apple are already pushing passkey adoption across their platforms. And websites like PayPal, Amazon, and Reddit are starting to support passkey login.

While universal adoption will take time, the stage is set for passkeys to ultimately replace password authentication. That passwordless future offers exciting potential to fix the password problem once and for all.

Passkeys harbor great promise to overcome the security pitfalls and fatigue plaguing password-based authentication. Read on to learn more about this emerging passwordless solution.

Why Passwords Must Evolve

Like most people, I have password fatigue. Between work logins, email, social media, apps, and endless online accounts, I need to remember tons of complex passwords. Even using a password manager, I still face frustration from endless credential upkeep.

Just when I've set up the latest randomly-generated 25-character password, my manager prompts me to change it again or risk an account takeover. So annoying! 😤

Password managers help recall logins, but don't fully address core vulnerabilities...

And even after racking my brain to create a new "secure password" for my latest online subscription, I still needed to add numbers, special characters, capital letters, use a passphrase...the list goes on.

Why are we still using this ancient authentication method?

Well...because the majority of online services still rely on passwords. And moving the entire internet to a new login standard is no small feat.

There’s no denying passwords remain the dominant online login credential. We can’t discount passwords completely. After all, they got us to where we are today in enabling access across networks.

But increased reliance on digital systems exposes glaring password weaknesses leaving accounts breachable. The threats resulting from compromised credentials evolve faster than antiquated password protocols can contain.

But that transition may be closer than ever with the emergence of passkeys. Keep reading to understand why passwords must be replaced and the game-changing security and convenience benefits passkeys offer.

Passwords Still Needed, For Now

Legacy passwords don’t lack advantages altogether. At minimum, they:

  • Allow login portability across devices/networks with just a memorized/saved string
  • Enable access revocation instantly via change requests
  • Represent global standard everyone understands
  • Integrate with old systems and complex enterprise infrastructure

Large technology shifts don’t happen overnight. So passwords will stick around in some form as new standards emerge.

But password dominance risks lulling us into complacency that our digital assets stay secured. In reality...

Passwords Pose Serious Security Risks

Passwords might seem familiar and comfortable, but they open major security holes that allow attackers access to our most sensitive digital assets and information.

Easy Targets for Attackers

The common security flaws that make passwords prone to hacking, cracking, theft and misuse include:

  • Guessable - Pet names, common strings like "123456", repeated characters are easy to crack with brute force
  • Reused - People use the same passwords on multiple accounts
  • Phishable - Easily tricked into giving up passwords by "official" looking requests
  • Memorable - Forgetting complex passwords leads to unsafe password habits
  • Shareable - Can be leaked, stolen, accidentally exposed

According to a 2021 report by LastPass, over 80% of confirmed data breaches are linked to compromised, weak, or reused passwords

With so many ways for passwords to compromised, it's no wonder large-scale data breaches extracting millions or even billions of login credentials have become commonplace.

And once your password is out there along with your username or email address, consider all accounts using that password at risk.

Stats on password problems
Stats on password problems | Source: Nomios

Hackers Love Passwords

The weaknesses inherent in password-based authentication makes attackers' jobs easier. They don't need to outsmart complex technology security measures. Humans are the weakest link.

Tapping into our forgetfulness, fear, laziness or naivety allows them to gain account access, often with a simple phishing email or fraudulent phone call.

Once in, the damage caused can range from stolen payment card data all the way to full identity theft.

Password Fatigue Sets In

Juggling passwords for the dozens (or hundreds) of accounts people need access to drives most of us crazy.

Ever find yourself repeatedly resetting a password because what you thought it was doesn't work? Or having to verify your identity to confirm an account is really yours?

Remembering is Hard

The loved ones special dates we can recall perfectly - somehow remembering those random 16 character passwords with letters, numbers and symbols intermixed doesn't come so naturally!

To cope, we:

  • Reset frequently - Annoying and time wasting
  • Reuse dangerously - Great for hackers!
  • Write down insecurely - "My Passwords" notebook on bedside table, anyone?
  • Give up control - Using the same password everywhere out of necessity

No great choices. Just password fatigue for the loss.

Password Managers - Better But Not Ironclad

In the 2022 LastPass security breach, hackers gained access to parts of the company's development environment through a compromised developer account, which led to the theft of source code and proprietary technical information.

While LastPass has not confirmed any unpatched vulnerabilities, experts have reported that some of the stolen password vaults may have been cracked, with collectively over $35 million in crypto reportedly stolen so far.

While definitely more convenient and able to reduce the memory burden, password managers fail to resolve core security shortcomings:

  • Single point of failure - Crack the master password, expose all credentials
  • Cloud backups create central target for mass theft
  • Phishable master passwords negate security value
  • Password reuse still lurks as threat vector
  • Creating complex unique passwords is still tedious
  • Account lockouts, resets and breached password alerts still commonplace

And crucially - password reuse, server breaches, human error or social engineering can still expose accounts.

So managers improve convenience but fall short boosting security. There's a better way... one not reliant on opaque shared secrets like passwords in the first place.

Adding a password vault improves convenience but leaves much to be desired securing accounts in the hyperconnected world we inhabit.

It's Time to Move Beyond Passwords

Maybe it's unfair to fully blame users 🙅. The concept of passwords for identity verification dates back hundreds of years. We're stuck relying on an antiquated authentication method in a new digital-first world.

Something more secure, convenient and suited for 2023 internet use cases is overdue.

That's where passkeys come in...but more on why this emerging passwordless approach truly bests passwords later on.

For now, remember these key inconvenient truths around traditional password usage:

  • Susceptible to guessing and cracking
  • Reuse leads to account breaches spreading
  • Billions of stolen credentials floating around
  • Phishing targets users as the weak link
  • Managing so many complex passwords hurts

The password problems won't be fixed with rules for longer, more complex strings or third-party managers. The password system itself needs replaced by stronger technology tailored to today's digital security landscape.

Understanding Passkeys

By now, I hope I’ve convinced you that the password’s time is up 😅. Passwords are no longer sufficient to protect our digital assets and online identities.

Luckily, a promising password alternative has emerged to take their place - passkeys 😎.

Passkeys introduce a new approach to login authentication and account security powered by advanced public key cryptography. Once adopted at scale, passkeys have the potential to eliminate many of passwords' security pitfalls and relieve the headache of password overload.

Let's walk through the key questions to develop an understanding of what passkeys are, how they work and what benefits they offer compared to traditional passwords.

What Exactly Are Passkeys?

In simple terms, passkeys are digital keys that allow you to securely login to online accounts without needing to enter passwords. Instead, you authenticate with passkeys using biometrics like face recognition or your fingerprint.

How do FIDO passkeys work?
How do FIDO passkeys work? | Source: FIDO Allicance & Ping Identity

Passkeys build upon the groundbreaking FIDO (Fast Identity Online) Alliance's WebAuthn protocol. WebAuthn enables creation of unphishable and passwordless login credentials via public key cryptography and device-based authenticators.

With WebAuthn serving as the underlying login standard, passkeys can be securely stored on common devices like:

  • Laptops
  • Smartphones
  • Tablets
  • External hardware keys

Accessing passkey-protected accounts simply requires possessing your enrolled device to complete authentication using your fingerprint, face scan, PIN or other method.

No passwords to struggle remembering 🥂!

How Do Passkeys Work?

The magic behind passkeys lies in public key cryptography, where two mathematically linked encryption keys are created during passkey enrollment.

These keys include:

  • Public key - Stored server-side and binds the passkey to your account
  • Private key - Stored locally on your device; used to authenticate
Passkey registration
Passkey registration | Source: web.dev

When logging in, your device's passkey manager signs data with your private key without exposing it. The server verifies this signature against your public key on file to authenticate access.

So your unique digital passkey confirms your identity without revealing secret credentials externally. Powerful stuff!

Other key aspects like how passkey signatures are checked on each login, backup and recovery handling, plus evolving browser/platform support are also worth diving deeper on.

But let's first talk benefits...

Why Passkeys Beat Passwords

At a high level, passkeys introduce major security, convenience and user experience upgrades over password authentication:

  • More secure - Resilient against data breaches, cracking, phishing
  • More convenient - Nothing to memorize or store long-term
  • Faster logins - Single biometrics scan vs. typing passwords
  • Cross-platform - Works across Android, iOS, Windows, macOS, Linux
  • Auto-syncing - Passkeys transfer seamlessly to new devices

And remember, you still authenticate each passkey access attempt with a biometric or PIN on your enrolled device. No secrets travel externally to decrypt.

Passkeys shift away from security depending on opaque secrets (passwords) to requiring physical possession of registered devices. This achieves true multi-factor authentication with a simpler, faster user experience.

Intrigued yet? Read on...

When Will Passkeys Replace Passwords?

Now that major platforms from Apple to Microsoft support passkeys, consumer and business adoption is gaining steam.

Leading websites like PayPal, eBay, Reddit, Dashlane already offer passkey login too. Widespread compatibility will continue expanding.

While universal transition from legacy passwords won't happen overnight, the stage is set for passkeys to dominate as the new authentication standard in coming years.

How Passkeys Enhance Security

By now hopefully I’ve convinced you of passwords’ pressing security gaps in the digital era. While still essential in the short term, legacy password protocols fail to offer sufficient identity protection and access control given growing cyberthreat sophistication.

Enter passkeys - a fan favorite new authentication approach set to level up security by eliminating the most common password vulnerabilities!

Let’s explore specifically how adopting passkeys hardens the login layer to fortify your online presence across devices and accounts against various breach vectors.

Built Around You - Not Static Secrets

Passkeys flip the legacy password paradigm on its head with user-centric protocols. They provide encryption keys securing access tied intrinsically to your identity and registered devices - not static alphanumeric strings.

This allows authenticating sites to cryptographically confirm “Yes, this login attempt comes from the expected human’s actual hardware” without directly exposing vulnerability-prone secrets.

How passkeys synchronization  works
How passkeys synchronization works | Source: Thales

By properly registering devices to your account with unique passkeys, you bypass transmitting any stealable credentials whatsoever to/from servers. The secrets enabling access control stay protected locally on your hardware.

Security Upgrades Add Up

Summarizing at a high-level, embracing passkeys fortifies login integrity in these key ways:

  • No passwords/secrets stored server-side for thieves to steal
  • Encrypted passkey data useless if databases compromised
  • Locally stored private keys never leave your devices
  • Phishing resistant with cryptographic login confirmation
  • Faster revocation if devices are lost; no secrets to change
  • Breached passwords on other sites have no impact

Basically all the gaping holes that allow identity theft and account takeover with passwords get closed off. I love multi-layered security!

Hardware Roots Trust Deep

Another great aspect of passkeys involves binding your digital identity directly to physical authenticator devices you own and control.

These registered hardware signers of passkey login attempts include:

  • Smartphones
  • Tablets
  • Laptops
  • External security keys

Rather than relying on figurative “ownership” of secret knowledge (passwords) granting access, enrollable devices you physically hold provide keys to your digital kingdom with passkeys.

No devices = no dice for potential imposters!

Forward-Thinking Protections

By shifting authentication factors toward “What trusted devices prove your identity?” and away from “What opaque secrets do you know?”, passkeys open exciting potential.

Expect even stronger cryptographic assurances of legitimate remote access attempts as hardware security capabilities advance. In many ways, passkeys future-proof identity protection based on data-backed confirmation that “You are who you say you are” during each login.

Promising prospects in the ever-evolving world of cybersecurity!

Passkeys Unlock Convenience

We’ve covered the gaping security advantages passkeys introduce. But equally as important, they also majorly upgrade the user experience and convenience of accessing accounts.

While robust identity protection ranks first priority, let’s be honest - barely usable security solutions don’t last regardless of their cryptographic brilliance.

Thankfully passkeys strike an amazing balance between hardened defenses AND relieved login friction. Let's dig in on convenience upsides!

Faster Access

One massive convenience gain involves cutting login time to a fraction of password entry. Authenticating via passkeys takes seconds rather than the 15+ seconds fiddling with a password manager to copy-paste unique credentials might involve.

Cross-platform and auto-sync illustrations
Cross-platform and auto-sync illustrations | Source: Stytch

Benefits like:

  • Tap to unlock biometrics
  • No typing lengthy random strings
  • Zero remembering any secrets

All combine to slash the login process to a single authentication scan. Hello speedy convenience~

And aggregated across the dozens of account sign-ins people perform daily, those extra 10+ seconds per login saved truly add up. More time for what matters!

Anywhere Availability

Unlike password managers locked to specific devices, passkeys sync securely across your personal hardware ecosystem.

That means seamless tap-to-login convenience whether on:

  • Smartphone
  • Tablet
  • Laptop
  • Desktop

No more emailing credentials around or copying complex memorized secrets to access accounts when shifting devices. Passkeys travel with you automatically once registered to accounts.

Hassle-Free Maintenance

Another understated convenience angle with passkeys involves basically setting them and forgetting them once enrolled.

Unlike passwords constantly demanding resets and updates, passkey lifecycles stay smooth without forced maintenance interrupting account access.

Forget about:

  • Annoying expired password alerts
  • Account lockouts after pasting incorrect saved credentials
  • Frantically recovering lost password manager master keys

Passkeys start stronger than even the most complex passwords, yet avoid ongoing upkeep headaches. Sounds good to me~

Better Security and UX? Believe It!

Historically, improving security meant accepting usability tradeoffs for users with steps like multi-factor requirements.

Passkeys uniquely offer enhanced protections AND relieve login friction better than passwords can achieve. That consumer-friendly security/convenience combo will accelerate mainstream passkey adoption once understood and experienced!

At this point, I hope you’re as excited as me about the game-changing security and convenience benefits passkeys introduce for identity and access management!

But even the most advanced authentication technology remains meaningless until widely built into the apps and sites people actually use daily. So what stands in the way of passkeys eliminating passwords?

Let’s address the main speedbumps on the road to a truly passwordless future.

User Education Represents a Hurdle

Passkeys involve a new concept most people don’t grasp immediately. Explaining public key cryptography may seem challenging to those unfamiliar with the topic, but with some effort, anyone can grasp the concepts.

And when password use stays deeply ingrained after decades of predominance, why switch?

These education and inertia challenges slow frictionless passkey onboarding. Most users need awareness help understanding:

  • Why passwords now fall short
  • How passkeys achieve multiple security and convenience upgrades
  • Steps for easily configuring passkeys across their devices

Developing digestible explainers and intuitive setup flows remains crucial to driving mass adoption.

Passkey adoption has accelerated from 2022 to 2023
Passkey adoption has accelerated from 2022 to 2023 | Source: Corbado

Compatibility Coverage Still Expanding

The user experience also suffers if people configure passkeys but sites/apps visited don’t support login. It breeds frustration retaining old passwords only for specific accounts.

While browser and platform compatibility looks solid, the website/app integration must continue evolving.

Until passkey creator teams engage partners far and wide to match easy enrollment with universal usage opportunities, rounded convenience stalls.

But the outlook seems bright with major sites onboarding!

Backup and Recovery Requires Refinement

Finally, even huge fans notice the passkey restore process requires too much hunting when testing backup after losing a device. Recovery needs even more seamless flows as passkeys overtake entire identity infrastructures.

Image losing access to dozens of accounts at once... then needing multi-step verification just to restore passkey accessibility. 😔

So while intrinsically resilient against individual account breaches, system-wide passkey disruption scenarios reveal gaps to shore up.

I believe early adopters will pave the way by working through any initial hiccups as passwordless guardrails continue maturing on all fronts.

The Future Looks Passwordless!

We’ve covered a lot of ground explaining the impending passkey revolution. By now, I hope you share my excitement about their future potential to supersede password-centric login risks!

Let’s shift our gaze beyond adoption hurdles (which will certainly smooth given time) to the passwordless wonderland that awaits as passkeys prevail across websites, apps and networks.

Early But Clear Traction

Leading platforms like Apple, Google, and Microsoft already embedding passkey support across their ecosystems demonstrates meaningful momentum.

Several major apps and sites also recently began offering passkey authentication, including:

  • PayPal
  • Reddit
  • eBay
  • Dashlane
  • Best Buy
FIDO Alliance
FIDO Alliance | Source: Security Design

With such influential industry players on board already, expanded compatibility that encourages widespread passkey configurations inevitable.

Enhanced Security Blankets Us

As passkey usage grows, we’ll rest easy under strengthened identity protections on all fronts:

  • No more leaked password databases tempting fraudsters
  • Reduced phishing effectiveness shielding accounts
  • Revoked access instantly when devices are lost
  • Minimized repercussions of breached accounts
  • Higher security baseline ENABLED better UX

These cumulative benefits square previous tradeoffs between security and convenience - a win/win!

Frictionless Access For All

A passwordless future also brings usage gains through universal passkey availability. Apps and sites accessed will simply WORK for enrolled users.

Expect tap sign-ins authorized seamlessly by:

  • Fingerprint
  • Face recognition
  • External hardware keys
  • Device PIN codes

True multi-factor security with LESS steps.

Passkeys is Promising but with Limitations

While Passkeys show promise to someday replace passwords, there are some immediate limitations to their widespread adoption:

Lower Security Level

Compared to previous FIDO2 implementations that required hardware-based authentication for maximum security, Passkeys introduce syncing across devices which lowers the overall security assurance level. There is currently no option for relying parties or users to disable Passkeys and revert to more secure device-bound credentials. Additional protocols would need to be adopted to restore higher levels of hardware-based security.

Lack of Cross-Platform Ecosystem Syncing

Passkeys rely on client-side synchronization of cryptographic keys to users' various devices. However, the current synchronization approaches lead to a fragmented and confusing experience for users:

On Apple MacOS devices, Passkeys created in one browser (e.g. Chrome) are isolated and not visible to other browsers (e.g. Safari), due to platform authenticator limitations. Apple can only synchronize Passkeys created in Safari across iCloud Keychain. Users may wrongly assume Passkeys they create in Chrome on a Mac will sync to their iPhone or iPad. When keys unexpectedly fail to sync across browsers, it damages user trust and causes login issues.

For Windows users, the experience is even more fragmented. Since Microsoft does not own a mobile platform, Passkeys registered on a Windows desktop are completely isolated from keys created later on iOS or Android mobile devices. Users constantly have to track which keys are stored on which platforms and remember that. Logging in via QR code scanning can help use mobile Passkey stores, but the multiple steps required create friction.

In general, the lack of automatic cross-platform sync causes endless confusion when users switch between or own multiple brands of devices. Neither Microsoft's nor Google's browser-based synchronization stretch across competing operating systems like Apple and Android.

Passkeys sync across ecosystems
Passkeys sync across ecosystems | Source: Huan Liu's Blog

Business travelers jumping between work and personal laptops and phones will suffer authentication failures from the fragmented key stores. Even sticking just within Apple's ecosystem poses headaches when upgrading from MacOS to Windows down the road, since cloud ecosystems don't interoperate.

Solving the sync fragmentation requires coordinated work across multiple vendors and layers. More elegant options like secure password manager-style sync or automatic cloud propagation of Passkeys between platforms are needed. Until then, users will endure a disconnected experience that damages trust in Passkey security.

Burden of Managing Multiple Keys

With Passkeys, users have to track multiple public/private key pairs across their different devices and browser instances. Revoking access by deleting keys adds complexity since users need to be careful to delete the proper key for each platform. Private keys may also still be visible after public keys are deleted on the server side, creating user confusion.

Additional measures around adding recovery options, stepping up authentication levels when new devices are detected, capturing user agent strings, and further user education can help ease the transition to Passkeys. But fundamentally, more work needs to be done to improve cross-platform interoperability and simplify the user experience before Passkeys are ready to fully displace passwords.


Don't password managers solve these issues already?

password managers improve convenience by storing long random passwords. However, serious vulnerabilities remain unaddressed:

  • Single point of failure - one master password unlocks the kingdom

  • Cloud backups allow mass decryption in worst case

  • Phishable master keys still leave infrastructure breachable

  • Account lockouts, resets still plague users

By removing secrets altogether, passkeys overcome lingering risks.

Why trust biometrics more than passwords?

No biometric data gets exposed externally with passkeys. Your physical authenticator device uses fingerprint scans and facial recognition locally when unlocking the accounts assigned to it.

Passkeys introduce device-centric protocols binding your identity to registered hardware under your control. The secrets enabling access never leave your possession.

How does my smartwatch work as a passkey?

Wearables like watches can store passkeys then communicate via Bluetooth with nearby devices when authenticating, likely requiring a PIN as well.

This allows tapping your watch to seamlessly login on a computer for example. Super convenient!

What if I lose all my passkey devices?

Losing hardware with registered passkeys risks account access interruption, no doubt. Robust identity recovery protections are still being built out.

But passkeys offer stronger baseline security factors making individual breaches extremely unlikely. Account recovery won't depend on easily crackable secrets either once restored.

I expect rapid innovations minimizes this adoptability friction point ASAP!

What is the key value proposition of passkeys?

Passkeys eliminate the security pitfalls and fatigue plaguing password-based authentication by binding your digital identity to hardware authenticators only you control.

Asa profile image


Asa is a mononymous person and has been passionate about technology since in middle school. Asa has taken on the role of an editor at AFP1.