If you are tired of memorizing passwords for all of your online accounts over the years, then give passkeys a try.
You might have noticed that many online services are now offering the option of using passkeys, a digital authentication method touted as an easier and more secure way to log in. The passkey push started gaining major momentum after Google started accepting them about 18 months ago.
Passkeys are seen as eventual replacements for passwords, but if you are still not sure what they are all about, here is what you need to know:
WHAT ARE PASSKEYS? AND HOW DO THEY WORK?
Forget about memorizing an optimized 14-character password consisting of letters, numbers, and symbols. Passkeys do away with that because you never need to see them. Instead, you use something you already have, such as your face or fingerprint, a screen-unlock pattern, or a PIN, to access your accounts.
A passkey is made up of two matching parts of a cryptographic code that only work together, kind of like a digital key and padlock. You keep one half, typically stored either in the cloud with a compatible password manager or on a physical security dongle. The other half is stored by the participating app, service, or account you want to access.
When you want to log in to your Gmail account, for example, the two halves check each other directly and, if they match, you are let in.
DO THEY OFFER BETTER SECURITY?
A passkey will not work on any website other than the one it was created for, eliminating the security risks associated with traditional passwords.
That means bad actors running phishing scams cannot trick you into entering your details into a copycat login page for your bank. And because passkeys use cryptographic security, attackers also cannot brute-force their way into your account by guessing passwords or trying ones exposed in previous data breaches.
WHERE CAN YOU USE PASSKEYS?
Some 20% of the world’s top 100 websites now accept passkeys, said Andrew Shikiar, CEO of the FIDO Alliance, an industry group that developed the core authentication technology behind passkeys.
Passkeys first came to the public’s attention when Apple added the technology to iOS in 2022. They got more traction after Google started using them in 2023. Now, many other companies including PayPal, Amazon, Microsoft, and eBay work with passkeys. There is a list on the FIDO Alliance website.
Still, some popular sites like Facebook and Netflix have not started using them yet. Passkey technology is still in the “early adoption” phase but “it’s just a matter of time for more and more sites to start offering this,” Shikiar said.
HOW TO SET UP A PASSKEY
I tried setting up passkeys for some of the major online services I use. It was fairly easy for some but confusing for others. Shikiar said his group is constantly working on ways to improve the user experience.
Google users can go to myaccount.google.com and, under “How to sign in to Google”, click “Passkeys and security keys.” Upon reaching the setup screen, I received a prompt to create a passkey while, simultaneously, my password manager’s browser plug-in popped up offering to save it. I clicked to confirm and the setup work was all done automatically.
So far, pretty easy. Then, I tried adding more Google passkeys to my Windows-based work laptop and a Yubico physical security key. This time, when I got to the Google setup screen, it asked for my existing passkey to confirm my identity. But then it somehow failed to authenticate through my password manager.
I tried again using other verification methods, including my Google authenticator app that I already had on my iPhone, and it eventually succeeded.
Adding multiple passkeys to my Microsoft account — one on my password manager, another on my Yubico key — involved some head scratching over a few of the prompts, but I eventually figured it out.
Setting up passkeys on LinkedIn and Amazon was much easier. And when I attempted to add a passkey to my WhatsApp account, I discovered I had, apparently, already created one months earlier when I activated the app lock feature requiring a fingerprint scan.
LOGGING IN
Once set up, it was a breeze to sign in to some of my accounts with just a click or two. But there was some friction with my PayPal account because its passkeys do not work on some browsers, like Firefox.
When I tried to log in with my Amazon passkey, it asked for a one-time verification code from my authenticator app, which confused me because I thought passkeys were supposed to eliminate the need for multi-factor authentication.
Shikiar said it depends on the site, but, in theory, the passkey already has enough protection built in.
“When the primary factor’s un-phishable, other factors aren’t necessary,” he said.
WHAT HAPPENS IF I LOSE MY PASSKEY?
If you have lost the device containing your passkey, that does not necessarily mean it is gone. That is because the typical method to store passkeys on phones is a cloud-based password manager from Apple, Google, or third-party providers. So just log back into the password manager from another phone or computer.
Passkeys stored on security dongles, on the other hand, are not synced to the cloud, so there is no way to recover them if they are lost. It would be a good idea to get a second hardware key and keep it as a backup.
And do not forget you can always mix both cloud and hardware methods to keep multiple passkeys for extra redundancy.
SHOULD I ADD PASSKEYS TO ALL MY ACCOUNTS?
Based on my experience, setting up a passkey can be easy, or tedious and bewildering, depending on the service and what other security technology you want to layer in.
So I would not recommend doing all your accounts right away.
Instead, choose a few of your most important and frequently used services or accounts and focus on a proper setup for those.
WHAT ABOUT MY PASSWORDS?
In theory, you could delete your old passwords. Some services like Microsoft already offer this option. Shikiar said it should be a “personal preference,” because “some people may feel extremely nervous” about going passwordless.
It is fine to keep your password, but make sure multi-factor authentication is also set up for it.